A

You're listening to the Cyberwire Network powered by N2K.

B

From phishing to ransomware, cyber threats are constant. But with Nordlayer, your defense can be too. Nordlayer brings together secure access and advanced threat protection in a single seamless platform. It helps your team spot suspicious activity before it becomes a problem by blocking blocking malicious links and scanning downloads in real time, preventing malware from reaching your network. It's quick to deploy, easy to scale, and built on zero trust principles so only the right people get access to the right resources. Get 28% off on a yearly plan at nordlayer.com cyberwire daily with code CYBERWIRE28 that's nordlayer.com CyberWire Daily Code CYBERWIRE28 that's valid through December 10, 2025. Cloudflare's outage was rooted in an internal configuration error the Trump administration prepares a new national cyber strategy. CISA gives federal agencies a week to secure a new Fortinet flaw. MI5 warns that China is using LinkedIn headhunters and covert operatives to target lawmakers. Experts question the national security risks of TP link routers. The China aligned Plush Daemon threat Group hijacks software Updates. Researchers discover WhatsApp's entire global member directory accessible online without any protection. LG Energy Solution confirms a ransomware attack Shiny Spider makes its debut We've got Rotem Sadak, director of security ops and forensics at Varonis, sharing lessons learned from thousands of forensics investigations. And a judge says Google's claims to water use secrecy are all wet. It's Wednesday, November 19, 2025. I'm Dave Buettner and this is your Cyberwire Intel Brief. Thanks for joining us. It's great as always to have you with us here today. Yesterday, Cloudflare suffered its worst outage in six years after a routine database permissions change triggered a cascading failure across its global network. The issue began when the update caused the bot management system to generate an oversized configuration file that exceeded built in limits and crashed critical traffic routing software. The faulty file contained duplicate metadata that pushed the system past its 200 feature cap clusters alternated between healthy and broken states as machines produced conflicting configuration files every five minutes. The oversized file then propagated across the network, causing system panics and widespread errors. Engineers restored core traffic by replacing the file with an earlier version. The Trump administration is preparing to release a new national cyber strategy, according to National Cyber Director Shawn Cairncross, who said the effort is moving quickly and aims to provide a single, coordinated approach, unlike previous attempts. Speaking at the Aspen Cyber summit, Cairncross outlined six planned pillars, including a focus on shaping adversary behavior and improving public private partnerships. He argued the United States has not effectively signaled consequences to cyber adversaries, noting that ransomware responses remain fragmented and lack a long term government wide plan. Cairncross said the forthcoming strategy will be concise and paired with immediate action items and that his office is is modernizing federal processes, including technology, procurement and collaboration with national labs. Officials across government have already contributed input, according to FBI Assistant Director Brett Leatherman. Former acting National Cyber Director Kemba Walden emphasized that clear deliverables and aligned budgets are essential to make the strategy effect. CISA has ordered U.S. federal agencies to secure Fortinet Fortaweb devices within a week after discovering active exploitation of an OS command injection flaw. The vulnerability allows unauthenticated attackers to execute unauthorized code through crafted HTTP requests or CLI commands added to CISA's known exploited vulnerabilities catalog. The flaw must be remediated by November 25. CISA warned that such vulnerabilities are common attack vectors and pose significant risks to federal networks. Britain's MI5 warned that China's Ministry of State Security is using LinkedIn headhunters and covert operatives to target lawmakers, parliamentary staff consultants, economists and think tank researchers. The alert follows a collapsed espionage case involving two men accused of aiding Beijing. MI5 identified two China based headhunters as recruiters who approached targets under corporate cover to solicit geopolitical reports that feed wider intelligence efforts. China denied the allegations as fabrication. Security Minister Dan Jarvis called the activity a calculated attempt to interfere with UK affairs and announced new countermeasures, including 170 million pounds to upgrade government networks and expanded election security efforts and steps to protect universities from COVID influence, experts say. The U.S. house Select