A
You're listening to the Cyberwire Network powered by N2K.
B
If securing your network feels harder than it should be, you're not imagining it. Modern businesses need strong protection, but they don't always have the time, staff, or patience for complex setups. That's where NordLayer comes in. NordLayer is a toggle-ready network security platform built for businesses. It brings VPN, access control, and threat protection together in one place. No hardware, no complicated configuration. You can deploy it in minutes and be up and running in less than 10. It's built on zero trust principles, so only the right people can get access to the right resources. It works across all major platforms, scales easily as your teams grow, and integrates with what you already use. And now NordLayer goes even further through its partnership with CrowdStrike, combining NordLayer's network security with Falcon endpoint protection for small and mid-sized businesses. Enterprise-grade security, made manageable. Try NordLayer risk free and get up to 22% off yearly plans, plus an extra 10% with the code CYBERWIRE10. Visit nordlayer.com/cyberwire-daily to learn more.

CISA's interim director uploaded sensitive government material into the public version of ChatGPT. The cyber attack on Poland's power grid compromised roughly 30 energy facilities. The EU and India sign a new partnership that includes expanded cyber cooperation. Meta rolls out enhanced WhatsApp security features. Researchers uncover a campaign targeting LLM service endpoints. Fortinet and OpenSSL patch multiple vulnerabilities. The high-severity WinRAR vulnerability continues to see widespread exploitation six months after it was patched. The SoundCloud data breach affected nearly 30 million users. Ben Yelin explains the California lawsuit accusing social media platforms of harming kids, and a Spanish resort town gets hit with low-rent ransomware.
B
It's Wednesday, January 28, 2026. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It's great to have you with us. Politico reports the interim director of the Cybersecurity and Infrastructure Security Agency, Madhu Gottumukkala, triggered internal cybersecurity alarms after uploading sensitive government material into the public version of ChatGPT. According to multiple officials, CISA's monitoring systems detected the activity in early August, prompting a Department of Homeland Security-level review to assess potential damage to government security. The outcome of that review has not been disclosed. CISA said Gottumukkala had temporary authorization to use ChatGPT under DHS controls and that the use was limited and short term, disputing parts of the reported timeline. However, unlike DHS-approved internal AI tools, the public ChatGPT platform shares uploaded data with OpenAI, raising concerns about exposure beyond federal networks. The incident led to meetings with senior DHS legal and IT leadership and could carry administrative consequences under federal document handling rules. The episode adds to broader scrutiny of Gottumukkala's leadership, which has included prior internal disputes and security-related controversies. A coordinated cyberattack on Poland's power grid in late December compromised control and communications systems at roughly 30 energy facilities, according to a new report from cybersecurity firm Dragos. While Polish officials said the attack was stopped before causing outages, researchers found attackers accessed operational technology systems and permanently disabled some equipment. The electricity transmission backbone remained unaffected and power was not interrupted. The attack targeted distributed energy resources, including combined heat and power plants and systems managing wind and solar dispatch. Loss of communications limited operators' ability to remotely monitor and control equipment.
Though it remains unclear whether attackers issued operational commands or focused on disruption, Dragos attributed the incident to the Russian-linked Sandworm group with moderate confidence, reinforcing concerns that distributed energy systems, often less protected than centralized infrastructure, are now a serious target for sophisticated cyber adversaries. The European Union and India signed a new security and defense partnership that includes expanded cyber cooperation, pledging to deepen their existing cyber dialogue and increase exchanges on cybersecurity threats. Behind the public agreement, however, European cyber diplomats, including officials linked to the EU Agency for Cybersecurity, have privately raised concerns about India's growing hackers-for-hire ecosystem. During closed-door discussions, Indian officials rejected those claims, denying such an ecosystem exists and arguing that if it did, it would be a private sector matter beyond government control. Meta has begun rolling out Strict Account Settings, a new WhatsApp security feature aimed at journalists, public figures, and other high-risk users facing sophisticated threats like spyware. The opt-in setting applies the platform's most restrictive privacy controls, including mandatory two-step verification, blocking unknown senders, silencing unknown callers, limiting profile visibility, and disabling features that could be exploited. WhatsApp says the feature is intended for a small subset of users and will roll out gradually, following past spyware campaigns that targeted WhatsApp users through zero-click exploits. Researchers at Pillar Security have uncovered an active cybercrime campaign targeting exposed or weakly protected large language model service endpoints. Over 40 days, more than 35,000 attack sessions were observed, revealing an operation dubbed Bizarre Bazaar, one of the first documented cases of LLM jacking attributed to a specific threat actor.
