CyberWire Daily - A digital battlefield in practice.

Episode Date: April 24, 2026

Locked Shields wraps another year. Open models challenge Mythos. CISA tracks FIRESTARTER inside a federal agency. The White House targets foreign AI model extraction. Microsoft lets admins remove Copilot. Treasury sanctions a Cambodian scam-compound senator. Breeze Cache rushes a patch. Researchers downplay OT malware hype, while NIST pushes for better OT visibility. Our guest is Eric Russo, Director, SOC Defensive Security at Barracuda, discussing the risks posed by employees downloading pirated software. Con artists charge crypto for counterfeit clearance.

CyberWire Guest
Our guest is Eric Russo, Director, SOC Defensive Security at Barracuda, discussing the risks posed by employees downloading pirated or cracked software onto corporate devices.

Selected Reading
Locked Shields 2026: 41 Nations Strengthen Cyber Resilience in World's Biggest Exercise (SecurityWeek)
Open source models can find bugs as well as Mythos (The Register)
CISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March (The Record)
Trump Administration Vows Crackdown on Chinese Companies 'Exploiting' AI Models Made in US (SecurityWeek)
Microsoft now lets admins uninstall Copilot on enterprise devices (Bleeping Computer)
US sanctions Cambodian senator for millions earned through scam compounds (The Record)
Cloudways Patches Actively Exploited File Upload Flaw in Breeze Cache Plugin (Beyond Machines)
Dragos: Despite AI use, new malware targeting water plants is ‘hype’ (CyberScoop)
NIST cyber center to launch OT ‘visibility’ project (Federal News Network)
Crypto scam lures ships into Strait of Hormuz, falsely promising safe passage (Ars Technica)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. No, it's not your imagination. Risk and regulation really are ramping up, and these days customers expect proof of security before they'll even do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're getting ready for a SOC 2 or managing an end-toe, enterprise governance risk and compliance program, Vanta helps keep you secure and keeps your deals
Starting point is 00:00:44 moving. Companies like Ramp and Writers spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me, it comes down to this. Over 10,000 companies from startups to large enterprises trust Vanta to help prove their security. Get started at vanta.com slash cyber. Locked Shields wraps another year. Open models challenge Mythos. CISA tracks FIRESTARTER inside a federal agency. The White House targets foreign AI model extraction.
Starting point is 00:01:34 Microsoft lets admins remove Copilot. Treasury sanctions a Cambodian scam-compound senator. Breeze Cache rushes a patch. Researchers downplay OT malware hype, while NIST pushes for better OT visibility. Our guest is Eric Russo, Director of SOC Defensive Security at Barracuda, discussing the risks posed by employees downloading pirated software. And con artists charge crypto for counterfeit clearance. It's Friday, April 24, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Starting point is 00:02:40 Thanks for joining us here today. Happy Friday. It is great as always to have you with us. Locked Shields 2026, the world's largest live-fire cyber defense exercise, concluded Friday in Tallinn, Estonia, after convening more than 4,000 participants from 41 nations. Organized by NATO's Cooperative Cyber Defense Center of Excellence, the exercise simulated sustained cyber attacks against critical infrastructure and military systems,
Starting point is 00:03:10 including air defense networks and e-voting platforms, while also testing responses to disinformation and political pressure. Officials said participants demonstrated strong detection and response capabilities, but emphasized the importance of turning lessons learned into real-world readiness as artificial intelligence reshapes cyber operations. Sixteen multinational teams competed with top performers, including France and Sweden, Latvia, and Singapore, and Germany, Austria, Luxembourg, and Switzerland.
Starting point is 00:03:46 The exercise has grown significantly since its 2010 debut, which involved only four nations and 60 participants. At Black Hat Asia in Singapore, RunSybil CEO Ari Herbert-Voss said open source AI models can identify software vulnerabilities as effectively as Anthropic's restricted Mythos system when used together in coordinated workflows. He attributed Mythos' strength to superlinear scaling, where doubling training resources can produce disproportionately greater capability. However, he argued organizations can approximate similar performance by combining multiple open source models, which also improves coverage because different systems detect different flaws. Cost and limited access further strengthen the case for open alternatives. Herbert-Voss emphasized that human expertise remains essential to coordinate models and evaluate findings,
Starting point is 00:04:50 noting AI bug hunting tools generate large volumes of alerts similar to traditional fuzzing. He expects economic pressure to adopt AI-driven security tools will continue to push organizations toward broader use of automated vulnerability discovery. The Cybersecurity and Infrastructure Security Agency said a U.S. federal civilian executive branch agency was breached in September of last year through vulnerabilities in Cisco Adaptive Security Appliance software, with attackers deploying FIRESTARTER malware to maintain long-term access. The backdoor allowed threat actors to regain entry in March of this year without re-exploiting the original flaws. Investigators also
Starting point is 00:05:37 identified Line Viper malware, which enabled unauthorized virtual private network sessions that bypassed authentication and exposed credentials and keys. CISA warned that patching alone does not remove the threat if persistence is already established. The agency issued updated directives requiring federal agencies to check for compromise and inventory affected devices. Officials have not attributed the campaign, though earlier reporting linked activity to actors aligned with China's state interests. The Trump administration is moving to counter what it describes as foreign extraction of U.S. artificial intelligence capabilities, focusing primarily on China.
