The CyberWire Daily Podcast 10.31.25
Ep 2425 | 10.31.25

CISA’s steady hand in a stalled senate.

Transcript

CISA says cooperation between federal agencies and the private sector remains steady. Long-standing Linux kernel vulnerability in active ransomware campaigns confirmed. A Chinese-linked group targets diplomatic organizations in Hungary, Belgium, and other European nations. A government contractor breach exposes data of over 10 million Americans. Luxury fashion brands fall victim to impersonation scams. Phishing shifts from email to LinkedIn. Advocacy groups urge the FTC to block Meta from using chatbot interactions to target ads. A man pleads guilty to selling zero-days to the Russians. Emily Austin, Principal Security Researcher at Censys, discusses why nation state attackers continue targeting critical infrastructure. When M&S went offline, shoppers hit ‘Next’.

Today is Friday, October 31st, 2025. I’m Maria Varmazis, host of T-Minus Space Daily here on the N2K CyberWire network, filling in for Dave Bittner. And this is your CyberWire Intel Briefing.

CISA says cooperation between federal agencies and the private sector remains steady. 

Despite the recent expiration of the 2015 Cybersecurity Information Sharing Act, according to Nick Andersen of the Cybersecurity and Infrastructure Security Agency aka CISA, cooperation between federal agencies and the private sector on cyber threat data sharing remains steady. Andersen credited the sustained collaboration to CISA’s strong reputation and established long-term partnerships, but emphasized that the lapsed authority is “core and critical” to managing national cyber risk. Lawmakers are seeking a 10-year renewal, though efforts have been repeatedly stalled in the Senate amid the ongoing government shutdown. National Cyber Director Sean Cairncross also called the statute “vital,” urging swift reauthorization to preserve the trust and information exchange that underpin U.S. cybersecurity.

Elsewhere, CISA and the NSA, joined by cyber agencies in Australia and Canada, released new guidance to help organizations secure Microsoft Exchange servers from attack. The advisory urges IT administrators to harden authentication, limit administrative access, enforce strong encryption, and adopt zero-trust principles. It strongly recommends decommissioning outdated or hybrid Exchange servers after migrating to Microsoft 365, warning that unsupported systems pose major breach risks. The agencies outlined over a dozen key steps, including enabling multifactor authentication, keeping servers patched, using Kerberos instead of NTLM, enforcing Transport Layer Security, and applying role-based access controls. This guidance follows CISA’s August emergency directive requiring federal agencies to rapidly address a critical Exchange vulnerability.

CISA has also confirmed that a high-severity Linux kernel flaw is now being exploited in ransomware attacks. The vulnerability, a use-after-free bug in the netfilter “nf_tables” component, allows local attackers to gain root-level privileges. It affects major Linux distributions including Debian, Ubuntu, Fedora, and Red Hat. This escalation flaw enables system takeover, lateral movement, and data theft once root access is achieved. Organizations unable to patch are urged to blocklist “nf_tables,” restrict user namespaces, or load the Linux Kernel Runtime Guard module.

A Chinese-linked group targets diplomatic organizations in Hungary, Belgium, and other European nations.

Arctic Wolf Labs has uncovered an active cyber espionage campaign by Chinese-linked group UNC6384 targeting diplomatic organizations in Hungary, Belgium, and other European nations in September and October 2025. The operation exploits a Windows shortcut vulnerability disclosed earlier this year, combined with convincing phishing lures themed around European Commission and NATO events. The multi-stage attack delivers PlugX remote-access malware via DLL side-loading of legitimate Canon printer utilities. Researchers say the campaign shows rapid adoption of newly disclosed flaws, advanced social engineering aligned with diplomatic calendars, and expansion beyond UNC6384’s usual Southeast Asia focus. Arctic Wolf attributes the campaign with high confidence based on tooling, tactics, and infrastructure overlaps with prior operations.

A government contractor breach exposes data of over 10 million Americans. 

