The CyberWire Daily Podcast 1.28.26
Ep 2477 | 1.28.26

When the Director uses the wrong chat window.

Transcript

CISA’s interim director uploaded sensitive government material into the public version of ChatGPT. The cyberattack on Poland’s power grid compromised roughly 30 energy facilities. The EU and India sign a new partnership that includes expanded cyber cooperation. Meta rolls out enhanced WhatsApp security features. Researchers uncover a campaign targeting LLM service endpoints. Fortinet and OpenSSL patch multiple vulnerabilities. A high-severity WinRAR vulnerability continues to see widespread exploitation six months after it was patched. The SoundCloud data breach affected nearly 30 million users. Ben Yelin explains the California lawsuit accusing social media platforms of harming kids. A Spanish resort town gets hit with low-rent ransomware.  

Today is Wednesday January 28th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CISA’s interim director uploaded sensitive government material into the public version of ChatGPT. 

Politico reports the interim director of the Cybersecurity and Infrastructure Security Agency, Madhu Gottumukkala, triggered internal cybersecurity alarms after uploading sensitive government material into the public version of ChatGPT, according to multiple officials. CISA’s monitoring systems detected the activity in early August, prompting a Department of Homeland Security–level review to assess potential damage to government security. The outcome of that review has not been disclosed.

CISA said Gottumukkala had temporary authorization to use ChatGPT under DHS controls and that the use was limited and short-term, disputing parts of the reported timeline. However, unlike DHS-approved internal AI tools, the public ChatGPT platform shares uploaded data with OpenAI, raising concerns about exposure beyond federal networks.

The incident led to meetings with senior DHS, legal, and IT leadership and could carry administrative consequences under federal document-handling rules. The episode adds to broader scrutiny of Gottumukkala’s leadership, which has included prior internal disputes and security-related controversies.

The cyberattack on Poland’s power grid compromised roughly 30 energy facilities. 

A coordinated cyberattack on Poland’s power grid in late December compromised control and communications systems at roughly 30 energy facilities, according to a new report from cybersecurity firm Dragos. While Polish officials said the attack was stopped before causing outages, researchers found the attackers accessed operational technology systems and permanently disabled some equipment. The electricity transmission backbone remained unaffected, and power was not interrupted.

The attack targeted distributed energy resources, including combined heat and power plants and systems managing wind and solar dispatch. Loss of communications limited operators’ ability to remotely monitor and control equipment, though it remains unclear whether attackers issued operational commands or focused on disruption.

Dragos attributed the incident to the Russian-linked Sandworm group with moderate confidence, reinforcing concerns that distributed energy systems, often less protected than centralized infrastructure, are now a serious target for sophisticated cyber adversaries.

The EU and India sign a new partnership that includes expanded cyber cooperation. 

The European Union and India signed a new security and defence partnership that includes expanded cyber cooperation, pledging to deepen their existing Cyber Dialogue and increase exchanges on cybersecurity threats. Behind the public agreement, however, European cyber diplomats, including officials linked to the EU Agency for Cybersecurity, have privately raised concerns about India’s growing hackers-for-hire ecosystem. During closed-door discussions, Indian officials rejected those claims, denying such an ecosystem exists and arguing that, if it did, it would be a private-sector matter beyond government control.

Meta rolls out enhanced WhatsApp security features. 

Meta has begun rolling out “Strict Account Settings,” a new WhatsApp security feature aimed at journalists, public figures, and other high-risk users facing sophisticated threats like spyware. The opt-in setting applies the platform’s most restrictive privacy controls, including mandatory two-step verification, blocking unknown senders, silencing unknown callers, limiting profile visibility, and disabling features that could be exploited. WhatsApp says the feature is intended for a small subset of users and will roll out gradually, following past spyware campaigns that targeted WhatsApp users through zero-click exploits.

Researchers uncover a campaign targeting LLM service endpoints. 

Researchers at Pillar Security have uncovered an active cybercrime campaign targeting exposed or weakly protected large language model (LLM) service endpoints. Over 40 days, more than 35,000 attack sessions were observed, revealing an operation dubbed “Bizarre Bazaar,” one of the first documented cases of LLMjacking attributed to a specific threat actor. The attackers exploit misconfigured AI infrastructure to steal compute resources, resell API access, exfiltrate prompt data, and attempt lateral movement into internal systems.

The campaign targets self-hosted LLMs, exposed AI APIs, and publicly accessible Model Context Protocol servers, often within hours of appearing in internet scans. Pillar Security describes a coordinated supply chain involving scanning, validation, and resale of access through an online service. The activity remains ongoing.

Fortinet and OpenSSL patch multiple vulnerabilities. 

Fortinet has released emergency patches for a FortiCloud Single Sign-On authentication bypass that was actively exploited as a zero-day against FortiGate devices. The flaw, tracked as CVE-2026-24858 with a CVSS score of 9.4, allowed attackers with a FortiCloud account to access other customers’ registered devices when FortiCloud SSO was enabled. Exploitation was detected after attackers created administrator accounts and exfiltrated configuration files, even on fully patched systems. Fortinet blocked malicious accounts, briefly disabled FortiCloud SSO, and now requires patching to restore the feature. The US Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog. Separately, OpenSSL released updates fixing 12 vulnerabilities, including a high-severity remote code execution risk.

A high-severity WinRAR vulnerability continues to see widespread exploitation six months after it was patched. 

Google’s Threat Intelligence Group warned that a high-severity WinRAR path-traversal vulnerability, CVE-2025-8088, continues to see widespread exploitation six months after it was patched. The flaw was exploited in the wild before RARLAB released a fix in late July and has since attracted a growing mix of attackers. Google attributes activity to at least three financially motivated groups, four Russian state-sponsored actors, and one China-based attacker. Nation-state groups have used the bug for espionage, including campaigns against Ukrainian military and government targets, while cybercriminals have deployed malware such as remote access trojans and infostealers across multiple regions. All attackers use a shared technique involving malicious RAR archives that silently drop payloads without user interaction, making detection difficult. Google urged organizations to update WinRAR and hunt for indicators of compromise.
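The WinRAR story above turns on a path-traversal flaw: an archive entry whose name escapes the extraction directory. The following is an added example, not WinRAR's, RARLAB's or Google's code, and it makes no claim about the exact trigger of CVE-2025-8088. It shows the generic defender-side check an extraction tool or a triage script can apply to archive entry names before writing anything to disk: normalize separators, reject absolute paths and drive letters, and collapse `..` components to see whether the name still climbs out of the destination. The entry names are constructed samples.

```python
"""Archive entry path-traversal check (added example; not WinRAR's code).

Works on entry names only, so it applies to any archive format whose
listing you can read (RAR, ZIP, TAR) without needing a format library.
"""
import posixpath
import re

# Windows drive prefix such as "C:" at the start of an entry name.
DRIVE_RE = re.compile(r"^[A-Za-z]:")


def is_unsafe_entry(name: str) -> bool:
    """Return True if extracting `name` under a destination directory
    could write outside that directory."""
    # Archive tools disagree on separators; treat both kinds as '/'.
    normalized = name.replace("\\", "/")
    # Absolute paths and drive-letter paths ignore the destination entirely.
    if normalized.startswith("/") or DRIVE_RE.match(normalized):
        return True
    # Collapse '.' and '..' components. If anything remains that starts
    # with '..', the name climbs above the extraction root.
    collapsed = posixpath.normpath(normalized)
    return collapsed == ".." or collapsed.startswith("../")


def unsafe_entries(names):
    """Filter a listing down to the entries that would escape the destination."""
    return [n for n in names if is_unsafe_entry(n)]


def safe_target(dest_dir: str, name: str) -> str:
    """Return the path an entry may be written to, or raise if it escapes."""
    if is_unsafe_entry(name):
        raise ValueError(f"refusing to extract {name!r}: escapes {dest_dir}")
    return posixpath.join(dest_dir, posixpath.normpath(name.replace("\\", "/")))


# Constructed sample listing: a mix of benign names and traversal attempts.
SAMPLE_ENTRIES = [
    "report.pdf",
    "images/logo.png",
    "docs/../notes.txt",            # '..' that stays inside the root: benign
    "docs/../../evil.exe",          # climbs one level above the root
    "..\\..\\evil.dll",             # backslash separators, same trick
    "C:/Windows/Temp/payload.exe",  # drive-letter absolute path
    "/etc/cron.d/job",              # POSIX absolute path
]

if __name__ == "__main__":
    for entry in unsafe_entries(SAMPLE_ENTRIES):
        print("UNSAFE:", entry)
    print("ok:", safe_target("/tmp/extract", "images/logo.png"))
```

Note that `docs/../notes.txt` is deliberately accepted: a `..` that never leaves the extraction root is harmless, and flagging every `..` would make the check noisy on legitimate archives. The decisive test is whether the collapsed path still begins with `..`, or is absolute.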

The SoundCloud data breach affected nearly 30 million users. 

The SoundCloud data breach disclosed in December 2025 has now been added to Have I Been Pwned, confirming that nearly 30 million user accounts were affected. Attackers exploited unauthorized access to an internal service dashboard, allowing them to link users’ email addresses, normally private, to public profile information. Exposed data included usernames, display names, avatars, follower counts, and sometimes country information, but not passwords, financial data, or private content.

SoundCloud detected the activity through internal monitoring, isolated the affected systems, and brought in external security experts, stating the breach was contained. Afterward, the company faced denial-of-service attacks and temporary access issues caused by misconfigured security controls. The attackers allegedly attempted extortion before leaking the data online in January 2026, after which it was widely redistributed.


Today, I am joined by my Caveat co-host Ben Yelin who is the Program Director for Public Policy & External Affairs at the University of Maryland Center for Cyber Health and Hazard Strategies. We discuss the upcoming trial where Meta and YouTube will make their case against accusations of social media being harmful to children. We’ll be right back.

Welcome back.

A Spanish resort town gets hit with low-rent ransomware. 

In the beautiful coastal town of Sanxenxo [san-SHEN-sho] in northwestern Spain, the City Council has learned that ransomware does not respect coastal charm. Hackers broke into the town hall’s systems on January 26, encrypting thousands of administrative documents and knocking internal operations offline. The attackers then made their pitch: $5,000 in Bitcoin, a ransom so small it raised questions about whether this was cybercrime or a clearance sale.

City officials were unimpressed. They refused to pay, notified Spain’s Civil Guard, and began restoring systems from daily backups. Some services never went down at all, including the online citizen portal and two municipal companies operating on separate networks. Recovery is ongoing, though slower than initially hoped.

The attack is part of a wider surge in ransomware hitting Spanish municipalities, but Sanxenxo’s case stands out for its unusually low ransom demand. More of a nuisance than anything. Too small to negotiate, too annoying to ignore. 


For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

A tip of the hat to our T-Minus space daily team who are on-site in Florida covering Space Week. I had the pleasure of filling in for Maria Varmazis yesterday on T-Minus, so if you’d like to check that out we’ve got a link in the show notes. 

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.