Starting point is 00:06:24 In a memo, White House science advisor Michael Kratsios accused China-based entities of conducting large-scale distillation efforts to replicate features of leading American AI systems. The administration said it will work with U.S. companies to detect some of the government activity, strengthen defenses, and pursue penalties. The move comes as analysts report the performance gap between U.S. and Chinese AI models has narrowed significantly. Lawmakers are advancing bipartisan legislation to identify and sanction actors involved in model extraction. U.S. firms, including OpenAI and Anthropic, have also raised concerns about Chinese labs using distillation techniques, though experts note distinguishing unauthorized activity from legitimate use remains
Starting point is 00:07:16 technically difficult. Microsoft has introduced a new policy setting that allows enterprise IT administrators to uninstall the Copilot AI assistant from managed Windows devices following the April 2026 Patch Tuesday updates. The Remove Microsoft Copilot App policy applies to Windows 11 systems under specific conditions and is available through Microsoft Intune and System Center Configuration Manager. The change affects Enterprise, Professional, and Education editions, and users can reinstall Copilot if desired. Microsoft also recently paused automatic Copilot deployments and previously
Starting point is 00:08:01 addressed a bug that exposed confidential email summaries despite data loss prevention controls. The U.S. Treasury Department sanctioned Cambodian Senator Kok An and 28 associates for operating scam compounds linked to millions of dollars in losses to American victims. Officials said the network used casinos and office complexes to conduct cryptocurrency investment fraud, launder proceeds, and support human trafficking operations in which victims were forced to run scams under threat of abuse. Investigators tied at least $73.6 million in victim funds to accounts controlled by laundering networks connected to the operation. The sanctions align with broader U.S. enforcement efforts targeting Southeast Asia's scam center economy, which authorities estimate has generated tens of billions of dollars. Additional actions include domain seizures, arrests tied to Myanmar-based scam compounds, and expanded federal coordination through the Justice Department's Scam Center Strike Force.
Starting point is 00:09:12 Cloudways has released an emergency update for the Breeze Cache WordPress plugin to fix a critical vulnerability under active exploitation that allows unauthenticated attackers to upload malicious files to servers. The flaw affects multiple versions and can lead to full website compromise through persistent web shell access. Exploitation requires the "host files locally" Gravatars setting to be enabled, which is not the default.
Starting point is 00:09:43 Administrators are urged to update to the latest version immediately or disable the affected setting as a temporary mitigation. Researchers initially flagged a malware sample called ZionSiphon as a potential threat to Israeli water infrastructure, but analysts at Dragos say
Starting point is 00:10:03 the tool is largely non-functional and poses no real risk to operational technology environments. First identified by Darktrace, the malware appeared designed to manipulate chlorine levels at water facilities. However, investigators found the code riddled with logic errors, fictional system references, and likely AI-generated content that demonstrated little understanding of industrial control systems. Dragos warned that overstating such immature threats can distract defenders from more credible risks, including activity by groups like Volt Typhoon. The episode highlights ongoing debate over how seriously security teams should treat early-stage AI-assisted malware targeting critical infrastructure. NIST is launching a new project through its National Cybersecurity
Starting point is 00:10:56 Center of Excellence to help critical infrastructure organizations improve visibility into operational technology assets. Officials said asset management and inventory remain the most common challenge across sectors, especially in legacy industrial control environments. The initiative will demonstrate practical approaches for improving OT visibility using existing standards, frameworks, and commercially available tools with possible support from AI, depending on stakeholder interest. The effort follows warnings from U.S. and international agencies urging infrastructure operators to inventory OT systems amid growing nation-state threats. In parallel, NIST is advancing AI security work, including guidance for securing AI systems, managing AI-enabled
Starting point is 00:11:48 risks, and developing identity and authorization standards for emerging enterprise AI agents. Coming up after the break, my conversation with Eric Russo, Director of SOC defensive security at Barracuda. We're discussing the risks posed by employees downloading pirated software. And con artists charge crypto for counterfeit clearance. Stay with us. Quick question. Have you watched Project Hail Mary yet?
