
Everything old is new again.
NATO suspects Russia is developing a new anti-satellite weapon to disrupt the Starlink network. A failed polygraph sparks a DHS probe and deepens turmoil at CISA. A look back at Trump’s cyber policy shifts. MacSync Stealer adopts a stealthy new delivery method. Researchers warn a popular open-source server monitoring tool is being abused. Cyber criminals are increasingly bypassing technical defenses by recruiting insiders. Scripted Sparrow sends millions of BEC emails each month. Federal prosecutors take down a global fake ID marketplace. Monday business brief. Our guest is Eric Woodruff, Chief Identity Architect at Semperis, discussing "NoAuth Abuse Alert: Full Account Takeover." Atomic precision meets Colorado weather.
Today is Monday, December 22nd, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
NATO suspects Russia is developing a new anti-satellite weapon to disrupt the Starlink network.
Two NATO intelligence services suspect Russia is developing a new anti-satellite weapon designed to disrupt Elon Musk’s Starlink network by releasing clouds of high-density pellets into orbit. According to intelligence findings seen by the Associated Press, the so-called “zone-effect” weapon could disable many satellites at once, potentially undermining Western space advantages that have supported Ukraine. Analysts not briefed on the findings question whether such a system could be used without causing uncontrollable debris and widespread damage, including to Russia’s own satellites. Some experts argue the concept may be experimental, exaggerated, or intended as a deterrent rather than a deployable weapon. While Russia denies plans to weaponize space, officials have warned that commercial satellites aiding Ukraine could be legitimate targets, keeping concerns about escalation and orbital chaos alive.
Our “history repeats itself desk” sent us a link to the Wikipedia page on Project West Ford, a U.S. experiment from the 70s which involved putting needles in orbit. We’ll have a link in the show notes.
A failed polygraph sparks a DHS probe and deepens turmoil at CISA.
Acting Cybersecurity and Infrastructure Security Agency director Madhu Gottumukkala failed a polygraph exam in July after seeking access to a highly sensitive intelligence program, according to multiple current and former officials. That access required a counterintelligence polygraph, which senior career staff had questioned, arguing Gottumukkala lacked a clear need-to-know and could rely on less classified material. He nevertheless pushed forward and took the test.
After the failed exam, the Department of Homeland Security launched an investigation alleging that career staff misled Gottumukkala into taking an “unsanctioned” polygraph. At least six employees were placed on paid administrative leave, a move that angered staff and raised concerns about leadership accountability. DHS disputes that Gottumukkala failed an authorized test, while career officials contest that characterization. The episode has intensified instability at CISA, which is already grappling with staffing losses, budget cuts, and the absence of a Senate-confirmed director.
A look back at Trump’s cyber policy shifts.
A sweeping report by KrebsOnSecurity details how the Trump administration has pursued rapid policy shifts that critics say are undermining U.S. capacity to manage cybersecurity, corruption, privacy, disinformation, and press freedom. The changes span nearly every corner of government and emphasize reduced enforcement, dismantled oversight, and tighter political control.
According to the report, the administration expanded ideological screening and surveillance through new executive orders affecting speech, immigration, and travel. At the same time, it scaled back anti-corruption efforts by halting enforcement of bribery laws, dissolving kleptocracy and foreign influence task forces, retreating from crypto regulation, and issuing controversial pardons.
Federal cybersecurity suffered acute damage. Leadership was purged, advisory boards disbanded, budgets slashed, and staff reassigned, leaving agencies like the Cybersecurity and Infrastructure Security Agency severely weakened. The report also describes intensified pressure on the press, erosion of consumer and privacy protections, and unprecedented data access under the now-defunct DOGE initiative, raising long-term national security concerns.
MacSync Stealer adopts a stealthy new delivery method.
Researchers at Jamf report that the macOS malware MacSync Stealer has adopted a new delivery method that no longer requires users to run commands in the Terminal. Originally a rebrand of the low-cost Mac.c infostealer, MacSync Stealer now uses a code-signed, notarized Swift app disguised as a legitimate installer. The dropper quietly fetches and executes malicious scripts, adding stealth, persistence, and Gatekeeper evasion. Jamf says the shift reflects a broader trend toward abusing trusted macOS app mechanisms.
Researchers warn a popular open-source server monitoring tool is being abused.
Researchers at Ontinue warn that Nezha, a legitimate open-source server monitoring tool, is being abused by attackers as a Remote Access Trojan. Because Nezha is widely trusted and rarely flagged by security tools, hackers can use it to gain persistent SYSTEM-level access across Windows, Linux, macOS, and even routers. Its normal-looking network traffic helps it blend in. Experts say the abuse reflects a growing trend of attackers weaponizing legitimate software, forcing defenders to focus on behavior and context rather than labels alone.
Cyber criminals are increasingly bypassing technical defenses by recruiting insiders.
Researchers at Check Point say cyber criminals are increasingly bypassing technical defenses by recruiting insiders to provide access to corporate networks, devices, and cloud environments. On darknet forums, employees are solicited, or sometimes volunteer, to sell credentials, disable security controls, or share sensitive data in exchange for cash, often paid in cryptocurrency. These insider actions create major blind spots for security teams and make attacks far harder to prevent.
Financial services, cryptocurrency platforms, banks, technology firms, telecoms, and logistics companies are frequent targets, with payouts ranging from a few thousand dollars to six figures for high-value access or datasets. Ransomware groups have also expanded recruitment through encrypted platforms, offering profit-sharing schemes. The trend highlights a growing insider threat that combines financial incentives with anonymity. Defending against it requires employee education, strict access controls, behavioral monitoring, and proactive surveillance of darknet activity, alongside traditional cybersecurity tools.
Scripted Sparrow sends millions of BEC emails each month.
Researchers at Fortra have identified a prolific business email compromise group dubbed Scripted Sparrow, which sends an estimated four to six million targeted emails each month. Active since mid-2024, the group poses as executive coaching firms and targets accounts payable teams with fake invoices and W-9 forms. Fortra says the loose collective operates across multiple continents, uses hundreds of domains and bank accounts, and relies on spoofed reply chains to boost credibility.
Federal prosecutors take down a global fake ID marketplace.
U.S. prosecutors have charged Zahid Hasan, a 29-year-old resident of Bangladesh, with running a global fake ID marketplace that fueled identity theft worldwide. According to the U.S. Department of Justice, Hasan sold digital templates for forged passports, driver’s licenses, and Social Security cards through multiple websites from 2021 to 2025. Investigators say the scheme generated more than $2.9 million from over 1,400 customers. The operation was dismantled by the Federal Bureau of Investigation with international partners, and Hasan now faces multiple federal fraud charges.
Monday business brief.
A wave of global cybersecurity funding and dealmaking highlights sustained investor interest across fraud prevention, AI security, identity, and infrastructure protection. New York-based Adaptive Security led the week with an $81 million Series B, bringing its total funding to $146.5 million since launching in early 2025. Other notable raises include Echo at $35 million, Kasada at $20 million, Resemble AI at $13 million, and Evertrust at €10 million. Early-stage funding went to startups including Dux, Verisoul, Cyphlens, Soverli, and Realm.Security.
Mergers were equally active, with acquisitions by Outpost24, Silent Push, MetaCompliance, Arteris, SPIE, and Cyderes, underscoring continued consolidation across the security market.
Atomic precision meets Colorado weather.
A power outage near Boulder, Colorado briefly put the USA’s National Institute of Standards and Technology in the awkward position of having very precise clocks and slightly unreliable electricity. According to NIST physicist Jeffrey Sherman, who is cheerfully “paid to watch the clocks all day,” the outage disrupted the atomic time scale that underpins NIST’s Network Time Protocol services, a quiet but critical backbone of the internet.
The problem was not just losing power. Backup generators kept systems running, meaning inaccurate time could still be broadcast. Sherman even considered disabling the generators, a sentence that probably does not appear often in federal incident reports. Severe storms prevented access to the site, adding weather to the list of adversaries of atomic precision.
The good news: the clock drift stayed within a few microseconds, an eternity for physicists but negligible for most internet users. Services were fully restored within a day, right on time, more or less.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.