Committee on the Chinese Communist Party's request to investigate TP link for national security risks is built on weak evidence and selectively targets one Chinese manufacturer. The lawmakers cite open source reports, including work from former FCC Commissioner Michael O'Reilly at the Hudson Institute and research from Check Point's ITE Cohen, with neither showing TP link acting maliciously. O'Reilly notes past TP link vulnerabilities were patched and Cohen's findings show Chinese APT malware could just as easily infect routers from Cisco or netgear. Additional claims about Volt Typhoon overlook that DOJ removals involved Cisco and Netgear devices, not TP Link researchers, including Cohen and KnowBefore's Roger Grimes stress that all routers are broadly vulnerable because users rarely patch them. Critics argue focusing on TP link distracts from larger risks tied to widespread dependence on China made technology. Researchers from ESET detail how the China aligned Plush Daemon Threat Group uses its previously undocumented edgestepper network implant to hijack software updates through through Adversary in the middle attacks, EdgeSteper redirects all DNS queries on compromised network devices to a malicious DNS node, which reroutes legitimate update traffic to attacker controlled servers. From there, victims receive little daemon followed by the daemon Logistics Downloader, which ultimately deploys the group's slow stepper backdoor Active since at least 2018, Plushdaemon has targeted individuals and organizations across China, Taiwan, Hong Kong, Cambodia, South Korea, the United States and New Zealand. ESET's analysis shows the group compromising routers or servers, exploiting weak credentials or vulnerabilities, and hijacking updates for software to deliver malware. Austrian Researchers discovered that WhatsApp's entire global member directory, more than 3.5 billion accounts, was accessible online without protection, allowing them to download phone numbers, profile data, public keys and profile photos at scale Meta ignored their warnings for a year before responding, ultimately calling the issue a scraping problem and saying no private messages or non public data were exposed. The data set revealed sensitive information such as workplace details, political or sexual orientation, links to social profiles and device usage patterns. Researchers also identified millions of active accounts in countries where WhatsApp was banned, creating potential safety risks for users. Roughly 57% of users had publicly visible profile photos, enabling large scale facial recognition mapping between faces and phone numbers. LG Energy Solution confirmed a ransomware attack on one of its overseas facilities after the Akira gang listed the company on its leak site. The group claims to have stolen 1.7 terabytes of data, including corporate documents, financial records, SQL databases with employee information, confidential projects and partner data. LG says the affected site has been restored and that headquarters and other facilities were not impacted. The company has not disclosed how many individuals were affected and and has launched an investigation. Shiny Spider, a new ransomware as a service platform developed by threat actors tied to Shiny Hunters, Scattered Spider and Lapsus, has surfaced through early builds uploaded to VirusTotal. Researchers found the group is shifting from using others encryptors to building its own from scratch. Analysis by Coveware shows the Windows encryptor includes event logging, evasion for process killing, network propagation. Anti analysis features shadow copy deletion and ChaCha20 encryption with RSA 2048 protected keys. Each file receives a unique extension and metadata rich header. Victims get hard coded ransom notes and a warning wallpaper shiny Hunter says Linux ESXI and a faster Lightning version are in development, with the operation to run under the scattered Lapsus Hunters brand. Coming up after the break, Rotem Sadak from Varonis shares lessons learned from thousands of forensic investigations, and a judge says Google's claims to water use secrecy are all wet. Stay with us. At Thales they know cyber security can be tough and you can't protect everything, but with Thales, you can secure what matters most. With Thales industry leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest roi. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most applications, data and identity. That's Thales T H A L E S learn more@thalesgroup.com cyber foreign. Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and vpn, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo@meter.com cyberwire that's M E T E R.com cyberwire. Rotem Sadak is director of security, Operations and Forensics at Veronis. In today's sponsored Industry Voices segment, he shares lessons learned from thousands of forensic investigations, a rather small oversight that has.

