A
You're listening to the Cyberwire Network powered by N2K.
B
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.

Major federal cybersecurity programs expire amidst the government shutdown. Global leaders and experts convene in Riyadh for the Global Cybersecurity Forum. NIST tackles removable media. ICE buys vast troves of smartphone location data. Researchers claim a newly patched VMware vulnerability has been a zero-day for nearly a year. ClickFix-style attacks surge and spread across platforms. Battering RAM defeats memory encryption and boot-time defenses. A new phishing toolkit converts ordinary PDFs into interactive lures. A trio of breaches exposes data of 3.7 million across North America. Tim Starks from CyberScoop unpacks a report from Senate Democrats on DOGE, and the Lone Star State proves even the Internet isn't bulletproof.

October 1, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. Welcome to October. It's great to have you with us.

Two major federal cybersecurity programs are set to expire this morning as Congress remains deadlocked over government funding. The Cybersecurity Information Sharing Act of 2015, which shields companies that share threat intelligence, and the $1 billion state and local cybersecurity grant program will both lapse without reauthorization. The House advanced renewal bills earlier this month, but Senate gridlock has left the programs tied to a stalled stopgap spending measure.
Tensions boiled over Tuesday, with Senator Gary Peters, a Democrat from Michigan, warning the lapse would weaken US defenses, while Senator Rand Paul, a Republican from Kentucky, blocked an extension, citing concerns about alleged free speech abuses by CISA. Former CISA Deputy Director Nitin Natarajan said both efforts are critical for resilience, particularly for smaller jurisdictions. Without them, he warned, threat sharing and cyber defenses will diminish, raising risks for everyday Americans.

Global leaders and experts convened in Riyadh for the Global Cybersecurity Forum, focusing on scaling cohesive advancements in cyberspace. Discussions centered on artificial intelligence, quantum computing and the urgent need for global cooperation to counter rapidly evolving cyber threats. Speakers highlighted AI's dual role as both a defensive tool and attack enabler, stressing the importance of resilience over purely preventive strategies. ITU Secretary-General Doreen Bogdan-Martin underscored the value of standards for trust in communications, while Interpol officials compared personal cyber defense to securing one's home. Other panelists warned that cyberattacks target people as much as machines, with rising risks from disinformation and low-cost AI-driven exploits. Saudi Arabia and the UN announced a new global capacity-building initiative to strengthen training, research and policy development worldwide.

NIST has released Special Publication 1334, a concise guide to managing cybersecurity risks from removable media in operational technology environments. The document highlights USB flash drives as common tools for firmware updates and diagnostics, but also major malware vectors threatening industrial control systems. The two-page guide outlines procedural, physical, technical and transportation controls, urging strict policies, secure storage, malware scanning and data sanitization. NIST warns infected devices can disrupt operations or compromise safety, underscoring the growing sophistication of OT-targeted threats.

Immigration and Customs Enforcement has resumed purchasing access to vast troves of smartphone location data. According to documents reviewed by 404 Media, ICE selected surveillance tools from PenLink, whose products Tangles and WebLoc aggregate billions of daily signals from hundreds of millions of devices and link them with social media data for analysis. The decision reverses earlier assurances that ICE had ended such practices after a Department of Homeland Security Inspector General report found the agency violated the law by using location data without adequate safeguards. Critics, including Senator Ron Wyden, warn the program enables warrantless tracking of Americans' movements in sensitive areas such as abortion clinics or houses of worship. ICE maintains the data is necessary to support investigative missions.

A newly patched VMware vulnerability has been exploited as a zero-day since October 2024, according to NVISO Labs. The flaw, rated high severity with a CVSS score of 7.8, impacts VMware Aria Operations and VMware Tools, allowing attackers to escalate privileges to root on virtual machines. While Broadcom released patches this week, its advisory did not acknowledge in-the-wild exploitation, and NVISO attributes the activity to Chinese state-sponsored group UNC5174, which has used the bug for at least a year. The issue also affects the open source variant open-vm-tools included in major Linux distributions. NVISO warns attackers can exploit weak regex logic to elevate malicious binaries staged in writable directories. Broadcom has patched affected products, with Linux vendors to deliver updates for open-vm-tools.

