Transcript
A (0:02)
You're listening to the Cyberwire Network powered by N2K.
B (0:12)
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks, including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.

Grok's non-consensual imagery draws scrutiny from the European Commission. Researchers link several major data breaches to a single threat actor. The UK unveils a new cyber action plan. A stealthy ClickFix campaign targets the hospitality sector. VVS Stealer malware targets Discord users. Covenant Health and Aflac report data leaks. Google silences a critical Dolby flaw. Ilona Cohen, Chief Legal and Policy Officer at HackerOne, joins us to discuss what the SolarWinds dismissal really means for CISOs. And UK students enjoy a digital snow day.

Tuesday, January 6th, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great, as always, to have you with us.

The European Commission is considering enforcement action against X (formerly Twitter) after its artificial intelligence tool Grok was used to generate sexualized images of a minor.
The issue surfaced after Grok responded to prompts to digitally remove clothing from images, including one involving a 14-year-old actress, amid wider misuse to create non-consensual sexual imagery of women. Commission spokesperson Thomas Regnier said officials are very seriously examining the matter, calling the outputs illegal and unacceptable in Europe. He noted this was not the first problematic incident involving Grok and referenced prior concerns, including the spread of Holocaust-denying material. The scrutiny follows a 120 million euro fine issued to X under the Digital Services Act, which X criticized as political censorship. The controversy has intensified tensions between the EU and the United States over platform regulation. Meanwhile, investigations are also underway in France, and the UK regulator Ofcom has warned that creating non-consensual intimate images is a criminal offense and is assessing X's compliance with UK law.

Security firm Hudson Rock reports that several major data breaches are linked to a threat actor known as Zestix, also associated with the persona Centap. The actor functions as an initial access broker, using stolen credentials harvested by information-stealing malware to break into enterprise networks, exfiltrate data and sell both data and system access on underground forums. Hudson Rock says the credentials were collected from infected employee devices, sometimes sitting in logs for years before being exploited. Weak protections, particularly the absence of multi-factor authentication on file-sharing services, enabled repeated compromises. Victims span the aerospace, government, healthcare, legal and robotics sectors, with stolen data sets reportedly sold for up to $150,000. The findings highlight the long-running infostealer problem, where malware-as-a-service has commoditized cybercrime and made large-scale credential theft easier, faster and harder to detect.
The UK government has unveiled a new cyber action plan that includes a centralized cyber unit and a software security ambassador scheme to strengthen public sector cyber resilience. The measures follow several high-profile 2025 cyber incidents affecting organizations such as Jaguar Land Rover, Marks and Spencer and the Co-op, as well as a recent attack on a supplier to the National Health Service. Backed by £210 million in funding, the plan aims to raise baseline security standards and improve coordinated incident response. The new government cyber unit, housed within the Department for Science, Innovation and Technology, will oversee cross-department risk management. The ambassador scheme promotes a voluntary software security code of practice to reduce supply chain risk. While widely welcomed, some experts warn the funding may fall short of the challenge's scale.

Security firm Securonix warns of a stealthy ClickFix phishing campaign targeting the hospitality sector to deliver remote access trojans. The attack uses fake Booking.com cancellation emails that lure victims to impersonation sites with deceptive CAPTCHAs and fake blue screen messages. Victims are tricked into running PowerShell commands that deploy a customized DCRat. The malware disables defenses, establishes persistence and uses resilient command-and-control techniques designed to survive infrastructure takedowns.

Researchers at Palo Alto Networks Unit 42 have disclosed details of VVS Stealer, a Python-based malware targeting Discord users, active since at least April 2025. The malware is distributed as a PyInstaller package, allowing it to run easily on Windows systems. Its primary goal is to steal Discord authentication tokens, giving attackers access to private messages, accounts and potentially billing data. VVS Stealer uses fake error messages to trick users into rebooting, then performs a Discord injection that modifies application files to monitor activity in real time.
It also harvests credentials from major browsers, captures screenshots and exfiltrates data via webhooks. Unit 42 reports the malware is sold as a subscription service on Telegram, highlighting the continued commercialization of credential-stealing malware.

Nearly 478,000 patients of Covenant Health are being notified that their data may have been stolen in a May 2025 cyberattack. The incident, claimed by the Qilin ransomware group, initially appeared limited but was later found to have a far wider impact. Potentially exposed data includes personal, insurance and medical information. Covenant says it shut down systems to contain the attack and has since strengthened security, though details remain limited.

Aflac is notifying 22.6 million people that their personal and health information may have been stolen in a June 2025 cyberattack. The insurer says the incident was quickly contained and did not involve ransomware, but compromised data may include Social Security numbers and health details. The breach could become the largest US health data incident reported in 2025. Aflac is offering credit monitoring, while multiple class action lawsuits have been filed amid speculation, unconfirmed by the company, that Scattered Spider was involved.

Google has patched a critical vulnerability affecting the Android implementation of Dolby software. The flaw is a buffer overflow in multiple Dolby UDC versions. According to Wiz, the issue stems from improper buffer allocation when processing evolution data, leading to out-of-bounds writes and potential data leakage. Dolby rated the bug as moderate severity, noting it typically causes media player crashes. Google, however, classifies it as critical, warning that, combined with other Android flaws, it could have greater impact, particularly on Pixel devices. The vulnerability has now been fixed through Android security updates.
Coming up after the break, my conversation with Ilona Cohen, Chief Legal and Policy Officer at HackerOne, and UK students enjoy a digital snow day.

What's your 2 a.m. security worry? Is it "Do I have the right controls in place?" Maybe "Are my vendors secure?" Or the one that really keeps you up at night: "How do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.

Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today.

Ilona Cohen is Chief Legal and Policy Officer at HackerOne.
She joins me to discuss what the SolarWinds dismissal really means for CISOs.