The attackers exploited misconfigured AI infrastructure to steal compute resources, resell API access, exfiltrate prompt data, and attempt lateral movement into internal systems. The campaign targets self-hosted LLMs, exposed AI APIs, and publicly accessible Model Context Protocol servers, often within hours of appearing in Internet scans. Pillar Security describes a coordinated supply chain involving scanning, validation, and resale of access through an online service. The activity remains ongoing. Fortinet has released emergency patches for a FortiCloud single sign-on authentication bypass that was actively exploited as a zero-day against FortiGate devices. The flaw, with a CVSS score of 9.4, allowed attackers with a FortiCloud account to access other customers' registered devices when FortiCloud SSO was enabled. Exploitation was detected after attackers created administrator accounts and exfiltrated configuration files, even on fully patched systems. Fortinet blocked malicious accounts, briefly disabled FortiCloud SSO, and now requires patching to restore the feature. CISA added the flaw to its Known Exploited Vulnerabilities catalog. Separately, OpenSSL released updates fixing 12 vulnerabilities, including a high-severity remote code execution risk. Google's Threat Intelligence Group warned that a high-severity WinRAR path traversal vulnerability continues to see widespread exploitation six months after it was patched. The flaw was exploited in the wild before RARLAB released a fix in late July and has since attracted a growing mix of attackers. Google attributes activity to at least three financially motivated groups, four Russia state-sponsored actors, and one China-based attacker. Nation-state groups have used the bug for espionage, including campaigns against Ukrainian military and government targets, while cybercriminals have deployed malware such as remote access trojans and info stealers across multiple regions.
All attackers use a shared technique involving malicious RAR archives that silently drop payloads without user interaction, making detection difficult. Google urged organizations to update WinRAR and hunt for indicators of compromise. The SoundCloud data breach, disclosed in December of last year, has now been added to Have I Been Pwned, confirming that nearly 30 million user accounts were affected. Attackers exploited unauthorized access to an internal service dashboard, allowing them to link users' email addresses, normally private, to public profile information. Exposed data included usernames, display names, avatars, follower counts, and sometimes country information, but not passwords, financial data, or private content. SoundCloud detected the activity through internal monitoring, isolated the affected systems, and brought in external security experts, stating the breach was contained. Afterward, the company faced denial of service attacks and temporary access issues caused by misconfigured security controls. The attackers allegedly attempted extortion before leaking the data online in January of this year, after which it was widely redistributed. Coming up after the break, Ben Yelin explains the California lawsuit accusing social media platforms of harming kids. And a Spanish resort town gets hit with low-rent ransomware. Stick around.

What's your 2 a.m. security worry? Is it "Do I have the right controls in place?" Maybe "Are my vendors secure?" Or the one that really keeps you up at night: "How do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V A N T A dot com slash cyber.

When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.

And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast. Ben, welcome back.
A
Good to be with you again, Dave.
B
So we've got a trial kicking off here in California, your home state.
A
Go Cali. Yep.
B
Yeah, in Los Angeles. And not to be breathless here, but some of the folks involved with this case are saying that they're putting the Internet on trial. What's going on here, Ben?