ClickFix-style attacks are surging and spreading across platforms. Huntress reports a 631% rise in incidents over six months, with techniques now abusing native macOS and Linux functions, not just Windows. Adversaries weaponize user helpfulness: fake verifications and interstitials copy attacker commands to the clipboard, then prompt execution via Run, File Explorer, PowerShell or staged downloads. Variants include FileFix, TerminalFix and DownloadFix. Observed payload flows show explorer.exe or a browser spawning scripting interpreters and making outbound connections, with registry and file artifacts that aid detection. This matters because these lures bypass technical controls and target behavior. Detection chokepoints focus on interpreters, suspicious parent processes and network egress, plus behavioral analytics and process relationship monitoring to cover future iterations and payload swaps, including scams and phishing.

Researchers representing KU Leuven in Belgium and the University of Birmingham and Durham University in the UK disclosed Battering RAM, a hardware attack that uses a $50 interposer placed between CPU and DRAM to gain plaintext access to protected memory on Intel and AMD systems. The technique can bypass Intel SGX and AMD SEV-SNP, defeating memory encryption and boot-time defenses by redirecting protected addresses to attacker-controlled locations. The proof of concept targets DDR4, requires brief physical access and cannot be patched by software. Intel and AMD say physical access attacks fall outside their threat models. Full technical details were published by the researchers.

A new phishing and malware toolkit called Matrix PDF converts ordinary PDFs into interactive lures that can bypass email defenses and redirect victims to credential theft pages or malware, Varonis researchers told BleepingComputer.
First seen on cybercrime forums and promoted via Telegram, the builder, marketed as a phishing simulation and red teaming product, lets attackers import legitimate PDFs, add blurred content and fake secure document prompts, and embed JavaScript and clickable overlays that open external payload URLs. Because the PDFs carry no malicious binaries, Gmail's viewer does not execute PDF JavaScript and treats subsequent fetches as user-initiated clicks, enabling a filter bypass. Matrix PDF is sold by subscription. Varonis urges AI-driven email defenses that analyze PDF structure, detect overlays and detonate embedded URLs in sandboxes.

Three companies disclosed breaches this week impacting about 3.7 million people across North America. Allianz Life confirmed nearly 1.5 million customers, staff and financial professionals were exposed in a third-party CRM break-in, with Social Security numbers among the data stolen. Canadian airline WestJet reported 1.2 million Americans' information compromised in a June attack linked to Scattered Spider, though no payment data was taken. Meanwhile, Ohio-based Motility Software Solutions said ransomware affected 766,000 people, potentially exposing personal and licensed data. All firms offered credit monitoring.

Coming up after the break, Tim Starks from CyberScoop unpacks a report from Senate Democrats on DOGE, and the Lone Star State proves even the Internet isn't bulletproof. Stay with us.

Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program.
Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust tasks, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber.

AI adoption is exploding and security teams are under pressure to keep up. That's why the industry is coming together at the DataSec AI Conference, the premier event for cybersecurity, data and AI leaders, hosted by data security leader Cyera. Built for the industry, by the industry, this two-day conference is where real-world insights and bold solutions take center stage. DataSec AI '25 is happening November 12th and 13th in Dallas. There's no cost to attend. Just bring your perspective and join the conversation. Register now at datasecai2025.com/cyberwire.

