Root access to the great firewall. [Research Saturday]

Daniel Schwalbe, DomainTools Head of Investigations and CISO, is sharing their work on "Inside the Great Firewall." This two-part research project analyzes an extraordinary 500–600GB leak that exposes the internal architecture, tooling, and human ecosystem behind China’s Great Firewall. Across both parts, you break down thousands of leaked documents, source code repositories, diagrams, packet captures, and telemetry that reveal how systems like the Traffic Secure Gateway, MAAT, Redis-based analytics, and modular DPI engines work together to censor, surveil, and fingerprint users at scale. Taken together, the research shows how the Great Firewall functions not just as a technical system, but as a living censorship-industrial complex that adapts, learns, and coordinates across government, telecoms, and security vendors. The research can be found here: Inside the Great Firewall Part 1: The Dump Inside the Great Firewall Part 2: Technical Infrastructure Learn more about your ad choices. Visit megaphone.fm/adchoices

A new executive order targets states’ AI regulations, while the White House shifts course on an NSA deputy director pick. The UK fines LastPass over inadequate security measures. Researchers warn of active attacks against Gladinet CentreStack instances. OpenAI outlines future cybersecurity plans. MITRE ranks the top 25 vulnerabilities of 2025. CISA orders U.S. federal agencies to urgently patch a critical GeoServer vulnerability. An anti-piracy coalition shuts down one of India’s most popular illegal streaming services. Our guest Mark Lance, Vice President, DFIR & Threat Intelligence, GuidePoint Security, unpacks purple team table top exercises to prepare for AI-generated attacks. Hackers set their sights on DNA. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Mark Lance, Vice President, DFIR & Threat Intelligence, GuidePoint Security, is discussing purple team table top exercises to prepare for AI-generated attacks. Selected Reading Trump Signs Executive Order to Block State AI Regulations (SecurityWeek) Announced pick for No. 2 at NSA won’t get the job as another candidate surfaces (The Record) LastPass Data Breach — Insufficient Security Exposed 1.6 Million Users (Forbes) Gladinet CentreStack Flaw Exploited to Hack Organizations (SecurityWeek) OpenAI lays out its plan for major advances in AI cybersecurity features (SC Media) MITRE Releases 2025 List of Top 25 Most Dangerous Software Vulnerabilities (SecurityWeek) CISA orders feds to patch actively exploited Geoserver flaw (Bleeping Computer) MKVCinemas streaming piracy service with 142M visits shuts down (Bleeping Computer) The Unseen Threat: DNA as Malware (BankInfoSecurity) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