A
Yeah, so this is a big one. A plaintiff who is not named in the suit, because it's somebody who is underage, has filed suit in California Superior Court against basically all of the big tech players. So Meta, TikTok, and YouTube through Google, and we're going to have a jury trial here. So this is really the first time that social media companies will have to go in front of a jury and defend some of their practices and consider claims that their algorithms and their way of doing business is harming the mental health of young people. So the allegation is that in the way these products are designed, they produce these sort of addictive features. So infinite scroll, autoplay, persistent notifications, et cetera. They've pointed to some literature saying that these tools in social media have caused or worsened depression, eating disorders, self-harm, and in the most extreme cases, suicide. And they're going to go through the discovery process to try and prove that these companies knew or should have known about harms to minors but failed to act. This is going to be a very difficult lawsuit for the plaintiff. It's going to be very difficult for them to prevail on the merits here. This is being considered under a products liability framework. In most products liability frameworks, there's some design defect, and it's very clear how and when a person was injured by that design defect. So there's a law professor in this article who's like, they're trying to analogize this to the Coke bottle that explodes in your face. And if that doesn't make sense to you, that shows you why using this sort of products liability theory is going to be problematic here. But I think the trial itself, even if the plaintiff ultimately doesn't prevail, is going to be eye-opening for a couple of reasons.
One, you're going to have some high profile people who are going to be forced to take the stand to testify, including Mark Zuckerberg, who I don't know about you, Dave, but I've seen him testify in front of Congress and it has not gone well.
B
No, no. He's not at his best in those situations.
A
It seems to me that is not his strength. And I wonder if that will have some impact on the jury or just kind of on the public's view of this trial. And then the other big deal here is the discovery process. For the first time, the plaintiffs and their attorneys are going to be able to look through decades' worth of documents on how they've developed some of these tools and algorithms. And that could be really eye-opening. That's where people are drawing these parallels to the lawsuits against big tobacco companies in the 1990s, where they looked back at this 50-year horizon on strategies these companies used to get young people addicted to their products. And we could certainly see the same thing here. I think from the companies' perspective, they're saying that this lawsuit just misportrays their work, that they have taken steps to improve online safety for young people with things like parental controls and other safety features. But there's certainly the potential, if the plaintiff prevails, that we could see major industry-wide changes that rival some of the changes that came to the tobacco industry after those big lawsuits in the 90s.
B
Hmm. I'm looking at some of the reporting here from NPR on this story. And they note that the judge in this case has already struck some of the plaintiff's claims on the grounds that they're third-party content and they're covered by Section 230 of the Communications Decency Act. What do you make of that, Ben?
A
Right. So Section 230 says that the platforms themselves are not liable for content posted on their platforms. Very controversial. But I think that does cover a lot of the claims here. If you're making a direct allegation of injury based on a particular post or a particular series of posts, I do think that Section 230 is going to immunize these companies, at least the way the law is structured. Now, they can always change the law, and there have been discussions about doing that, but really you can only be liable in terms of the products that they themselves have created, not the users. So what are those products that they themselves have created, these big tech companies? It is the algorithms, it is the scrolling features, that sort of thing. So when you start to base allegations on particular content, that's where the plaintiffs are going to run into these 230 issues where parts of the case are going to be dismissed.
B
Do you suppose this could head in a direction, or maybe bolster the arguments of folks who say, that these social media platforms should be treated like pornography, in that under a certain age you're not permitted to interact with them?
A
Yeah, I mean, I think there's the chance that we go down a path like that. They're asserting a First Amendment interest, which they definitely have. I mean they have the right to freedom of expression and that includes the way they build out these platforms. They do have a protected First Amendment interest, as do pornographers, by the way. But I think the law understands things differently when we're talking about non consenting or young people who are just not capable of consenting to seeing this type of content.
B
I see.
A
Or for understanding how these algorithms work and how they're being driven to certain pieces of information. Again, I'm not sure that this case is going to be the vehicle to do that, but it might start a long process that ends up with some sort of resolution as to whether these companies can be held responsible for psychological harm, which would force them to make major design changes to further enhance protections for the safety of children in ways that they've been reluctant to do in the past, both for cost reasons and also because they don't want to restrict access for adults to certain content. So.
B
Yeah, you know, I gotta ask Ben, what kind of timeline does this put us on to actually get any results?