Joining me once again is Tim Starks. He is a senior reporter at CyberScoop. Tim, it's great to have you back.
A
Always my pleasure.
B
So we've got a group of Senate Homeland Security and Governmental Affairs Committee members, Democrats, we should note, who put out a new report recently that you've chronicled over on CyberScoop. What's going on with this report, Tim?
A
Yeah, so the committee Democrats said we're going to take a look at what DOGE was doing, the Department of Government Efficiency, what they were doing at a few agencies: Social Security Administration, General Services Administration and the Office of Personnel Management. And what they found and concluded in the report that they released was that essentially they're operating outside of privacy and cybersecurity laws. Some of these things are things we've heard before. Some of these things have been reported, some of these things have been alleged in court disclosures. But they do get into the weeds a little bit more on those specific agencies, a couple specific things that are happening at those, and they detail the way in which they've been rebuffed as overseers that check on the federal government. The oversight role, they say, was being squashed here.
B
Before we dig into the details, reading through this report, what is your take on the seriousness of it versus the partisan nature of it? Obviously, this is all Dems. What's your take?
A
It's a really good question. I mean, I think if Republicans were doing this report, it wouldn't exist. They just wouldn't do it, certainly for a Republican administration. They just wouldn't pursue it. With the state of the party today, I'm sure the Democrats don't mind sticking it to the Trump administration, but the person leading the committee is Gary Peters on the Democrat side. And Gary Peters is one of the more bipartisan senators in the entire body. If you just look at his track record and look at the way he's worked on cyber issues, particularly, you know, before the current chairman, Rand Paul, he worked with the predecessor there to pass a lot of legislation. So I can't say that there's no partisan motive, but I can say that the history of the person who's leading it would suggest that at least a significant amount of it is coming from a legitimate desire to have oversight in the face of a Republican leadership that doesn't seem to be interested in saying anything negative whatsoever about this administration.
B
Well, let's dig into some of the details here. What are some of the things that you think should have the attention of our audience?
A
You know, there were some sections in there about the GSA and them having a Starlink link or network that potentially puts information security at that agency in jeopardy. They already have a secure Internet connection, was what the report said. Starlink just gives opportunities, certainly for, you know, what they think it was about, which was people from the Department of Government Efficiency being able to communicate outside of official channels, but gives a way in for attackers. The other thing that struck me as new and noteworthy was that there was, after the uploading of a big file of personal information at the Social Security Administration known as Numident, that there was a risk assessment done by the SSA, and they looked at it and said, as a result of this, and not having additional protections against unauthorized access, the risk of a catastrophic cyber attack or breach is at 35 to 65%. They said that sensitive personal information could be exposed. They talked in the report about some things we've heard about before, which is that some of these kind of changing of environments and moving things around is giving an opportunity to foreign adversaries. They talked about good old Big Balls, the somewhat infamous DOGE employee. You know, there's been some reporting about his past working at a cybersecurity firm and getting fired, allegedly for sharing sensitive information with a competitor. So there's a lot of stuff that's familiar, there's a lot of stuff that is new, and there's a lot of stuff that's about, okay, these people were blocked at basically every turn. They say they were invited to come in and do some touring. They would say, no, but you can't go into that office. And then when they said, can we go into this office? We can't go in today. Can we go another day? They say, sure, come on back the next day.
And then when they go to follow up, suddenly they're not getting responses about returning that day. So there's a few things that jumped out at me.
B
You've reached out to some of the agencies here. What's their response been?
A
Yeah, the response has been, you know, there's a certain kind of Trumpian response to any negative feedback. That is, these people are partisan hacks. You know, this is the fake news. They didn't quite go there, but they did reject the gist of it. They pointed to past responses that they've made to allegations about the Numident database being insecure. They just essentially said, you know, that DOGE people aren't here. Maybe that's the case now. But was that the case? That's interesting. The way they phrased it was very specific to make you wonder, oh, well, there aren't people here now. To what degree were they doing some of these things? So they pushed back, but they didn't push back quite as hard as we've seen from time to time what this administration has done when somebody says something they don't like.
B
So what happens next here? Is this report at all actionable?
A
Interesting question. Yeah, I mean, I think if you're looking at the things that would normally be levers of an attempt to get these organizations into the law, essentially to be doing things that are legal, because one of the things this report says is they operated in violation of existing cybersecurity laws. You start looking at the fact that those laws exist, you're not obviously going to see Congress pass new laws about the FISMA law that we well know governs security of federal agencies. They could maybe tweak that law. But I think the other thing is that's when, if you see a switch over in power with Republicans getting out of power in the Senate or House or both, then you get into a situation where appropriators can start putting conditions on funding, saying, hey, we need evidence that you've trained these people or else we're going to cut funding to your agency. I wonder how much that would be something that the Trump administration would be sad about, because in a lot of cases, they're wanting to cut these agencies down in size. There are a few avenues, but I think they're of questionable effectiveness even if they do happen. I don't think it's impossible that something could happen if there was a changeover in Congress, but I just wouldn't put a lot of money on it if it were me.
B
Yeah. So in the end, how valuable is this report?
A
I think if you're a person who has any of their information in the federal government, which is all of us, you know, things like our Social Security numbers, that's cause for concern. Does that mean you can do anything about it? I think that's what you're getting at in a certain way, Dave, is as a private individual, there's not much you can do other than voting, you know, or getting involved in the campaign process. Well, I guess I should back up. I mean, there are ways you could maybe take court action if you were able to say, my rights, my privacy rights have been violated, maybe you have a way to pursue any kind of redress in court. So it's another one where there's a few different maybes, but also that I wouldn't put a lot of money on. It is, I think, just from the standpoint of being a little bit of a nerd about the Constitution and being excited about the fact that I, a reporter, am in the very First Amendment. I think an informed nation is better off. So I hope that in a way, reporting on something like this contributes to that information. And then I guess it starts to get a little bit more amorphous out of there about who could do what about it. But I'm going to do my job and then let the people figure out what they're going to do in response.
B
Yeah, it's so strange to be in this place operating outside of history's norms.
A
Yeah, I mean, you know, I think what we've seen happen in past administrations when something like this might have come out is you might have seen an administration jump to and say, ah, yes, we'll fix this. We want to be responsive to Congress, we want to be responsive to the voters. This administration has exposed a lot of ways in which, unless there's something that really actually makes you do something and there's somebody from the outside who can actually force you to do something, how much the weaknesses in our system have been exposed in that way.
B
Tim Starks is a senior reporter at CyberScoop. We will have a link to his coverage in our show notes. Tim, thanks so much for joining us.
A
Happy to do it.
B
Think your certificate security is covered? By March 2026, TLS certificate lifespans will be cut in half, meaning double today's renewals. And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume. That's exponential complexity, operational workload and risk, unless you modernize your strategy. CyberArk, proven in identity security, is your partner in certificate security. CyberArk simplifies lifecycle management with visibility, automation and control at scale. Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security. Visit cyberark.com/47day. That's cyberark.com, the numbers 4-7, day.

