A
You're listening to the Cyberwire Network, powered by N2K.
B
Most security conferences talk about Zero Trust. Zero Trust World puts you inside it. This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert-led sessions, practical case studies and technical deep dives focused on real-world implementation. Whether you're blue team, red team or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ztw.com and take your zero trust strategy from theory to execution.
A
At long last, a TikTok deal. Officials urge lawmakers to keep an eye on the quantum ball. Fortinet confirms active exploitation of a critical authentication bypass. Ireland plans to authorize spyware for law enforcement. Okta warns customers of sophisticated vishing kits. Under Armour investigates data breach claims. CISA adds a Zimbra Collaboration Suite flaw to the Known Exploited Vulnerabilities list. Poor opsec enables recovery of data stolen by the Inc ransomware gang. The DOJ deports a pair of Venezuelans convicted of ATM jackpotting. Our guest is Chris Nyhuis, founder and CEO of Vigilant, sharing practical steps to protect money, identity and devices. And curl pulls the plug on bug bounties after drowning in AI slop. It's Friday, January 23rd, 2026. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great to have you with us. TikTok announced it has reached a deal for its US operations to be majority owned by non-Chinese investors, ending a six-year political and legal battle over national security concerns. Under the agreement, investors including Oracle, MGX, Silver Lake and Michael Dell's investment office will now own more than 80% of a new US-based TikTok entity, while ByteDance will retain just under 20%. Former TikTok executive Adam Presser will lead the new company. The deal aims to address US fears that China could exploit TikTok to surveil or influence American users, a concern that led Congress to pass a 2024 law threatening a ban if ByteDance did not divest. While the agreement allows TikTok to remain in the US market, critics note that ByteDance will still license its algorithm to the new company, raising questions about whether security concerns are fully resolved. President Trump praised the deal, calling it a decisive conclusion to the long-running dispute. Federal officials warned lawmakers that the lapse of the National Quantum Initiative Act risks undermining US leadership in quantum computing, despite the law's success in strengthening coordination across government, academia and industry. Testifying before the House Science Committee, leaders from the Department of Energy, NIST, NASA and the National Science Foundation said the 2018 law created a unified national framework, aligned federal investments and accelerated progress from lab research toward early-stage quantum systems with scientific and security relevance.
The act expired in 2023, creating uncertainty for funding and workforce pipelines. Lawmakers have introduced a bipartisan reauthorization bill that would authorize nearly $1.5 billion to expand research, commercialization and workforce development. Witnesses cautioned that without sustained investment and stable authorization, the US could fall behind global competitors, particularly China, in the accelerating race to quantum capabilities. Fortinet confirmed active exploitation of a critical FortiCloud SSO authentication bypass after customers reported compromises of fully patched firewalls. Researchers at Arctic Wolf say automated attacks began January 15th, with attackers rapidly creating admin and VPN accounts and exfiltrating configurations. Fortinet acknowledged the activity mirrors December exploitation and is working on a complete fix. Until then, Fortinet urges customers to restrict admin access, disable FortiCloud SSO and treat affected systems as compromised. CISA has listed the flaw as actively exploited. Ireland plans to draft legislation that would explicitly authorize law enforcement to use spyware, according to Justice Minister Jim O'Callaghan. The proposal would create a legal basis for covert surveillance software and expand lawful interception powers to combat serious crime and security threats. Use of spyware would require court authorization and include safeguards to ensure necessity and proportionality. The bill would also allow electronic scanning tools to collect mobile device identifiers for location tracking. Ireland's Department of Justice will develop the framework with other state agencies. Okta is warning customers about sophisticated phishing kits designed specifically for voice-based social engineering, or vishing, attacks that steal single sign-on credentials in real time. According to Okta, as reported by BleepingComputer, the kits are sold as a service and actively used by multiple threat groups during phone calls.