Starting point is 00:12:38 Humanity is facing an existential threat and racing to solve it with the clock ticking. For security teams, that probably hits close to home with AI use rapidly spreading. Everyone's using AI: marketing, sales, engineering, Chris the intern, without security even knowing about it. That's where Nudge Security comes in. Nudge finds Shadow AI apps, integrations, and agents on day one and helps you enforce policy without blocking productivity.
Starting point is 00:13:08 Try it free at Nudgesecurity.com slash cyberwire. Maybe that's an urgent message from your sales. CEO, or maybe it's a deep fake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel, outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L.com. Eric Russo is director of SOC defensive security at Barracuda.
Starting point is 00:14:11 I recently caught up with him to discuss the risks posed by employees downloading pirated software. I must admit, Eric, when I was a young lad back in the 80s in the days of TRS-80s and Apple IIs, there was a lot of horse trading that went on with software. We were teenagers. We had no money, and so we would trade things that perhaps we should not have. But that was a long time ago. I have to say it's a little surprising for me to hear how prevalent pirated software still is today. Yeah.
Starting point is 00:14:47 So we've actually come across a handful of cases recently of this exact issue of cracked software. And the reason that I believe is behind that is you have users in a lot of very distributed workforces who are trying to do their jobs as quickly and efficiently as possible. And oftentimes, they'll run into a task that requires some sort of application, and maybe they're not aware or their organization doesn't have that sort of application available for them to use.
Starting point is 00:15:17 So what's the first thing that they do? They head over to Google and they do a search for PDF editor, let's say, for example, and they'll find free PDF editor, and they'll go ahead and without thinking, download it. And unfortunately, in certain cases, things like PDF editors and other office applications and creative and design tools are cracked versions that present some security risks with the installer that's being downloaded. And what are the specific risks here? Yeah, I think a couple of concepts. One is the idea of shadow IT.
Starting point is 00:15:54 So say, for instance, a user goes ahead and they do install an application that actually is legitimate. Let's say their organization uses Firefox for the browser for all their employees' missions. But then this user wants to go ahead and use Chrome. So they go ahead and install Chrome, and that's what they're using. Unfortunately, the IT team most likely isn't aware of that. So what happens when Chrome has a vulnerability? Well, whose responsibility does it become and who's managing that vulnerability and making sure that it's addressed? The user, in this case, which we know can't always be relied on to be security first.
Starting point is 00:16:31 So that's one issue is the idea of shadow IT. Also, specifically the issue with cracked software is oftentimes threat actors that are designing these cracked software will embed malicious code within these applications that could do a slew of harmful behaviors on the user's endpoint. Yeah, I was looking through the research that you all recently published about this. And it was really surprising to me
Starting point is 00:16:55 what a high percentage of cracked software contains all kinds of malware. Yeah, there were a lot of threats. I can give you an example of one really interesting one we saw not too long ago. There was an organization that we work with. They're located in the United Kingdom. And they had a user who went ahead and downloaded a free version of a common creative and design tool off of the Internet.
Starting point is 00:17:21 And what was embedded within that application was malicious code to do a number of things. First was info-stealing tactics, trying to scrape passwords from the browsers on the machine, credentials, I should say, from those browsers and send them back. Other actions that were embedded were shellcode and changing startup processes in order to evade defense evasion tactics like disabling endpoint security and others. We also saw behaviors that were indicative of privilege escalation within some of that code in the application. And lastly, we also saw beaconing to a malicious IP address halfway around the world. So a lot of those types of things that ultimately lead to command and control and give threat actors access are being baked into these cracked softwares.
Starting point is 00:18:14 I'm curious, you know, how much do you think this is kind of an organizational culture problem of, as you mentioned at the outset, you know, folks are just trying to get their work done. And I suspect in a lot of cases, they go to the powers that be and say, hey, I want to do this thing. I want to do this task. I need this tool. And they're told no, or we can't afford that, or it's going to take a month to fill out a requisition, those sorts of things. Exactly.
