CyberWire Daily – "The oversized file that stalled the internet"
Date: November 19, 2025
Host: Dave Bittner
Featured Guest: Rotem Sadak, Director of Security Operations and Forensics at Varonis
Episode Overview
This episode delivers timely analysis of a major Cloudflare outage, the upcoming U.S. national cyber strategy, urgent new vulnerabilities, and evolving threats from Chinese actors and ransomware groups. An in-depth interview with Rotem Sadak examines real-world trends in incident response, human vulnerability, and AI’s growing cybersecurity role.
Key Stories and Insights
Cloudflare's Worst Outage in Six Years
[00:45 – 02:19]
- Incident: A routine database permissions change caused a generated configuration file to exceed a system limit, crashing Cloudflare’s global network traffic routing.
- Key Details:
- Duplicate metadata rows pushed the file past a 200-feature cap.
- Configuration files kept producing conflicting versions every 5 minutes, causing clusters to flip between working and broken.
- Restoring an older config resolved the traffic disruption.
- Analysis: Highlights how mundane changes and overlooked system caps can cause global disruption.
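The failure mode described above (a generated file that grows past a hard cap because of duplicated rows, then gets pushed to production) is one that a loader can guard against. The following is an added example, not Cloudflare's code or data: the one-JSON-object-per-line format, the feature names, the `parse_features`/`choose_config` helpers and the sample inputs are all constructed here. The 200-feature cap is the value the episode mentions. The loader collapses duplicate rows before checking the cap, rejects the whole file rather than applying it partially, and keeps the last-known-good configuration in service when a candidate fails validation.

```python
"""Added example: bounded loading of a generated feature-config file with
fall-back to last-known-good. The file format, feature names and helper
names are constructed for illustration; they are not Cloudflare's."""
import json
from dataclasses import dataclass, field

MAX_FEATURES = 200  # cap mentioned in the episode summary


@dataclass
class LoadResult:
    ok: bool
    features: dict = field(default_factory=dict)
    reason: str = ""


def parse_features(text: str, max_features: int = MAX_FEATURES) -> LoadResult:
    """Parse one JSON object per line: {"name": ..., "value": ...}.

    Duplicate names collapse to the first occurrence, so a metadata hiccup
    that emits the same row twice does not inflate the count. The cap is
    checked against unique features, and the whole file is rejected
    (never partially applied) when it is still too large.
    """
    features = {}
    duplicates = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            row = json.loads(raw)
        except json.JSONDecodeError:
            return LoadResult(False, reason=f"line {lineno}: not valid JSON")
        if not isinstance(row, dict) or not isinstance(row.get("name"), str) \
                or "value" not in row:
            return LoadResult(False, reason=f"line {lineno}: missing name/value")
        name = row["name"]
        if name in features:
            duplicates += 1          # drop the repeat instead of counting it
            continue
        features[name] = row["value"]
        if len(features) > max_features:
            return LoadResult(
                False, reason=f"feature cap {max_features} exceeded at line {lineno}")
    return LoadResult(True, features, reason=f"{duplicates} duplicate rows dropped")


def choose_config(candidate_text: str, last_known_good: dict,
                  max_features: int = MAX_FEATURES):
    """Return (features, source). A rejected candidate never replaces the
    running config; the caller keeps serving with last_known_good."""
    result = parse_features(candidate_text, max_features)
    if result.ok:
        return result.features, "candidate"
    return last_known_good, "last-known-good: " + result.reason


def make_rows(names):
    """Build constructed sample input in the one-object-per-line format."""
    return "\n".join(json.dumps({"name": n, "value": i}) for i, n in enumerate(names))


# Constructed sample inputs (not real configuration data)
GOOD = make_rows([f"f{i}" for i in range(150)] * 2)   # 300 rows, 150 unique
TOO_BIG = make_rows([f"f{i}" for i in range(250)])    # 250 unique, over the cap

if __name__ == "__main__":
    running = parse_features(GOOD).features
    feats, src = choose_config(TOO_BIG, running)
    print(src, len(feats))   # the oversized candidate is rejected, 150 features stay live
```

The design point is that the cap check runs at load time on deduplicated data and the outcome is all-or-nothing: a bad generated file is rejected before it can crash the consumer, and the service keeps running on the previous configuration until the generator is fixed.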
U.S. National Cyber Strategy
[02:19 – 03:13]
- Announcement: National Cyber Director Shawn Cairncross previews a new cyber strategy built around six pillars, aiming for comprehensive, quick action.
- Key Points:
- Goal is unified government response and clearer signals to adversaries.
- Cites fragmented ransomware responses and outdated procurement structures.
- Former officials stress the need for clear deliverables and budget alignment.
Rapid Fortinet Security Mandate
[03:13 – 03:39]
- Mandate: CISA gives U.S. federal agencies 7 days to patch a Fortinet FortiWeb OS command injection vulnerability.
- Significance: The flaw lets unauthenticated attackers run code remotely through HTTP requests or CLI commands.
- Deadline: Remediation required by November 25.
MI5: Chinese Influence via LinkedIn
[03:39 – 04:51]
- Warning: UK’s MI5 says China’s Ministry of State Security is recruiting through LinkedIn fronts, targeting MPs, staff, and researchers.
- Recent Case: A recent case unraveled after espionage charges against two men were dropped.
- Government Response: New funding to upgrade networks, secure elections, and protect universities from influence campaigns.
Debating Risks of TP-Link Routers
[04:52 – 06:00]
- Congressional Inquiry: Focused review of TP-Link’s national security risk may be selective.
- Expert Opinions:
- Check Point and Hudson Institute research reveals similar risks in Cisco/Netgear devices.
- Critics caution against scapegoating one vendor while ignoring broader supply chain risks.
- Weak patching hygiene is the true cross-vendor risk.
Plush Daemon Threat Group’s Software Update Hijacks
[06:00 – 07:30]
- Research: ESET uncovers “EdgeStepper,” a Plush Daemon implant that redirects DNS traffic to attacker-controlled servers.
- Attack Flow: DNS redirection → Install malicious tools → Deploy SlowStepper backdoor.
- Victims: Organizations across East Asia, US, New Zealand; targets routers via credential and software flaws.
WhatsApp’s Global Member Directory Exposed
[07:30 – 08:51]
- Research: WhatsApp’s user directory (~3.5 billion records) was accessible online.
- Data at Risk: Phone numbers, profile photos, keys, revealed at scale—even in banned countries.
- Meta’s Response: Labeled incident as “scraping,” downplayed exposure.
LG Energy Solution Ransomware Attack
[08:52 – 09:30]
- Attack: Akira gang claims 1.7 TB data theft from an overseas plant—project and employee data included.
- Company’s Stand: Impact reportedly contained to one facility.
Shiny Spider Ransomware-as-a-Service Emerges
[09:31 – 10:32]
- Discovery: Early builds analyzed show advanced, self-developed ransomware infrastructure (not re-used encryptors).
- Technical Details: Uses ChaCha20 + RSA-2048, logs events, spreads on networks, deletes shadow copies.
Featured Interview: Rotem Sadak on Threat Trends & AI in Security
[14:08 – 26:19]
Email Security Oversight & Direct Send Abuse
[14:08 – 15:41]
- Issue: Microsoft’s Exchange Online “Direct Send” allows unauthenticated internal emails.
- Attack Vector: Threat actors send spoofed emails appearing as “the victim themselves,” luring with QR codes for credential theft.
- Impact: “It's like leaving the front door wide open for attackers.”
— Rotem Sadak [14:32]
- Case Example: Compromises escalated to dozens of accounts, privileged access, and data theft.
Human Weakness and Advanced Threats
[16:11 – 16:56]
- “The cyber threat landscape today is even more hyper-focused than ever before on humans as the weakest link.”
— Rotem Sadak [16:21]
- Dominance of AI-powered phishing, identity takeovers, ransomware-as-a-service.
AI as Double-Edged Sword
[17:02 – 18:37]
- AI development outpaces defensive understanding; many developers lack secure coding experience, risking new vulnerabilities.
- Security experts now worry about incident response within opaque AI environments.
- “How do we investigate an incident that occurs entirely within an AI ecosystem? ...I think this is one of the major topics to be concerned about.”
— Rotem Sadak [18:00]
Separating AI Hype from Reality
[19:15 – 20:49]
- Value comes from hands-on experience.
- “AI by itself is not really a plug and play product... Sometimes even a lot of context (is needed)... AI is not always consistent and deterministic.”
— Rotem Sadak [19:39]
AI in Action: Real-World Security Cases
[20:49 – 24:08]
- AI used for threat detection, classification, enrichment.
- Example: AI stops compromised domain logins, stalls automated lateral movement, flags unusual file activity to contain ransomware.
- “AI and LLMs on their own are still neither fully autonomous nor deterministic enough to inspire complete trust...”
— Rotem Sadak [23:10]
- Proper context and boundaries are crucial for effectiveness.
[24:08 – 24:18]
- “Are these tools useful and is there a positive future for them?”
— Dave Bittner
- “Absolutely, yeah.”
— Rotem Sadak
Quick Wins for Security Leaders
[24:32 – 25:14]
- Secure identities with multi-factor authentication.
- Prompt offboarding and aggressive patching are “easy wins.”
Core Advice: AI Security is Data Security
[25:24 – 26:19]
- “AI security is data security. ...If data is not secure, your AI isn’t secure either.”
— Rotem Sadak [25:29]
- Leaders must know where data lives, what’s sensitive, and what AI can access.
Memorable Moment
- “Some people with less experience could call this magic. But I think it’s also worth talking about what it takes to make it so good and precise... context really matters.”
— Rotem Sadak [22:10]
Final News Bite: Judge Rejects Google’s Bid for Water Use Secrecy
[28:17 – 29:35]
- Ruling: Projected data center water use is not a trade secret.
- Public right to know wins over Google’s corporate confidentiality claims.
Useful Timestamps
| Segment | Start |
|---|---|
| Cloudflare outage explained | 00:45 |
| National cyber strategy preview | 02:19 |
| Fortinet security urgency | 03:13 |
| MI5’s LinkedIn warning | 03:39 |
| TP-Link investigation debate | 04:52 |
| Plush Daemon update hijacks | 06:00 |
| WhatsApp directory leak | 07:30 |
| LG Energy Solution ransomware | 08:52 |
| Shiny Spider ransomware insights | 09:31 |
| Rotem Sadak interview begins | 14:08 |
| Direct Send security risk | 14:08 |
| AI as new attack surface | 17:02 |
| Practical AI security advice | 19:39 |
| Practical wins for security leaders | 24:32 |
| AI and data security | 25:24 |
| Google water secrecy court ruling | 28:17 |
Takeaways
- Even minor technical oversights, like unbounded config files or legacy email features, can have massive security implications.
- AI is already game-changing for security, but its risks and the skills gap it introduces merit urgent focus.
- Human vulnerability, neglected patching, and data exposure remain the biggest practical threats.
- Security leaders: focus on identity, data, and context for both old and new technologies.