Impersonating IT staff, attackers guide victims through fake login pages that dynamically mirror real authentication and multi-factor prompts, allowing credentials and one-time passcodes to be intercepted and immediately abused. The attacks can bypass push-based MFA and have been used for large-scale data theft and extortion, with some activity linked to ShinyHunters. Okta urges customers to adopt phishing-resistant MFA such as FIDO2 keys or passkeys. Under Armour is investigating claims of a major data breach after hackers allegedly posted 72 million customer records online. The incident was flagged by Have I Been Pwned, which linked it to a November 2025 attack attributed to the Everest ransomware group. Exposed data reportedly includes emails, names, demographics, locations and purchase details, but not payment card data. Under Armour says it's investigating and disputes claims that sensitive systems or passwords were compromised. CISA is urging federal agencies to immediately patch a Zimbra Collaboration Suite flaw that is being actively exploited. The vulnerability is a local file inclusion issue in Zimbra's webmail interface that allows unauthenticated attackers to access arbitrary files by manipulating request routing. Exploitation could expose sensitive information and enable further compromise if combined with other weaknesses. Although Zimbra released patches in November of last year, CISA added the bug to its Known Exploited Vulnerabilities catalog this week. Researchers at CrowdSec reported targeted, intelligence-driven attacks and rising exploitation. CISA also flagged three additional actively exploited vulnerabilities and reminded organizations to prioritize KEV-listed flaws. Researchers uncovered a major operational security lapse by the Inc ransomware gang that allowed full recovery of data stolen from a dozen US organizations. The work was conducted by Cyber Centaurs, which shared full findings with BleepingComputer.
While investigating an Inc ransomware attack on a client, analysts discovered remnants of the backup tool restic that exposed long-lived attacker infrastructure. Scripts with hard-coded credentials pointed to cloud repositories storing encrypted data from multiple victims. Controlled analysis confirmed data from 12 unrelated US organizations across the healthcare, manufacturing, technology and service sectors. Researchers decrypted and preserved the data, contacted law enforcement and released detection rules to help defenders spot restic abuse tied to Inc ransomware activity. The U.S. Justice Department has announced the deportation of two Venezuelan nationals convicted of ATM jackpotting using malware. The Department of Justice said Luz Granados and Johan Gonzalez Jimenez installed malware on ATMs to force the machines to dispense cash. Granados received time served and restitution orders, while Gonzalez Jimenez was sentenced to 18 months in prison before deportation. The cases follow broader prosecutions tied to Venezuelan crime groups using the Ploutus malware, which authorities say remains active. Coming up after the break, my conversation with Chris Nyhuis, founder and CEO of Vigilant. We're discussing practical steps to protect your money, your identity and your devices. And curl pulls the plug on bug bounties after drowning in AI slop. Stick around.
B
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks, including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire. What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
A
Chris Nyhuis is founder and CEO of Vigilant. I recently caught up with him to discuss some practical steps to protect money, identity and devices. So Chris, as we are heading into the early part of this year, I'd love to get a reality check from you: where do you estimate most organizations stand in terms of being prepared for the challenges that face them when it comes to cybersecurity this year?
C
I would actually tell you from experience, I would say most organizations are not prepared for what's coming their way. It's a combination of two things. The cyber industry isn't prepared, but then the organizations out there that are purchasing technology or implementing it either don't have the resources on their staff to man some of the technology they're purchasing in the way that they need to, to fight the threat actor of today, or they are buying things that just really can't hit the mark at defending them. And it's going to be a big problem this year, especially as we accelerate with a lot more nation-state activity from China and Iran and Russia.
A
Can you give us some examples of some of the things that are top of mind for you in terms of concerns?
C
Sure. I would say, over the last 10 years of evolution, what you see is that cybersecurity used to fit across, and I'm sure your audience is familiar with this, the OSI model, the TCP model, where you have this full-stack detection within an organization. And as we've started moving things out to the cloud, or we start using things like virtualized firewalls, or we're implementing detection more at the endpoint because our users are remote, we're starting to disregard the network. What we're seeing is a lot of attackers are taking advantage of that, and so they're going downstack in terms of their attacks, and you're seeing a lot of detection go upstack. And where that benefits a lot of the cyber companies out there is it's a lot less expensive to do security upstack than it is to do full stack. But the issue to the consumer is that now you have a technology that's only seeing a portion of your environment, and when you then go and look at how a lot of these things are deployed, the very means by which they collect data is diminished or flawed. So you're making cyber decisions with a lot less information and data than you had before.
A
Is your sense that folks out there are aware that they're not seeing the whole picture or is there sort of a blissful ignorance?
C
I think there's a, I wouldn't say blissful ignorance. I think there's a desire. I think the consumer is saying, look, we want cyber at this level, we need these things. But I think a lot of the approach, a lot of the education, even inside cyber programs, and I would even say most of the marketing that's out there, really markets heavily toward this upstack approach. And so when you're looking at the things that are best practices, you really have to question them sometimes, because they're really driven in a lot of cases by who's marketing the best, and who's marketing the best is not always the best at cyber warfare. And so a lot of the decision making now at the consumer level, from what I see, is driven by those top 10 lists or the best practices or the right vendors. And those are not always the vendors or the technologies that actually work.