A
It's never one of those things, Dave, where it's like, oh, well, we'll know in a couple of weeks. Yeah, I mean, this is going to be a long trial. Luckily, we're getting close to the actual trial itself, which is good because we've gone through months and years of dueling motions. And, you know, as you mentioned, the petition to narrow the case based on issues that the plaintiff's not going to win. So things that are protected by Section 230. But I think the litigation itself could take a long time, potentially up to a month, and then several more months after that for a decision from this judge. And then you have to consider the appeals process through the California court system, which could take a long time.
B
Yeah.
A
And it's unlikely that this case, because it's a state based case, would be on a direct path to the Supreme Court. But you never know. It could happen.
B
Ben Yelin is from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast. Ben, thanks so much for joining us.
A
Good to be with you, Dave.
B
The world moves fast. Your workday even faster. Pitching products, drafting reports, analyzing data. Microsoft 365 Copilot is your AI assistant for work, built into Word, Excel, PowerPoint, and other Microsoft 365 apps you use, helping you quickly write, analyze, create, and summarize so you can cut through clutter and clear a path to your best work. Learn more at Microsoft.com/M365Copilot.
A
This episode is brought to you by Indeed. Stop waiting around for the perfect candidate. Instead, use Indeed Sponsored Jobs to find the right people with the right skills fast. It's a simple way to make sure your listing is the first thing candidates see. According to Indeed data, sponsored jobs have four times more applicants than non-sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsored job credit at Indeed.com/podcast. Terms and conditions apply.
B
And finally, in the beautiful coastal town of Sanxenxo in northwestern Spain, the city council has learned that ransomware does not respect coastal charm. Hackers broke into the town hall's systems on January 26, encrypting thousands of administrative documents and knocking internal operations offline. The attackers then made their demand: $5,000 in Bitcoin, a ransom so small it raised questions about whether this was cybercrime or a clearance sale, or maybe a practical joke. City officials were unimpressed. They refused to pay, notified Spain's Civil Guard, and began restoring systems from daily backups. Some services never went down at all, including the online citizen portal and two municipal companies operating on separate networks. Recovery is ongoing, though slower than initially hoped. The attack is part of a wider surge in ransomware hitting Spanish municipalities, but Sanxenxo's case stands out for its unusually low ransom demand, more of a nuisance than anything else. Too small to negotiate, too annoying to ignore.

And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwiren. A tip of the hat to our T-Minus Space Daily team, who are on site in Florida covering Space Week. I had the pleasure of filling in for Maria Varmazis yesterday on T-Minus, so if you want to check that out, we've got a link in the show notes. N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
B
If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco.

Attackers don't go through your tools, they go around them. In our interview with Jared Atkinson, CTO at SpecterOps, he reveals how attackers look to exploit our identities, steal tokens, and quietly snowball their access across Active Directory, cloud apps, and GitHub. We talk through attack paths, why least privilege keeps failing, and how one misconfiguration can hand over the keys to your organization. Want to see risk as attackers do? Then check out the full interview now on TheCyberWire.com. SpecterOps.
Date: January 28, 2026
Host: Dave Bittner (N2K Networks)
Featured Guest: Ben Yelin, University of Maryland Center for Health and Homeland Security
This episode explores major recent cybersecurity incidents and trends from across the globe, with a close look at the risk of exposing sensitive data to public AI services, a high-profile cyberattack on Poland's power grid, ongoing threats like WinRAR vulnerabilities and LLM endpoint attacks, and high-stakes litigation in California challenging social media giants over alleged harm to children. The tone is urgent, insightful, and at times laced with dry wit.
This episode delivers a fast-moving, high-stakes snapshot of today’s cybersecurity landscape: from government security lapses in the AI age, to hostile state-backed grid hacks, ongoing software risk, and the nascent legal battles pushing tech industry accountability on youth mental health. Listeners come away with a holistic view of digital threats, regulatory anxieties, and the messy intersection of law, policy, and human behavior in cyberspace.