Government contractor Conduent has disclosed that a January cyberattack exposed personal data belonging to more than 10 million people across multiple U.S. states. The breach investigation found that attackers had access to Conduent’s systems from October 21 to January 13, stealing files tied to its government service contracts. Impacted states include Texas, Washington, South Carolina, and others, with compromised data such as Social Security numbers and health information. The SafePay ransomware gang claimed responsibility, saying it stole 8.5 terabytes of data. Conduent says no stolen data has surfaced publicly, systems have been restored, and law enforcement is investigating. The company provides technology services for Medicaid, child support, and EBT programs serving about 100 million U.S. residents.

Luxury fashion brands fall victim to impersonation scams. 

Researchers at PreCrime Labs, part of BforeAI, uncovered a surge in malicious domains impersonating luxury fashion brands ahead of the 2025 holiday season. Between mid-August and late September, they identified 1,330 domains, with over 1,200 mimicking 23 major brands. These fraudulent sites exploit brand prestige to lure customers into scams and phishing attacks, causing both financial and reputational harm. Coordinated domain registrations, recurring email operators, and exploitation of current events suggest an organized criminal network preparing large-scale fraud campaigns.

Phishing shifts from email to LinkedIn. 

Hackers are exploiting LinkedIn to phish finance executives with fake invitations to join a “Common Wealth” investment fund’s executive board, aiming to steal Microsoft credentials. According to Push Security, victims receive LinkedIn messages containing malicious links that redirect through Google and Firebase to a fake “LinkedIn Cloud Share” site. The page ultimately displays a spoofed Microsoft login to harvest credentials and session cookies. Push warns that phishing now frequently occurs outside email, with LinkedIn-based attacks rapidly increasing in sophistication and volume.

Advocacy groups urge the FTC to block Meta from using chatbot interactions to target ads. 

A coalition of more than 30 consumer and children’s advocacy groups is urging the Federal Trade Commission (FTC) to block Meta from using users’ chatbot interactions to target ads or personalize content. Meta plans to begin this practice on December 16 without opt-in consent. The groups, including EPIC and the Center for Digital Democracy, argue the move violates Section 5 of the FTC Act on unfair practices. They call it an “industrial-scale privacy abuse,” pressing the FTC to act decisively.

A man pleads guilty to selling zero-days to the Russians. 

Former L3Harris executive Peter Williams, 39, pleaded guilty to two counts of theft of trade secrets for selling eight U.S. government-developed zero-day exploits to a Russian broker in exchange for millions in cryptocurrency. Prosecutors said Williams stole the tools while working at Trenchant, an L3Harris subsidiary, and sold them to a firm believed to be Operation Zero, a Russian platform advertising exploits for non-NATO clients. The scheme, running from 2022 to 2025, caused $35 million in losses and risked arming adversaries with advanced cyber capabilities. Williams faces up to 20 years in prison, fines exceeding $300,000, and $1.3 million in restitution. Sentencing is scheduled for January.


Stick around. After the break, Dave Bittner is joined by Emily Austin, Principal Security Researcher at Censys, as they discuss why nation state attackers continue targeting critical infrastructure. And when M&S went offline, shoppers hit ‘Next’.

Dave Bittner recently sat down with Emily Austin, Principal Security Researcher at Censys, as they discuss why nation state attackers continue targeting critical infrastructure. Here is their conversation.

That was Dave Bittner sitting down with Emily Austin from Censys, discussing why nation state attackers continue targeting critical infrastructure.

When M&S went offline, shoppers hit ‘Next’. 

British retailer Next has discovered that one company’s cyber misfortune can be another’s sales strategy. In a trading update Wednesday, Next credited “favourable weather and competitor disruption” — translation: Marks & Spencer’s cyber meltdown — for a tidy 7.6% sales jump and a £30 million profit boost. M&S, still nursing its digital hangover after months of outages, expects to lose around £300 million this year. While Next, Zara, and H&M cashed in, retailers without robust online stores didn’t see the same windfall. Meanwhile, Jaguar Land Rover’s separate cyber incident wiped £1.9 billion off the British economy, a sobering reminder that not all disruptions come with silver linings. Lawmakers say stronger cybersecurity laws can’t come soon enough.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


Be sure to join us for a new Research Saturday, where Dave Bittner sits down with Dario Pasquini, Principal Researcher at RSAC, discussing the team's work on When AIOps Become “AI Oops”: Subverting LLM-driven IT Operations via Telemetry Manipulation. That’s Research Saturday, check it out!

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.