A
It reminds me of that old chestnut from decades ago about how nobody ever got fired for choosing IBM. You heard that?
C
Yeah, it's a similar type thing.
A
Right.
C
Until they did. And it's a very similar thing, the way in which these organizations have been driven. And I'll even say this, and this is a controversial topic, but a lot of cyber is driven by private equity. And that's not always a good thing. The decision making inside those rooms is a lot different than, does this work on the ground? And when you deal with something like cybersecurity, I'm a big believer that cyber should be a standard-of-care industry. But I'm also a capitalist. I'm a big fan of high-growth organizations. I own a company as well. And you have to balance that as a decision maker in an organization. You have to look at this and go, we're fighting cyber warfare. This applies to the organizations that trust us to secure them. Those organizations are primarily a large chunk of the financial sector, the financial stability of the United States. And you have to make decisions to say, okay, will we allow ourselves to reduce our margin but make the right decision to fight against the threat actor? Because the threat actor out there isn't making a capability decision. But that does happen across the cyber industry, and organizations that purchase these things don't really know that a capability has been diminished. Especially as you look at AI coming into play. AI is a hyperscaler in some sense to help assist cyber detection and cyber professionals, but it isn't even close to being at a place where it can be replaced. But a lot of consumers are buying AI technology. But if you look at why a cyber company would want to deploy AI first, in a lot of cases it's to replace the very costly human analyst and increase their margin.
So I would just say that this year is going to be a very interesting year, where the consumer's going to have to ask some really hard questions of the people they're buying technology from.
A
What sorts of questions do you recommend they ask?
C
It depends on where you're applying it and what you're applying. If you're looking at things like endpoint technology, I would be very, very concerned, as a consumer, with asking the cyber providers that you're purchasing from how they are precisely curating detection to your organization. Because when you look at things like, take marketing for instance, we're told that aggregation is good, and that taking technology from all of these organizations and doing an aggregation across what's being attacked, and then using those aggregated detections and intel inside your environment to detect. Well, when you start to ask questions of, how does that company actually create those aggregations, and how do those averages come around? You start to see that a lot of that comes from some of the larger customers that they have, because that's where that average is coming from. And so most of the organizations that they protect, or a lot of the smaller companies that are out there, they're not getting any curation of the detection to their environment. And in fact, the smaller companies, the mid-sized organizations, are the primary targets for these hackers, because they're going through them to get to the larger companies. And so when it comes to endpoint technology, or even just intel in general, that intel is nowhere near curated to what you actually need to protect your organization. So unless you have people on your staff that are going to curate or modify that intel, it's not going to detect what you need it to in your environment. When you look at things like the network, for instance, it poses the same problem. Most people do detection in their firewalls, or they do detection with appliances that use SPAN ports or mirror ports. And when you look into the way that these technologies work, a mirror port just by itself, running on a daily basis, loses 30% of the packets going across your network. And the reason for that is twofold.
One, the primary function of a firewall or switch is not to collect security data, it's to be a firewall or a switch. And so the processing priority for a SPAN port or mirror port is lower. And as those devices start to use more bandwidth or more of their backplane, they just start dropping packets to things that have less priority, which is your SPAN ports and mirror ports. And the other factor there is that a lot of these technologies, like firewalls, for instance, and detection systems, are mostly using an ASIC chipset. And ASIC chipsets can't do deep packet inspection the way you need them to. They're really meant to store and forward traffic. And so when you're purchasing a network detection technology, you really have to get into the architecture and say, hey, do you have Intel processors with enough cores? Show me deep packet inspection. A lot of these companies have even reduced the storage on these devices, and so you can't do continuous PCAP anymore. And so they market things like smart PCAP, where it's smart because it turns on when an event happens. Well, that doesn't help you, because frankly, an event's happened. You need to know what happened before it. So the questions, when it comes to these things, are more around architecture now. And you have to ask, how are you doing what you're doing? Because there's a lot of corners being cut in this industry, and you can see that by how many companies are getting hacked.
A
So what are your recommendations, then, for folks who are responsible for turning these dials and figuring out how to get the most for their security budget? Any words of wisdom?