A

Kept us very busy for a few months. Microsoft Direct Send is a feature in Exchange Online that allows devices or applications like printers or scanners to send emails directly to recipients inside your organization without authenticating through a mailbox and, I repeat, without requiring any authentication at all. So what happens is, once an attacker abuses this feature, the victim receives an email that appears to come from themselves. To create the urgency. Like typical phishing attacks and so on, the attackers frame the message as a missed call or a fax and include a QR code in as the attachment, asking the user to scan or to retrieve the message in some way or another. Basically, boom. Credentials are Stolen. Right. So in the past few months we've been swamped with cases where this direct send feature was enabled without anyone realizing what that really means. Essentially, it's like leaving the front door wide open for attackers. So threat actors actually figured out they can use the setup to send spoofed emails that bypass security controls without ever logging or touching the tenant. And the impact in multiple incidents was sometimes even scary. Like we had to contain compromises of dozens accounts. Attackers in some cases managed to log on to some customer's entra ID and pivoted into administrative apps, expanding their reach and then sends it and then really stealing sensitive data.

B

What's the rationale for the functionality itself? What's the good side of this?

A

The good side of it? I think it's basically to allow devices that cannot authenticate to send you messages within the organization. But I think if you think this through, you should allow that only from internal endpoints and not necessarily from anyone over the Internet. Right. So the idea was just for devices that cannot support different authentication mechanisms.

B

Well, when you're out and about and you have to explain what the current cyber threat landscape looks like and you're talking to non technical people, how do you describe it?

A

So I'd say the cyber threat landscape today is even more hyper focused than ever before on humans as the weakest link. Look, it's dominated by AI powered phishing and identity takeovers. Attackers have dozens of ways to succeed using just these two vectors. Right? And you can add ransomware as a service and supply chain compromises. And I think this is what really gets you threats all laser focused on one thing, which is the data, the most expensive digital asset there is.

B

And what has you most concerned? What are the things that you're seeing emerging that are on your radar?

A

So without a doubt, the threats against AI and those emerging because of its extensive use. Right now I'm going to try to break this down to explain why this is more complex than we imagine. So not long ago, before AI took the center stage, we were in a relatively comfortable position. We understood the core principles of security and how to apply them across different technologies. We train an entire generation of developers on secure coding best practices, we quote, unquote, mastered software and hardware risk modeling. And most importantly, we understood those technologies as attack surface inside out. But with AI, that's no longer the case. Right now, as far as I see it, at least there are two, let's say, concerning trends that are happening simultaneously. On one side, we are witnessing a wave of developers pushing products of all Kinds to market at incredible speed thanks to AI driven development. But what they lack is the deep understanding of secure coding principles. And this might create a regression in security knowledge compared to the pre AI era. And then there is the other side of it, which is the world is adopting AI across almost every domain at a pace far faster than our ability to understand AI as an attack surface. And yes, research exists, vulnerabilities are documented, but we're barely scratching the surface. So Ben, comes my biggest concern. How do we investigate an incident that occurs entirely within an AI ecosystem? What investigation artifacts will matter beyond just the prompt and attacker to model interactions? And then what happens when there will come a day, and I think it's just a matter of time when an LLM trained on the most sensitive business data of my organization is stolen and I have extremely limited ability to trace the full chain of events. So in my eyes, I think this is one of the major topics to be concerned about.

B

Help me understand how you as a practitioner separate the hype from the reality when it comes to AI. Because you know, we see we're being bombarded with marketing messages about AI, about the power of AI, about the vulnerabilities of AI, but you're in the middle of this, doing the actual work. How do you separate the signal from the noise?

A

Right? So first of all, you gotta have a lot of hands on experience with AI to really understand what it can and can't do. And from our research and from general experience within the operation, we also utilize AI to some extent and we understand that AI by itself is not really a plug and play product that you can simply provide a prompt to and things will happen. Things will, the magic will happen. Right. With AI, you have to provide sometimes even a lot of context, right? You have to set clear boundaries as to what you want the AI to do and what you don't want the AI to do and even really limit the kind of roles you want the AI to play in your operation. It could be anything, could be a product, could be just automation, pure automation you would like to orchestrate and turn to a fully automatic flow. Right? So we have to set the boundaries and we have to understand that AI is not always consistent and deterministic when it comes to vague or ambiguous prompts and roles that we give it.

B

Do you have any examples, any real world use cases where AI has either prevented or maybe mitigated a major incident?

A

It happens more than we think, let's say. Right. A lot of security products nowadays use AI for various use cases such as Threat detection, classification, enrichment and so on. These are like the most common ones that we typically see in our domain, the cybersecurity domain. And from my experience, AI has already proven its value many times. I've seen AI driven systems block compromised domain accounts or attempting password resets for lateral movement. I've also seen AI classifying ransomware threats based on known and unknown file extensions and file system activity, so essentially containing the encryption in a relatively short time. So this is magic. Some people with less experience could call this magic. But I think it's also worth talking about what it takes to make it so good and precise. Because like I said before, AI is far from being just pure plug and play as of today, and especially in cybersecurity domain, like I said before, AI and LLMs on their own are still neither fully autonomous nor deterministic enough to inspire complete trust that we would justify relying solely on AI as a defense mechanism. And this raises the question about how to shape an AI driven defense strategy. Like we have to somewhat consider using AI and try to prepare for the tomorrow, because the threat landscape is evolving very quickly also thanks to AI. So first and foremost, even for AI, the context really matters. Sometimes we really have to provide heavy context to AI to understand what is the role and what we want to do here. So it's critical for these models because they need to understand, for example, in detection engineering, what is more significant and what is less. There is multiple ways to do that, but while some might call the context a bias, it's actually necessary to reduce the hallucinations and poor decisions, those that in the hindsight we would consider to be pretty bad. So because the model lacked sufficient context or knowledge to make the best decision for whatever the situation, I think this begs the question, where does AI truly shine as a critical security function? Either within my operation or within my security stack. So at this stage at least, AI primarily acts as a force multiplier for human teams monitoring the infrastructure, and in some cases even takes on decision making roles such as whether to respond to a threat or how to respond to that threat. And we know that when you provide AI with enough context and clear rules and very specific responsibility boundaries, that's where it really outperforms human operators. And for example, predictive threat detection platforms typically use some form of machine learning model, which often really helps with the explainability. This explainability introduces a kind of healthy bias for this AI model, allowing it to really whether a certain anomaly is malicious or not in a more deterministic way, and even choose from a predefined set of actions on how to respond.