CISA warns that pro-Russia hacktivist groups are targeting US critical infrastructure. Google patches three new Chrome zero-day vulnerabilities. North Korean actors exploit React2Shell to deploy a new backdoor.  Researchers claim Docker Hub secret leakage is now a systemic problem. Attackers exploit an unpatched zero-day in Gogs, the self-hosted Git service. IBM patches more than 100 vulnerabilities across its product line. Storm-0249 abuses endpoint detection and response tools. The DOJ indicts a former Accenture employee for allegedly misleading federal customers about cloud security. Our guest is Kavitha Mariappan, Chief Transformation Officer at Rubrik, talking about understanding & building resilience against identity-driven threats. A malware tutor gets schooled by the law. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On today’s Industry Voices segment, we are joined by Kavitha Mariappan, Chief Transformation Officer at Knowledge Partner Rubrik, talking about understanding and building resilience against identity-driven threats. Tune into Kavitha’s full conversation here.  New Rubrik Research Finds Identity Resilience is Imperative as AI Wave Floods the Workplace with AI Agents (Press release) The Identity Crisis: Understanding and Building Resilience Against Identity-Driven Threats (Report)  Agentic AI and Identity Sprawl (Data Security Decoded podcast episode) Host Caleb Tolin and guest ⁠Joe Hladik⁠, Head of Rubrik Zero Labs, to unpack the findings from their the report Kavitha addresses.  Resources: Rubrik’s Data Security Decoded podcast airs semi-monthly on the N2K CyberWire network with host Caleb Tolin. You can catch new episodes twice a month on Tuesdays on your favorite podcast app. Selected Reading CISA: Pro-Russia Hacktivists Target US Critical Infrastructure New cybersecurity guidance paves the way for AI in critical infrastructure | CyberScoop Google Releases Critical Chrome Security Update to Address Zero-Days - Infosecurity Magazine North Korea-linked ‘EtherRAT’ backdoor used in React2Shell attacks | SC Media Thousands of Exposed Secrets Found on Docker Hub - Flare Hackers exploit unpatched Gogs zero-day to breach 700 servers IBM Patches Over 100 Vulnerabilities - SecurityWeek Ransomware IAB abuses EDR for stealthy malware execution US charges former Accenture employee with misleading feds on cloud platform’s security - Nextgov/FCW Man gets jail for filming malware tutorials for syndicate; 129 Singapore victims lost S$3.2m - CNA Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Patch Tuesday. Federal prosecutors charge a Houston man with smuggling Nvidia chips to China, a Ukrainian woman for targeting critical infrastructure, and an Atlanta activist for wiping his phone. The power sector sees cyber threats doubling. The new Spiderman phishing kit slings its way across the dark web. Our guest is Dick O'Brien, Principal Intelligence Analyst from Symantec and Carbon Black Threat Hunter Team, discussing “Unwanted Gifts: Major Campaign Lures Targets with Fake Party Invites.” The Pentagon unveils a killer chatbot.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Dick O'Brien, Principal Intelligence Analyst from Symantec and Carbon Black Threat Hunter Team, is discussing “Unwanted Gifts: Major Campaign Lures Targets with Fake Party Invites." Selected Reading Microsoft Patches 57 Vulnerabilities, Three Zero-Days (SecurityWeek) Google Patches Gemini Enterprise Vulnerability Exposing Corporate Data (SecurityWeek) Adobe Patches Nearly 140 Vulnerabilities (SecurityWeek) ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Rockwell, Schneider (SecurityWeek) Fortinet Patches Critical Authentication Bypass Vulnerabilities (SecurityWeek) Smuggling Ring Charged as Trump Okays Nvidia Sales to China (Gov Infosecurity) Cybersecurity in power: supply chain most vulnerable, varying confidence in resilience (Power Technology) Spiderman Phishing Kit Targets European Banks with Real-Time Credential Theft (Hackread) Hospice Firm, Eye Care Practice Notifying 520,000 of Hacks (Bank Infosecurity) Ukrainian hacker charged with helping Russian hacktivist groups (Bleeping Computer) Man Charged for Wiping Phone Before CBP Could Search It (404 Media) Pete Hegseth Says the Pentagon's New Chatbot Will Make America 'More Lethal' (404 Media) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Organizations worldwide scramble to address the critical React2Shell vulnerability.  Major insurers look to exclude artificial intelligence risks from corporate policies. Three Chinese hacking groups converge on the same Sharepoint flaws. Ransomware crews target hypervisors. A UK hospital asks the High Court to block publication of data stolen by the Clop gang. The White House approves additional Nvidia AI chip exports to China. The ICEBlock app creator sues the feds over app store removal. The FBI warns of virtual kidnapping scams. The FTC upholds a ban on a stalkerware maker. Dave Lindner, CISO of Contrast Security, discusses nation-state adversaries targeting source code to infiltrate the government and private sector. Craigslist’s founder pledges support for cybersecurity, veterans and pigeons. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest ⁠Dave Lindner⁠, CISO of ⁠Contrast Security⁠, discusses nation-state adversaries targeting source code to infiltrate the government and private sector. Selected Reading Researchers track dozens of organizations affected by React2Shell compromises tied to China’s MSS (The Record) Insurers retreat from AI cover as risk of multibillion-dollar claims mounts (Financial Times) Three hacking groups, two vulnerabilities and all eyes on China (The Record) Researchers spot 700 percent increase in hypervisor ransomware attacks (The Register) UK Hospital Asks Court to Stymie Ransomware Data Leak (Bank Infosecurity) Trump says Nvidia can sell more powerful AI chips to China (The Verge) ICEBlock developer sues Trump administration over App Store removal (The Verge) New FBI alert urges vigilance on virtual kidnapping schemes (SC Media) FTC upholds ban on stalkerware founder Scott Zuckerman (TechCrunch) Craigslist founder signs the Giving Pledge, and his fortune will go to military families, fighting cyberattacks—and a pigeon rescue (Fortune) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode, host Kim Jones examines the rapid rise of enterprise AI and the tension between innovation and protection, sharing an RSA anecdote that highlights both excitement and concern. He outlines the benefits organizations hope to gain from AI while calling out often-overlooked risks like data quality, governance, and accountability. Kim is joined by technologist Tony Gauda to discuss why AI represents a fundamental shift in how systems and decisions are designed. Together, they explore AI-driven operations, cultural barriers to experimentation, and how CISOs can adopt AI responsibly without compromising security. Want more CISO Perspectives? Check out a companion ⁠⁠blog post⁠⁠ by our very own Ethan Cook, where he breaks down key insights, shares behind-the-scenes context, and highlights research that complements this episode. Learn more about your ad choices. Visit megaphone.fm/adchoices

