
America goes solo on cyber.
The US withdraws from global cybersecurity institutions. A maximum-severity vulnerability called Ni8mare allows full compromise of a workflow automation platform. Cisco patches ISE. Researchers uncover a sophisticated multi-stage malware campaign targeting manufacturing and government organizations in Italy, Finland, and Saudi Arabia. The growing rift of defining AI risk. Microsoft gives 365 admins a one-month deadline to enable MFA. The Illinois Department of Human Services inadvertently exposed personal and protected health information of more than 700,000 residents. An Illinois man is charged with hacking Snapchat accounts to steal nudes. Our guest is Caitlin Clarke, Senior Director for Cybersecurity Services at Venable, with insights on CISA 2015. Facial recognition that’s bear-ly controversial.
Today is Thursday, January 8th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The US withdraws from global cybersecurity institutions.
The Trump administration is suspending U.S. support for several international organizations, including two focused on cybersecurity, as part of a broader withdrawal from multilateral institutions. An executive order signed January 7 by Donald Trump directs the United States to exit 66 international bodies, including 31 affiliated with the United Nations, on the grounds that continued participation is contrary to U.S. interests.
Among the affected organizations are the Global Forum on Cyber Expertise, which supports global cybersecurity capacity building, and the European Centre of Excellence for Countering Hybrid Threats, which focuses on countering blended cyber, information, and political threats. Federal agencies have been instructed to end participation and funding where legally permitted.
Secretary of State Marco Rubio said many of the targeted bodies are redundant, mismanaged, or driven by ideological agendas that conflict with U.S. priorities. The withdrawals also include organizations focused on climate, human rights, and international law, marking one of the most extensive pullbacks from multilateral engagement in years.
A maximum-severity vulnerability called Ni8mare allows full compromise of a workflow automation platform.
A maximum-severity vulnerability called Ni8mare allows remote, unauthenticated attackers to fully compromise locally deployed instances of the n8n workflow automation platform. Tracked as CVE-2026-21858, the flaw carries a 10.0 severity score and affects more than 100,000 exposed servers, according to researchers at Cyera. The issue stems from content-type confusion in how n8n parses webhook data, allowing attackers to bypass file upload protections and read arbitrary files from the underlying system. This can expose secrets such as API keys, credentials, and session data, and may enable further compromise. n8n developers warn there is no official workaround beyond restricting public webhooks and urge users to upgrade to version 1.121.0 or later to fully remediate the risk.
Cisco patches ISE.
Cisco has released patches for a vulnerability in its Identity Services Engine, or ISE, network access control platform, after public proof-of-concept exploit code appeared online. The flaw, tracked as CVE-2026-20029, affects Cisco ISE and ISE Passive Identity Connector regardless of configuration. According to Cisco, attackers with valid administrative credentials could exploit improper XML parsing in the web interface to read arbitrary files, including sensitive data. Cisco reports no active exploitation but urges customers to upgrade promptly.
Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency has flagged a critical HPE OneView vulnerability as actively exploited in the wild. The flaw, CVE-2025-37164, allows unauthenticated attackers to achieve remote code execution on unpatched systems. According to CISA and Hewlett Packard Enterprise, the issue affects all OneView versions before 11.00 and has no mitigations. Federal agencies must patch by January 28, and others are urged to update immediately.
Researchers uncover a sophisticated multi-stage malware campaign targeting manufacturing and government organizations in Italy, Finland, and Saudi Arabia.
Researchers at Cyble Research and Intelligence Labs have uncovered a sophisticated, multi-stage malware campaign that uses a shared commodity loader across multiple threat actor groups. The operation targets manufacturing and government organizations, with confirmed activity in Italy, Finland, and Saudi Arabia. Phishing emails posing as purchase orders deliver weaponized Office files, SVGs, or ZIP archives containing LNK shortcuts, all funneling victims into the same evasive loader. The campaign deploys Remote Access Trojans and information stealers, including PureLog, AsyncRAT, and Remcos. Attackers use layered obfuscation, steganography hosted on legitimate platforms, trojanized open-source code, and process hollowing to evade detection. Analysts assess the shared infrastructure and evolving techniques as evidence of coordinated, high-maturity threat activity.
The growing rift of defining AI risk.
Microsoft is pushing back on claims that several issues reported in its Copilot AI assistant qualify as security vulnerabilities, underscoring a growing rift between vendors and researchers over how AI risk is defined. Security engineer John Russell said Microsoft dismissed four reported flaws, including prompt injection, system prompt leakage, sandbox command execution, and a file upload restriction bypass using base64 encoding. Microsoft argues these behaviors do not cross a security boundary and therefore fall outside its vulnerability criteria.
Some researchers agree the issues reflect known limitations of large language models, rather than exploitable flaws. Others counter that competing tools, such as Claude from Anthropic, appear more resistant, suggesting gaps in input validation. The OWASP GenAI Project takes a middle ground, warning that prompt disclosure matters only when it enables real-world impact. The debate highlights unresolved questions about what “secure” means for generative AI systems.
Microsoft gives 365 admins a one-month deadline to enable MFA.
Microsoft will begin fully enforcing multi-factor authentication for all users accessing the Microsoft 365 admin center starting February 9, 2026. After that date, administrators without MFA enabled will be blocked from signing in to key admin portals. According to Microsoft, the move builds on a rollout that began in early 2025 and is intended to reduce the risk of account compromise from phishing and credential abuse. Microsoft is urging organizations to enable MFA now to avoid administrative access disruptions.
The Illinois Department of Human Services inadvertently exposed personal and protected health information of more than 700,000 residents.
The Illinois Department of Human Services disclosed that it inadvertently exposed personal and protected health information of more than 700,000 residents by posting data to public online mapping platforms. The information, including names, addresses, and benefits status, remained accessible for up to four years before removal in September. Affected individuals include disabled clients and Medicaid and Medicare Savings Program recipients. While no misuse is known, the data falls under HIPAA protections, prompting policy changes to prevent similar disclosures.
An Illinois man is charged with hacking Snapchat accounts to steal nudes.
An Oswego, Illinois man has been charged in a federal case involving the hacking of Snapchat accounts. Prosecutors say 26-year-old Kyle Svara obtained Snapchat access codes for nearly 600 women and unlawfully accessed more than 50 accounts to steal nude images. He faces charges including aggravated identity theft, wire fraud, and computer fraud. Authorities allege he was hired by former Northeastern University coach Steve Waithe, who is already imprisoned. Svara is scheduled to appear in federal court in Boston on February 4.
Facial recognition that’s bear-ly controversial.
When a grizzly injured a group of schoolchildren near Bella Coola in late 2025, officials launched a determined hunt for the responsible bear. Helicopters flew, traps snapped shut, DNA was tested, and four very innocent bears were briefly inconvenienced before being released. After three weeks, the case went cold. The suspect, a mother grizzly with cubs, remained anonymous. Bears, it turns out, all look suspiciously like bears.
That frustration helps explain growing interest in facial recognition for wildlife. Tools like BearID use artificial intelligence to identify individual bears by facial geometry, even as their bodies swing seasonally from “lean” to “Fat Bear Week finalist.” For ecologists, this promises better population counts and behavior tracking.
For humans, facial recognition remains controversial, often described as dangerous, invasive, and error-prone. For bears, the ethical stakes are lower. No surveillance capitalism. No constitutional rights. Just fewer mistaken identities, and possibly fewer wrong bears getting hauled off for questioning. The bears have yet to lawyer up.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