C
Yeah, I'd speak first to CEOs. I think that you have to put yourself, and if you're a professional listening to this, you're in cyber and your CEO isn't listening to this podcast, I would strongly suggest that you sit down with them and really challenge them to become the cyber leader of the organization. Now they're going to say, hey, I don't have the skill set to do that. And really what I would say is, become their coach, because they have to be able to understand how to wield cyber warfare at their company. The CEO has to get to that point. And I would say it's one of the reasons why cybersecurity does not get the budget at most organizations, because the C-level just doesn't understand it. And so I would say, as you're purchasing, do not purchase the cheapest solution. You have to purchase the things that work and the best in class. I would 100% do side-by-side comparisons, and I would ask them hard questions like, can you forensically prove this? And I would ask them to show you the real data behind the reporting that they give you, because there are a lot of reports that, frankly, are just skewed to be false. As a consumer of these technologies, I would highly and very strongly, from a cyber standpoint, really challenge yourself to work with US-based companies that have US citizens protecting your infrastructure. We're going to see over the next few years, I think, significant change in the boundaries of cybersecurity, and they're going to start looking more like national lines. We're already seeing that in Europe, et cetera. And when you work with organizations that have more foreign presence, things like that, as we're starting to do incidents, you're going to start seeing a lot of compliance requirements that restrict them from even doing analysis within your environment.
A
That's Chris Nyhuis from Vigilant.
B
When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. Security works best in layers, and when those layers actually work together, that's when things get interesting.
A
NordLayer is a network security platform designed for modern teams. It secures connections, controls access and helps stop threats, all without hardware or long deployment cycles. Now NordLayer has partnered with CrowdStrike to bring Falcon endpoint protection into the mix, giving small and mid-sized businesses a multi-layered security approach that's practical to deploy and easy to manage. NordLayer handles secure access and zero trust networking. CrowdStrike Falcon adds endpoint visibility and protection. Together they cover more ground than either could alone, without requiring a large IT staff. For business leaders, that means clearer control and easier compliance. For IT teams, it means granular access policies, faster onboarding and protection that scales. If you're looking for enterprise-grade security without enterprise-grade complexity, take a look at NordLayer. Get up to 22% off yearly plans plus an additional 10% with code CYBERWIRE10. There's even a 14-day money-back guarantee. Check out nordlayer.com/cyberwiredaily to learn more. And finally, the curl project is an open source effort that builds and maintains curl, a command line tool and software library used to transfer data over networks. The curl project has decided it has had quite enough of being told, repeatedly and creatively, that it might be vulnerable. Its maintainer, Daniel Stenberg, announced that curl will shut down its HackerOne bug bounty program at the end of January after being swamped by low-quality, often AI-generated vulnerability reports. Since 2019, curl and its sibling library libcurl have offered cash rewards through HackerOne. Recently, however, the signal-to-noise ratio collapsed. Stenberg says the security team has been buried under reports that sound impressive, require hours to triage, and ultimately describe non-issues. The fix is: remove the bounty, remove the incentive, and restore sanity. Starting February 1st, curl will accept reports directly via GitHub, offer no money, and reserve the right to publicly mock especially bad submissions. A blog post, presumably more polite, is promised. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday, my conversation with Andrew Northern, principal security researcher at Census. The research we're discussing is titled "From Evasion to Evidence: Exploiting the Funneling Behavior of Injects." That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco. Attackers don't go through your tools, they go around them. In our interview with Jared Atkinson, CTO at SpecterOps, he reveals how attackers look to exploit our identities, steal tokens and quietly snowball their access across Active Directory, cloud apps and GitHub. We talk through attack paths, why least privilege keeps failing, and how one misconfiguration can hand over the keys to your organization. Want to see risk as attackers do? Then check out the full interview now on thecyberwire.com/specterops.
CyberWire Daily: "TikTok Lives to Scroll Another Day"
Date: January 23, 2026
Host: Dave Bittner (N2K Networks)
This episode delivers the latest cybersecurity news, focusing on TikTok's resolution with the US government, urgent vulnerabilities, emerging threats in vishing (voice phishing), the intersection of business and cybersecurity, and changes in popular open-source bug bounty programs. A special interview with Chris Nyhuis (Founder & CEO of Vigilant) offers actionable advice for organizations seeking to improve practical defenses of money, identity, and devices in 2026.
Nyhuis’ Assessment:
Most organizations are not prepared for modern threats: “The cyber industry isn’t prepared, but then the organizations out there…either don’t have the resources on their staff to man some of the technology they’re purchasing…or they are buying things that just really can’t hit the mark at defending them.” (14:18)
Emerging Risks:
Growing nation-state activity from China, Iran, Russia.