How might Trump’s new National Security Strategy impact cyber? The UK’s NCSC warns LLMs may never get over prompt injection. At least 18 U.S. universities were hit by a months-long phishing campaign. Russia blocks FaceTime. A bipartisan group of senators reviving efforts to strengthen protections across the health sector. Portugal provides legal safe harbor for good-faith security research. A large-scale campaign targets Palo Alto GlobalProtect portals. A Maryland man gets 15 months in prison for his part in a North Korean IT worker scam. Business Brief. Tim Starks from CyberScoop unpacks the President's pending cybersecurity strategy release. An AI image sends UK train schedules off the rails.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Tim Starks, senior reporter  from CyberScoop, discussing President Trump's pending cybersecurity strategy release and the end of Sean Plankey’s nomination process. Selected Reading National Security Strategy (The White House) The National Security Strategy: The Good, the Not So Great, and the Alarm Bells (CSIS) UK intelligence warns AI 'prompt injection' attacks might never go away (The Record) Over 70 Domains Used in Months-Long Phishing Spree Against US Universities (Hackread) Russia restricts FaceTime, its latest step in controlling online communications (AP News) Bipartisan health care cybersecurity legislation returns to address a cornucopia of issues (CyberScoop) Portugal updates cybercrime law to exempt security researchers (Bleeping Computer) New wave of VPN login attempts targets Palo Alto GlobalProtect portals (Bleeping Computer) Maryland man sentenced for N. Korea IT worker scheme involving US government contracts (The Record) ServiceNow reportedly intends to acquire Veza for more than $1 billion (N2K Pro Business Briefing) Trains cancelled over fake bridge collapse image (BBC News) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Please enjoy this encore of Career Notes. Chief security strategist from Analyst1, Jon DiMaggio shares his story on how he grew to become a part of the cybersecurity world. He describes different jobs that paved the way to the knowledge he has in the industry right now, and he even shares about an experience that led him to a path that split and which decision he would make, would be crucial in his career. He explains which way he ended up going and how a critical part of his career helped to determine that path. He says "there's two paths when you have that happen, you can either let it defeat you, or you know, you come back swinging." We thank Jon for sharing his story. Learn more about your ad choices. Visit megaphone.fm/adchoices

Jaron Bradley, Director of Jamf Threat Labs, is sharing their work on "ChillyHell: A Deep Dive into a Modular macOS Backdoor." Jamf Threat Labs uncovers a newly notarized macOS backdoor called ChillyHell, tied to past UNC4487 activity and disguised as a legitimate applet. The malware showcases robust host profiling, multiple persistence mechanisms, timestomping, and flexible C2 communications over both DNS and HTTP. Its modular design includes reverse shells, payload delivery, self-updates, and a brute-force component targeting user credentials. The research can be found here: ⁠ChillyHell: A Deep Dive into a Modular macOS Backdoor Learn more about your ad choices. Visit megaphone.fm/adchoices

Chinese threat actors deploy Brickstorm malware. The critical React2Shell vulnerability is under active exploitation. Cloudflare’s emergency patch triggered a brief global outage. Phishing kits pivot to fake e-commerce sites. The European Commission fines X(Twitter) €120 million for violating the Digital Services Act. Predator spyware has a new bag of tricks. A Russian physicist gets 21 years in prison for cybercrimes. Twin brothers are arrested for allegedly stealing and destroying government data. Our guest is Blair Canavan, Director of Alliances - PKI & PQC Portfolio from Thales, discussing post quantum cryptography. Smart toilet encryption claims don’t hold water.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today on our Industry Voices segment, we are joined by Blair Canavan, Director of Alliances - PKI & PQC Portfolio from Thales, discussing post quantum cryptography (PQC). Listen to Blair’s full conversation here. Selected Reading Chinese hackers used Brickworm malware to breach critical US infrastructure (TechRadar) React2Shell critical flaw actively exploited in China-linked attacks (BleepingComputer) Cloudflare blames today's outage on emergency React2Shell patch (Bleeping Computer) SMS Phishers Pivot to Points, Taxes, Fake Retailers (Krebs on Security) Threat Spotlight: Introducing GhostFrame, a new super stealthy phishing kit (Barracuda) EU issues €120 million fine to Elon Musk's X under rules to tackle disinformation  (The Record) Predator spyware uses new infection vector for zero-click attacks (Bleeping Computer) Russian scientist sentenced to 21 years on treason, cyber sabotage charges (The Record) Twins with hacking history charged in insider data breach affecting multiple federal agencies (Cyberscoop) ‘End-to-end encrypted’ smart toilet camera is not actually end-to-end encrypted (TechCrunch)- kicker Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices