The CyberWire Daily Podcast 11.19.25
Ep 2437 | 11.19.25

The oversized file that stalled the internet.

Transcript

Cloudflare’s outage is rooted in an internal configuration error. The Trump administration is preparing a new national cyber strategy. CISA gives federal agencies a week to secure a new Fortinet flaw. MI5 warns that China is using LinkedIn headhunters and covert operatives to target lawmakers. Experts question the national security risks of TP-Link routers. The China-aligned PlushDaemon threat group hijacks software updates. Researchers discover WhatsApp’s entire global member directory accessible online without protection. LG Energy Solution confirms a ransomware attack. ShinySp1d3r makes its debut. Rotem Tsadok, Director of Security Operations and Forensics at Varonis, is sharing lessons learned from thousands of forensics investigations. A judge says Google’s claims to water use secrecy are all wet.

Today is Wednesday, November 19th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Cloudflare’s outage is rooted in an internal configuration error. 

Yesterday, Cloudflare suffered its worst outage in six years after a routine database permissions change triggered a cascading failure across its Global Network. The issue began when the update caused the Bot Management system to generate an oversized configuration file that exceeded built-in limits and crashed critical traffic-routing software.

The faulty file contained duplicate metadata that pushed the system past its 200-feature cap. Clusters alternated between healthy and broken states as machines produced conflicting configuration files every five minutes. The oversized file then propagated across the network, causing system panics and widespread 5xx errors. Engineers restored core traffic by replacing the file with an earlier version.
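As an added illustration (not Cloudflare’s code), the sketch below models the failure mode just described from a defender’s side: a feature-file builder that deduplicates rows, enforces the hard 200-feature cap, and keeps serving the last known good file instead of crashing when the cap is still exceeded. Feature names, the `source_table` column and the `simulate` scenario are constructed for the example.

```python
"""Constructed example of a config loader that fails safe instead of panicking.
Not Cloudflare's code; only the 200-feature cap and the duplicate-row trigger
are taken from the public outage description."""
from dataclasses import dataclass

FEATURE_CAP = 200  # hard limit the consuming software enforces


@dataclass(frozen=True)
class FeatureRow:
    name: str
    source_table: str  # constructed: duplicate rows differ only here


def build_feature_file(rows):
    """Deduplicate rows by feature name; raise if the result is still over the cap."""
    seen = {}
    for row in rows:
        # A permissions change that exposes a second schema returns the same
        # feature twice; keep the first copy rather than counting both.
        seen.setdefault(row.name, row)
    features = list(seen.values())
    if len(features) > FEATURE_CAP:
        raise ValueError(f"{len(features)} features exceed cap of {FEATURE_CAP}")
    return features


def load_with_fallback(rows, last_known_good):
    """Build a fresh file; on failure keep the previous version in service
    so a bad generator run never takes the consumer down."""
    try:
        return build_feature_file(rows), "fresh"
    except ValueError:
        return last_known_good, "fallback"


def make_rows(n, table):
    return [FeatureRow(f"feat_{i}", table) for i in range(n)]


def simulate(n_good, n_new):
    """Constructed scenario: a known-good file of n_good features, then a new
    run whose n_new features each appear twice (two source tables)."""
    good, _ = load_with_fallback(make_rows(n_good, "default"), [])
    new_rows = make_rows(n_new, "default") + make_rows(n_new, "r0")
    result, status = load_with_fallback(new_rows, good)
    return len(new_rows), len(result), status
```

With 60 real features duplicated to 120 rows, deduplication yields a fresh 60-feature file; with 250 distinct features the cap trips and the 150-feature last-known-good file stays in service.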

The Trump administration is preparing a new national cyber strategy. 

The Trump administration is preparing to release a new national cyber strategy, according to National Cyber Director Sean Cairncross, who said the effort is moving “quickly” and aims to provide a single, coordinated approach unlike previous attempts. Speaking at the Aspen Cyber Summit, Cairncross outlined six planned pillars, including a focus on “shaping adversary behavior” and improving public-private partnerships. He argued the United States has not effectively signaled consequences to cyber adversaries, noting that ransomware responses remain fragmented and lack a long-term, government-wide plan. Cairncross said the forthcoming strategy will be concise and paired with immediate action items, and that his office is modernizing federal processes, including technology procurement and collaboration with national labs. Officials across government have already contributed input, according to FBI Assistant Director Brett Leatherman. Former Acting National Cyber Director Kemba Walden emphasized that clear deliverables and aligned budgets are essential to make the strategy effective.

CISA gives federal agencies a week to secure a new Fortinet flaw. 

CISA has ordered U.S. federal agencies to secure Fortinet FortiWeb devices within a week after discovering active exploitation of CVE-2025-58034, an OS command injection flaw. The vulnerability allows authenticated attackers to execute unauthorized code through crafted HTTP requests or CLI commands. Added to CISA’s Known Exploited Vulnerabilities Catalog, the flaw must be remediated by November 25 under Binding Operational Directive 22-01. CISA warned that such vulnerabilities are common attack vectors and pose significant risks to federal networks.

MI5 warns that China is using LinkedIn headhunters and covert operatives to target lawmakers. 

Britain’s MI5 warned that China’s Ministry of State Security is using LinkedIn headhunters and covert operatives to target lawmakers, parliamentary staff, consultants, economists, and think-tank researchers. The alert follows a collapsed espionage case involving two men accused of aiding Beijing. MI5 identified two China-based headhunters, Amanda Qiu and Shirly Shen, as recruiters who approach targets under corporate cover to solicit geopolitical reports that feed wider intelligence efforts. China denied the allegations as “fabrication.” Security Minister Dan Jarvis called the activity a calculated attempt to interfere with U.K. affairs and announced new countermeasures, including £170 million to upgrade government networks, expanded election-security efforts, and steps to protect universities from covert influence.

Experts question the national security risks of TP-Link routers. 

Experts say the U.S. House Select Committee on the Chinese Communist Party’s request to investigate TP-Link for national security risks is built on weak evidence and selectively targets one Chinese manufacturer. The lawmakers cite open-source reports, including work from former FCC Commissioner Michael O’Rielly at the Hudson Institute and research from Check Point’s Itay Cohen, but neither shows TP-Link acted maliciously. O’Rielly notes past TP-Link vulnerabilities were patched, and Cohen’s findings show Chinese APT malware could just as easily infect routers from Cisco or Netgear. Additional claims about Volt Typhoon overlook that DOJ removals involved Cisco and Netgear devices, not TP-Link. Researchers including Cohen and KnowBe4’s Roger Grimes stress that all routers are broadly vulnerable because users rarely patch them. Critics argue focusing on TP-Link distracts from larger risks tied to widespread dependence on China-made technology.

The China-aligned PlushDaemon threat group hijacks software updates. 

ESET researchers detail how the China-aligned PlushDaemon threat group uses its previously undocumented EdgeStepper network implant to hijack software updates through adversary-in-the-middle attacks. EdgeStepper redirects all DNS queries on compromised network devices to a malicious DNS node, which reroutes legitimate update traffic to attacker-controlled servers. From there, victims receive LittleDaemon, followed by the DaemonicLogistics downloader, which ultimately deploys the group’s SlowStepper backdoor. Active since at least 2018, PlushDaemon has targeted individuals and organizations across China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand. ESET’s analysis shows the group compromising routers or servers, exploiting weak credentials or vulnerabilities, and hijacking updates for software such as Sogou Pinyin to deliver malware.

Researchers discover WhatsApp’s entire global member directory accessible online without protection. 

Austrian researchers discovered that WhatsApp’s entire global member directory, more than 3.5 billion accounts, was accessible online without protection, allowing them to download phone numbers, profile data, public keys, and profile photos at scale. Meta ignored their warnings for a year before responding, ultimately calling the issue a “scraping” problem and saying no private messages or non-public data were exposed. The dataset revealed sensitive information such as workplace details, political or sexual orientation, links to social profiles, and device-usage patterns. Researchers also identified millions of active accounts in countries where WhatsApp was banned, creating potential safety risks for users. Roughly 57 percent of users had publicly visible profile photos, enabling large-scale facial recognition mapping between faces and phone numbers.

LG Energy Solution confirms a ransomware attack. 

LG Energy Solution confirmed a ransomware attack on one of its overseas facilities after the Akira gang listed the company on its leak site. The group claims to have stolen 1.7 terabytes of data, including corporate documents, financial records, SQL databases with employee information, confidential projects, and partner data. LG says the affected site has been restored and that headquarters and other facilities were not impacted. The company has not disclosed how many individuals were affected and has launched an investigation.

ShinySp1d3r makes its debut. 

ShinySp1d3r, a new ransomware-as-a-service platform developed by threat actors tied to ShinyHunters, Scattered Spider, and Lapsus$, has surfaced through early builds uploaded to VirusTotal. Researchers found the group is shifting from using others’ encryptors to building its own from scratch. Analysis by Coveware shows the Windows encryptor includes event-logging evasion, process-killing, network propagation, anti-analysis features, Shadow Copy deletion, and ChaCha20 encryption with RSA-2048-protected keys. Each file receives a unique extension and metadata-rich header. Victims get hardcoded ransom notes and a warning wallpaper. ShinyHunters says Linux, ESXi, and a faster “lightning” version are in development, with the operation to run under the Scattered LAPSUS$ Hunters brand.

A judge says Google’s claims to water use secrecy are all wet. 

For months, local governments guarded Google’s projected data center water use in Botetourt County, Virginia as though the numbers were national security secrets rather than estimates about H₂O. Each agency redacted the figures, insisting they were “proprietary” because Google said so. The founder of local newspaper The Roanoke Rambler disagreed and, armed with an $86 filing fee and a stubborn streak, took the Western Virginia Water Authority to court.

Judge Leisa Ciaffone sided with transparency, ruling that water-usage estimates are not corporate property and that the public has a right to know what its government plans to pump into a billion-dollar data center project. She noted that disclosing consumption only after Google signs on the dotted line is, effectively, useless.

But the victory may be temporary. Google, worried competitors might reverse-engineer its data-center strategy from water totals, is urging an appeal. The water authority now appears ready to fight on, sending the case toward the Virginia Court of Appeals, where judges may soon decide whether mere gallons can truly be treated as trade secrets.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.