B

So you're really confident here that these tools are useful and there's a positive future for them?

A

Absolutely, yeah.

B

You know, looking at the big picture, what do you think is the low hanging fruit? What are some of the easier things that an organization can do to improve their security posture?

A

So you're not going to be surprised at all. But you can start because, you know, easy wins. I think it has to be common and known to everyone. It's just a decision whether to do that or not. But I would say you can start by protecting your identities. Apply multi factor authentication wherever possible and for a strict offboarding process, which means to really disable and remove stale accounts quickly to reduce the risk. And the next relatively quick win is to patch aggressively because if you don't really protect your identity, well, the second, I would say most, the easiest attack vector would be to just get in through unpatched systems.

B

What's your advice for the security leaders out there who are preparing for this AI driven future, these AI driven threats? What are your words of wisdom?

A

There's a saying by our CEO Jaqui Fedelson that I really like AI security. This is what he says all the time. AI security is data security. What that means is simple. AI systems eventually are inseparable from data. They consume the data they process and generate. So AI runs on data and really learns massive data set during the training process and it continues to handle sensitive inputs in production. It's always about data, right? So what makes data an integral part of the attack surface is the fact that AI is based on this sole parameter. So my advice to security leaders is just put your data in order. Know where your data lives, what's sensitive and what your AI models can access. Because if data is not secure, your AI isn't secure either.

B

That's Rotem Sadak, Director of Security Operations and Forensics at Varonis. What's your 2am Security worry? Is it, do I have the right controls in place? Maybe are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vantage comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows. Using AI to streamline evidence collection, flag risks and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally, get back to sleep. Get started@vanta.com cyber that's V A N T A dot com cyber.

C

At Capella University, learning online doesn't mean learning alone. You'll get support from people who care about your success, like your enrollment specialist who gets to know you and the goals you'd like to achieve. You'll also get a designated academic coach who's with you throughout your entire program. Plus, career coaches are available to help you navigate your professional goals. A different future is closer than you think with Capella University. Learn more at Capella Eduardo and finally.

B

For months, local governments guarded Google's projected data center water use in Botator County, Virginia, as though the numbers were national security secrets rather than estimates about H2O. Each agency redacted the figures, insisting they were proprietary because Google said so. The founder of local newspaper the Roanoke Rambler disagreed and, armed with an $86 filing fee and a stubborn streak, took the Western Virginia Water Authority to court. Judge Lisa Cifoni sided with transparency, ruling that water usage estimates are not corporate property and that the public has a right to know what its government plans to pump into billion dollar data center projects. She noted that disclosing consumption only after Google signs on the dotted line is effectively useless. The victory may be temporary. Google, worried competitors might reverse engineer its data center strategy from water totals, is urging an appeal. The Water Authority now appears ready to fight on, sending the case toward the Virginia Court of Appeals, where judges may soon decide whether mere gallons can truly be treated as trade secrets. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead of the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

A

Hey, Ryan Reynolds here wishing you a very happy half off holiday because right now Mint Mobile is offering you the gift of 50% off unlimited. To be clear, that's half price, not half the service. Mint is still premium unlimited wireless for a great price. So that means a half day. Yeah, give it a try@mintmobile.com Switch up.

B

Front payment of $45 for three month.

A

Plan equivalent to $15 per month required new customer offer for first three months only. Speed slow hacker 35 gigabytes of networks busy taxes and fees extra. C mint mobile.com.