And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.

And finally, the Internet, it turns out, is just as fragile as the squirrels and snakes that occasionally gnaw or slither their way into service outages. Last week in Texas, though, the culprit wasn't wildlife but a bullet. A stray round pierced a fiber optic cable, cutting off Spectrum service for 25,000 people across Dallas, Austin, San Antonio and beyond. Customers lost Internet, phones and TV mid-meeting, mid-binge, mid-life. Spectrum confirmed the gunshot damage, but offered no clues about who fired the shot or how they figured it out. In sprawling Texas, with its abundance of firearms and jurisdictions, tracing one stray bullet is like hunting tumbleweeds. America has seen wildlife take out the Internet before, but only here do bullets sometimes join the food chain of digital disruption.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
C
And Doug, here we have the LiMu Emu in its natural habitat, helping people customize their car insurance and save hundreds with Liberty Mutual. Fascinating. It's accompanied by his natural ally, Doug.
B
LiMu is that guy with the binoculars.
C
Watching us. Cut the camera. They see us.
B
Only pay for what you need. libertymutual.com. Savings vary. Underwritten by Liberty Mutual Insurance Company and affiliates, excludes Massachusetts.

Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
Published: October 1, 2025
Host: Dave Bittner (N2K Networks)
Guest: Tim Starks (Senior Reporter, CyberScoop)
This episode focuses on the intersection of politics and cybersecurity, exploring how partisan gridlock in Congress is disrupting federal cybersecurity initiatives, and how a recent Senate committee report alleges serious lapses in government cyber practices. The episode also covers major global and industry incidents, including vulnerabilities, international forums, new attack trends, and a fascinating story about a gunshot disrupting Texas internet access. The centerpiece is an in-depth interview with Tim Starks on a Democratic Senate report detailing potential violations of privacy and cyber laws by federal agencies.
Summary Tone:
The episode maintains a brisk, investigative tone, typical of CyberWire, blending technical rigor with journalistic scrutiny and a touch of wry humor, especially in the closing news segment.
For more detailed coverage and links to all stories, visit the CyberWire Daily Briefing.