Starting point is 00:18:42 I definitely think that's a factor, especially what you alluded to at the end there, the time that it can take. We can take weeks, maybe even months, depending on procurement processes and things like that. And users just don't want to deal with it. They want to get their work done and move on. So I definitely think, like you said, that kind of culture contributes to some of these scenarios. So ideally what I would suggest to organizations is to make sure that they have the tools that users need available to them. And they have a process for users to be able to submit anything else that they might need, that the organization might not already have,
Starting point is 00:19:18 and have a way for users to get a hold of what they need in a timely fashion so that we're not encouraging users to be able to go out and just install things on their own. Yeah, how do you strike that balance between having an end user's system properly configured, you know, locked down, but not so much that they feel as though they can't get anything done? I mean, people want to feel like they have a certain amount of autonomy, a certain amount of freedom in their day-to-day work. Yeah, absolutely.
Starting point is 00:19:49 I think there are a couple of different degrees of levels of security, I will say, that you could apply to address this type of issue, you could go full-fledged with the concept of zero trust and say users aren't allowed to download or install anything except for what is explicitly authorized by our organization. Obviously, that approach typically provides the highest level of security. But like you said, maybe in certain cases you do want to give users some flexibility, but you could still take other controls as well, like limiting the amount of administrative actions that they could take on their endpoints or requiring approval from IT administrators before they install something. So at least there is some level of verification there. That seems
Starting point is 00:20:34 to be a common step that organizations could take. Oftentimes, as I'm sure you know, if you're going to install a new application, you need admin privileges to do so. And if you could restrict local admin privileges on those endpoints and have your users automatically submit something to the IT team, if they need to use local admin privileges on their machine, that could be a way of having a verification step in place. So overall, what are your recommendations to the defenders out there in our audience who are faced with this? To me, the biggest thing, especially coming from a background of security operations, is having visibility. I think that's where it really becomes an issue for organizations is when they're not aware of what's out there and they're not aware of what their users are doing.
Starting point is 00:21:17 So making sure that you have visibility into what's going on on their systems and it's being monitored and making appropriately when something bad happens. And I think for something like this, really the most effective approach is having some sort of advanced endpoint protection in place that can identify these sorts of threats in real time and mitigate them appropriately. That example that I talked about earlier with that organization and the user with the cracked version of a creative and design tool, fortunately for them, they had advanced endpoint protection.
Starting point is 00:21:47 And the behavioral AI detection engine within that endpoint protection agent detected it almost instantaneously and was able to mitigate the file and quarantine it before it became an issue. So to me, I'm a big believer that advanced endpoint protection will really help solve the issue of users clicking and downloading things that maybe they should. That's Eric Russo from Barracuda. Local news is in decline across Canada, and this is bad news for all of us. With less local news, noise, rumors, and misinformation fill the void, and it gets harder to separate truth from fiction.
Starting point is 00:22:34 That's why CBC News is putting more journalists in more places across Canada, reporting on the ground from where you live, telling the stories that matter to all of us, because local news is big news. Choose news, not noise. CBC News. The ride that steals the spotlight every time it hits the road, that's the Volkswagen Tiguan.
Starting point is 00:22:57 Its sleek exterior makes a first impression you can't ignore. Step inside to find a very important. available full leather seats and wood accents. Under the hood, the available 201 turbocharged horsepower engine gives it a fun to drive edge. The refined Tiguan, you deserve more style. Visit vw.ca to learn more. SUVW, German engineered for all. And finally, crypto scammers are reportedly targeting commercial vessels stranded near the Strait of Hormuz,
Starting point is 00:23:35 posing as Iranian authorities and requesting transit fees in Bitcoin or Tether for safe passage through the contested waterway. Greek maritime risk firm Marisks warned shipowners after identifying at least one vessel that may have paid such a demand before being fired upon anyway. Another cargo ship was also shot at after receiving what may have been fraudulent clearance to proceed. Roughly 2,000 ships remain stuck amid escalating regional conflict with confirmed missile, drone, and small boat attacks complicating navigation. Iranian inspections, U.S. naval enforcement actions, and retaliatory strikes have created a
Starting point is 00:24:20 confusing security environment, one apparently chaotic enough that even counterfeit maritime tollbooths, now accepting cryptocurrency, are finding willing customers. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday. In my conversation with Juliana Testa, senior security engineer from 7AI, the research is titled Quish Splash, when the QR code is the weapon, a multi-wave phishing campaign that slip past every filter. That's Research Saturday. Do check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world
Starting point is 00:25:18 of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to Cyberwire at n2K.com. N2K's lead producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner.
Starting point is 00:25:46 Thanks for listening. We'll see you back here next week.
