CyberWire Daily - Attackers found a new way around MFA.
Episode Date: May 26, 2026

The FBI warns attackers are abusing Microsoft OAuth authentication. India pushes faster patching as AI speeds up cyberattacks. Iranian hackers blend phishing with SEO poisoning. Anthropic's AI finds thousands of open source flaws, while AI also reshapes bug bounties and fuels supply-chain attacks hitting thousands of GitHub repos. Plus, a new LMS zero-day, bulletproof hosting arrests in the Netherlands, FTC action over bogus "active listening" claims, and another busy week for cyber funding and M&A. Our guest is Kurtis Minder, author, joining us to discuss his book "Cyber Recon: My Life in Cyber Espionage and Ransomware Negotiation." Please disregard all searches for disregard.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Kurtis Minder, author, joining us to discuss his book "Cyber Recon: My Life in Cyber Espionage and Ransomware Negotiation."

Selected Reading
FBI warns of Kali365 phishing service targeting Microsoft 365 accounts (Bleeping Computer)
India's CERT-In Sets 12-Hour Patch Deadline for Exposed Flaws (Infosecurity Magazine)
Iran-Linked Hackers Target US Aviation with Phishing and SEO Poisoning Campaign (Infosecurity Magazine)
Anthropic: Mythos Detected 23,000 Potential Vulnerabilities Across 1,000 OSS Projects (SecurityWeek)
HackerOne takes an axe to its bug bounty rewards (The Register)
Automated 'Megalodon' Campaign Spreads GitHub Repo Backdoors (GovInfo Security)
Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment (SecurityWeek)
Admins of Bulletproof Hosting Service Used by Russian Hackers Arrested in Netherlands (SecurityWeek)
FTC to Require Cox Media Group, Two Other Firms to Pay Nearly $1 Million to Settle Charges They Deceived Customers About "Active Listening" AI-Powered Marketing Service (Federal Trade Commission)
Socket raises $60 million in Series C funding. (N2K Pro Business Briefing)
You can no longer Google the word 'disregard' (TechCrunch)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Do you know how the space and cybersecurity domains connect?
T-minus space cyber briefing is your guide through the space-based systems that expand the attack surface.
I'm Maria Varmazis, host here at N2K Cyberwire, and I'm excited to share that T-minus is back.
Now, as a weekly podcast, the T-minus Space Cyber Briefing.
We have a new dedicated focus on two great things that are even better together, space and cybersecurity.
Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly internet-enabled.
We're talking cybersecurity technologies, policies, and organizations that are securing the critical space-based infrastructure that powers, protects, and connects our lives here on Earth.
So join me for T-minus Space Cyber Briefing, new episodes every Sunday.
No, it's not your imagination.
Risk and regulation really are ramping up,
and these days customers expect proof of security before they'll even do business.
That's where Vanta comes in.
Vanta automates your compliance process and brings compliance, risk, and customer trust together
on one AI-powered platform.
So whether you're getting ready for a SOC 2 or managing an enterprise
governance, risk, and compliance program, Vanta helps keep you secure and keeps your deals moving.
Companies like Ramp and Writer spend 82% less time on audits with Vanta.
That means less time chasing paperwork and more time focused on growth.
For me, it comes down to this.
Over 10,000 companies from startups to large enterprises, trust Vanta to help prove their security.
Get started at vanta.com slash cyber.
The FBI warns attackers are abusing Microsoft OAuth authentication.
India pushes faster patching as AI speeds up cyber attacks.
Iranian hackers blend phishing with SEO poisoning.
Anthropic's AI finds thousands of open source flaws,
while AI also reshapes bug bounties and fuels supply chain attacks hitting thousands of GitHub repos.
Plus a new LMS zero-day, bulletproof hosting arrests in the Netherlands,
FTC action over bogus active listening claims,
and another busy week for cyber funding and M&A.
Our guest is Kurtis Minder, discussing his new book, Cyber Recon:
My Life in Cyber Espionage and Ransomware Negotiation.
And please disregard all searches for disregard.
It's Tuesday, May 26, 2026.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It's great as always to have you with us.
The FBI is warning about Kali365, a phishing-as-a-service platform
that helps attackers hijack Microsoft 365 accounts by abusing OAuth device code authentication.
The platform reportedly emerged in April and is marketed through Telegram channels to lower-skilled cybercriminals.
Kali365 exploits Microsoft's legitimate OAuth 2.0 device authorization flow,
which was designed for devices like smart TVs and printers that cannot easily enter credentials.
Attackers generate a device code, then trick victims into entering it at Microsoft's login portal.
Once the victim completes multi-factor authentication,
attackers receive valid OAuth session tokens and gain access without needing passwords or MFA codes.
Researchers at Arctic Wolf say Kali365 also offers adversary-in-the-middle capabilities,
real-time victim tracking, and AI-generated phishing lures.
The FBI recommends restricting device code authentication and auditing unauthorized device registrations.
Device code phishing is rapidly becoming a preferred method for compromising cloud identities
and bypassing traditional MFA protections.
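One way to act on the FBI's advice to audit device code authentication, as an added example that is not from the podcast, the FBI or Microsoft: it scans exported Entra ID sign-in records for the device-code protocol and rates a sign-in higher when it comes from a country the user has never authenticated from. Field names follow the Microsoft Graph signIn schema (authenticationProtocol, location.countryOrRegion); the log records are constructed for the demo.

```python
"""Flag OAuth device-code sign-ins in Microsoft Entra sign-in logs.

Added example, not code from the CyberWire episode, the FBI or Microsoft.
Assumes sign-in events exported one JSON object per line with the Graph
signIn fields authenticationProtocol, userPrincipalName, ipAddress,
location.countryOrRegion and appDisplayName. The records below are
constructed for this demo.
"""
import json
from collections import defaultdict

# Constructed sample: three ordinary sign-ins that show where each user
# normally works, followed by two device-code sign-ins.
SAMPLE_LOG = """\
{"userPrincipalName":"alice@example.com","authenticationProtocol":"authorizationCodeFlow","ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"},"appDisplayName":"Microsoft Teams"}
{"userPrincipalName":"alice@example.com","authenticationProtocol":"authorizationCodeFlow","ipAddress":"198.51.100.11","location":{"countryOrRegion":"US"},"appDisplayName":"Outlook"}
{"userPrincipalName":"bob@example.com","authenticationProtocol":"authorizationCodeFlow","ipAddress":"203.0.113.5","location":{"countryOrRegion":"DE"},"appDisplayName":"Outlook"}
{"userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.77","location":{"countryOrRegion":"NL"},"appDisplayName":"Microsoft Office"}
{"userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.5","location":{"countryOrRegion":"DE"},"appDisplayName":"Microsoft Office"}
"""


def parse_events(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def baseline_countries(events):
    """Countries each user has signed in from via ordinary (non-device-code) flows."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            seen[ev["userPrincipalName"]].add(ev["location"]["countryOrRegion"])
    return seen


def find_device_code_signins(events):
    """Return one finding per device-code sign-in.

    Every device-code sign-in is reported, since the guidance is to restrict
    the flow unless a device genuinely needs it. A sign-in from a country the
    user has never authenticated from is rated 'high': the token is redeemed
    by whichever host polls the token endpoint, so in a phishing case the
    sign-in carries that host's IP and location rather than the victim's.
    """
    baseline = baseline_countries(events)
    findings = []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        user = ev["userPrincipalName"]
        country = ev["location"]["countryOrRegion"]
        severity = "high" if country not in baseline.get(user, set()) else "medium"
        findings.append({
            "user": user,
            "ip": ev["ipAddress"],
            "country": country,
            "app": ev.get("appDisplayName"),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in find_device_code_signins(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the sample, alice's device-code sign-in from NL is rated high and bob's from his usual DE location medium; a medium hit still deserves review if the tenant has no devices that need the flow.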
India's CERT-In is urging organizations to patch actively exploited internet-facing vulnerabilities
within 12 hours, warning that artificial intelligence is dramatically shortening attacker timelines.
New guidance published May 25th says generative AI, large language models, and autonomous
agents are accelerating reconnaissance, phishing, malware creation, and vulnerability discovery.
The framework sets risk-based remediation targets, including one day for critical external flaws,
and three days for critical internal vulnerabilities affecting high-value systems.
CERT-In also recommends prioritizing known-exploited vulnerabilities
and Exploit Prediction Scoring System data over severity ratings alone.
AI is compressing the gap between disclosure and exploitation, leaving defenders with far less
time to respond. The guidance also emphasizes securing AI systems themselves and maintaining rapid
incident reporting procedures.
Iran-linked threat actor Nimbus Manticore is targeting aviation
organizations with a new phishing and search engine optimization poisoning campaign designed to spread
malware. According to Check Point Research, the IRGC-affiliated group operated in multiple waves between
February and April, overlapping with the U.S. military's Operation Epic Fury campaign.
Researchers say the group impersonated aviation companies and software vendors across the U.S.,
Europe, and the Middle East. In April, the attackers introduced fake Oracle SQL Developer
download sites packed with search keywords to rank highly in search engines. The campaign also
delivered a new AI-developed backdoor called MiniFAST, which
disguises command and control traffic as Chrome browser activity.
The operation shows how state-aligned actors are blending traditional phishing with search manipulation
and AI-assisted malware development to scale attacks against critical sectors.
Anthropic says its Claude Mythos AI model has identified thousands of severe vulnerabilities
across more than 1,000 open-source software projects.
The company reports more than 23,000 potential findings with external reviewers confirming over 1,700 vulnerabilities, including more than 1,000 rated high or critical severity.
The model, available to select organizations through Project Glasswing, has reportedly helped researchers uncover flaws in projects, including Firefox and Chrome-related software ecosystems.
Anthropic says only a fraction of identified issues
have been patched so far, citing disclosure timelines and strained security resources.
The findings highlight how AI-driven vulnerability discovery could significantly increase the pace
and scale of software flaw identification, while also adding pressure to already overloaded
patching and disclosure processes.
Researchers say the economics of bug bounty hunting are rapidly changing as AI accelerates
vulnerability discovery and floods maintainers with security reports. HackerOne's Internet Bug Bounty program
recently cut payouts sharply, reducing rewards for medium severity flaws from roughly $1,800 to
under $300, while the program remains paused amid a processing backlog.
Security researchers told The Register that AI-assisted tools are producing higher-quality findings
at a much greater scale, creating pressure on open-source maintainers who still must manually
validate, deduplicate, and remediate reports.
curl founder Daniel Stenberg and Linux maintainer Linus Torvalds both warned that AI-generated
vulnerability submissions are becoming difficult to manage.
Researchers say the real bottleneck is no longer discovering flaws, but verifying and fixing
them efficiently. Researchers say an automated supply chain campaign dubbed Megalodon
compromised more than 5,000 GitHub repositories by injecting malicious GitHub Actions
workflows through fake pull requests and forged bot identities. According to SafeDep,
the attackers used Base64-encoded bash payloads designed to steal cloud credentials,
SSH keys, OpenID Connect tokens, and secrets
exposed inside development environments. The campaign reportedly executed more than 5,700 malicious
commits in a six-hour period and targeted repositories tied to projects including
Tiledesk and the Black Iron project. Researchers say the malware spread through poisoned workflow
files rather than altered application code, making detection more difficult during routine package
reviews. Security firms warn the operation reflects a growing
wave of large-scale software supply chain attacks, targeting continuous integration and delivery
pipelines.
Mandiant reports that attackers exploited a zero-day vulnerability in the KnowledgeDeliver learning
management system to deploy web shells and a Cobalt Strike backdoor.
The flaw stemmed from hard-coded ASP.NET machine keys shared across deployments, enabling ViewState
deserialization attacks.
Researchers say the attackers deployed Godzilla web shells, modified application files, and delivered fake plug-in alerts before installing additional malware.
Mandiant believes the final backdoor payload was customized for the targeted organization because its encryption key included the victim's name.
The incident highlights the risks of shared cryptographic secrets across enterprise software deployments and the continued abuse of ASP.NET deserialization
flaws for post-exploitation access.
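A check for the root cause in the KnowledgeDeliver story, shared machine keys, as an added example that is not from the podcast or Mandiant: it parses each deployment's web.config, ignores keys left to AutoGenerate, and reports any static validationKey/decryptionKey pair that appears in more than one deployment. The config files and key values are constructed dummies.

```python
"""Find hard-coded ASP.NET machineKey values that are shared across deployments.

Added example, not code from the CyberWire episode or Mandiant. It assumes
each deployment's web.config is available as XML text; the configs and key
values below are constructed dummies, not real secrets.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed: two deployments shipping the same vendor-supplied key, one
# with its own key, and one that leaves key generation to the runtime.
DUMMY_KEY_SHARED = "0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9"
DUMMY_KEY_UNIQUE = "F9E8D7C6B5A49382716050F4E3D2C1B0F9E8D7C6B5A49382716050F4E3D2C1B0"


def _config(validation_key=None, decryption_key=None):
    """Build a minimal web.config; no machineKey element when keys are None."""
    if validation_key is None:
        key_elem = ""
    else:
        key_elem = (f'<machineKey validationKey="{validation_key}" '
                    f'decryptionKey="{decryption_key}" '
                    f'validation="HMACSHA256" decryption="AES"/>')
    return f"<configuration><system.web>{key_elem}</system.web></configuration>"


CONFIGS = {
    "customer-a/web.config": _config(DUMMY_KEY_SHARED, DUMMY_KEY_SHARED[:48]),
    "customer-b/web.config": _config(DUMMY_KEY_SHARED, DUMMY_KEY_SHARED[:48]),
    "customer-c/web.config": _config(DUMMY_KEY_UNIQUE, DUMMY_KEY_UNIQUE[:48]),
    "customer-d/web.config": _config(),  # no machineKey: runtime auto-generates
}


def machine_key(config_xml):
    """Return (validationKey, decryptionKey) if the config pins static keys, else None.

    A missing element, or the AutoGenerate[,IsolateApps] setting, means ASP.NET
    derives per-machine keys, so nothing static can be shared between sites.
    """
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)  # also finds keys under <location>
    if node is None:
        return None
    vk = node.get("validationKey", "AutoGenerate,IsolateApps")
    dk = node.get("decryptionKey", "AutoGenerate,IsolateApps")
    if vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate"):
        return None
    return (vk, dk)


def shared_keys(configs):
    """Map each static key pair to the deployments using it, keeping only pairs
    seen in more than one deployment: those sites all accept ViewState signed
    with the same secret, which is the exposure described in the story."""
    by_key = defaultdict(list)
    for path, xml_text in configs.items():
        key = machine_key(xml_text)
        if key is not None:
            by_key[key].append(path)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    for (vk, _dk), sites in shared_keys(CONFIGS).items():
        print(f"validationKey {vk[:8]}... shared by {', '.join(sites)}")
```

The same scan run across a vendor's customer install base, or across a fleet of your own servers, shows whether a key rotation is needed per deployment or only on one.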
Dutch authorities have arrested two men accused of operating companies that allegedly
provided bulletproof hosting services to Russian threat actors while evading European Union
sanctions. According to the Dutch Fiscal Information and Investigation Service, investigators seized
more than 800 servers during raids at multiple locations and data centers across the Netherlands.
Officials say one suspect operated a Dutch front company tied to a sanctioned hosting provider
linked to disinformation and cyber attacks targeting EU members.
Investigators allege the second suspect maintained infrastructure
that kept the services operational after sanctions took effect.
The case underscores growing scrutiny on infrastructure providers
accused of enabling cybercrime,
distributed denial of service attacks,
and state-aligned influence operations,
despite international sanctions.
The Federal Trade Commission says Cox Media Group and two partner firms will pay $930,000 to settle allegations they falsely marketed an AI-powered advertising service
that supposedly listened to conversations captured by smart devices.
Regulators allege the companies claimed consumers had opted into the service and that advertisers could target localized
ads based on voice data collected in real time.
According to the FTC, the active listening product did not actually use voice data.
Instead, the firms reportedly resold email lists purchased from data brokers while misleading
customers about the service's capabilities and consumer consent practices.
The settlement bars the companies from misrepresenting advertising features, geographic targeting,
or the collection and use of consumer voice data.
The case highlights increasing regulatory scrutiny of AI marketing claims and consumer privacy practices.
The notion that your mobile device is actively listening to you is a conspiracy theory that sadly refuses to die.
Turning to our Monday business breakdown, cybersecurity investment activity remained strong last week, led by Socket,
which raised $60 million in Series C funding at a reported $1 billion valuation.
Other notable raises include Israeli email security startup Ocean with $28 million,
quantum safe security firm Quantum Bridge with $8 million,
and offensive security startup Hactron with $2.9 million.
The mergers and acquisitions market also remained active.
Akamai agreed to acquire Israeli browser security company
LayerX for $209 million, while Sirea acquired Genie Security for a reported $50 million.
Additional deals involved SecurityScorecard, Black Box, and Torque.
The funding and acquisition activity reflects continued investor focus on AI-native security
platforms, software supply chain protection, and threat intelligence capabilities as organizations
adapt to evolving cyber risks.
Be sure to check out our weekly business briefing.
That's part of CyberWire Pro.
You can find that on our website.
Coming up after the break, my conversation with Kurtis Minder, author of the new book Cyber Recon:
My Life in Cyber Espionage and Ransomware Negotiation.
And please disregard all searches for disregard.
Stick around.
Most environments trust far more than they should, and attackers know it.
ThreatLocker solves that by enforcing default deny at the point of execution.
With ThreatLocker Allowlisting, you stop unknown executables cold.
With Ringfencing, you control how trusted applications behave.
And with ThreatLocker DAC, Defense Against Configurations, you get real assurance
that your environment is free of misconfigurations and clear visibility into whether
you meet compliance standards.
ThreatLocker is the simplest way to enforce zero-trust principles without the operational
pain. It's powerful protection that gives CISOs real visibility, real control, and real peace
of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of
organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain
control over their environments. Schedule your demo at threatlocker.com slash N2K today.
When it comes to mobile application security, good enough is a risk.
A recent survey shows that 72% of organizations reported at least one mobile application security incident last year,
and 92% of responders reported threat levels have increased in the past two years.
Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time-to-market, or user experience.
Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.
Kurtis Minder is author of the new book Cyber Recon: My Life in Cyber Espionage and Ransomware Negotiation. Here's our conversation.
I've been interviewed by the media, including yourself, many times, and occasionally after those interviews, people would say, you know, I didn't
realize that there were companies doing this kind of work, cyber espionage type of work,
you should write a book about that. A lot of people don't realize that this is a thing.
Richard Stiennon, who's a close friend and mentor of mine, who's written many books. I'm sure
you know, Richard, he introduced me to his publisher, and the publisher in the first
conversation offered me a contract. So it kind of just fell in my lap.
Well, take us through how you decided to organize this, because this book is really packed with a lot
of good information.
Yeah, you know, I wanted to take the audience through sort of first give basic context,
you know, the readers through basic context of the industry and why this type of industry
inside the cyber industry exists.
And then kind of go through the who, what, where, when, you know, how components of that.
That's kind of how he did each chapter.
Each chapter was, you know, here are the bad guys that we're dealing with and here's
why they're doing what they're doing and here's why we're spying on them and here's how we're
spying on them and here's where we're spying on them.
And each chapter kind of addresses all of those things.
And then, of course, I have a chapter on the ransomware negotiation component.
The longest chapter in the book is on operational security for an individual or an organization, which I think is pretty powerful.
Yeah, I mean, it strikes me that it's not just a review of what's been done and how it's done,
but it's also a practical guide for a lot of folks out there.
That was the hope to write it so that it was broad enough that someone who's new to the cybersecurity industry could gain something from it
and potentially learn something, you know, learn something
tactical, but also have enough context and storytelling that the veterans of the industry are
entertained by it. And I think I walked that line pretty well. Yeah. One of the things that impressed
me is, you know, this is not just a book about your own experience. You've brought in some
big names, some other heavy hitters, if you will, in this world. Yeah, that was my
attempt at addressing my imposter syndrome. I, you know, I'm
sure you have these moments in your career too where you're like, why am I doing this? There's like at least
10 people who are smarter than me. And so instead of, uh, you know, just putting them in the, you know, the
acknowledgments, I decided to make a profile of some of the people that I admire or have helped
this industry specifically, or me, um, and do a profile on those individuals in the book.
Well, let's go through some of the main, uh, things that folks can expect to get out of this book.
Can you take us through some of the chapters that you're particularly fond of?
Yeah.
I mean, I'll start with the OPSEC chapter since that's the one that takes up the most space.
After doing this type of work for so long, one, we learned so much about how the bad guys operate,
the threat actors operate.
That's useful information.
I'm obviously a target because of the work I do, and so I have to be very careful about my own operational security.
And I also just in life recognize how
often people are doing this wrong, not maliciously, just unintentionally doing this wrong or incorrectly.
So I spent a lot of time walking through, again, I like to always give a good why, why this is
important, but then here are some basic things that you should know. If you're an analyst and you're
doing this kind of work, here are the things that you should be aware of. If you're just a person
who's a high-profile individual, here are some things that you need to take into account.
So I spent a lot of time on that chapter. I think the chapter on the ransomware and
negotiation night is one of the more eye-opening for the average person because I walk through
actual cases. I talk about who these bad guys are and why they're doing what they're doing.
And like they operate a lot like a business themselves and how that works and the inner workings
of all that. So I think that's one of the more entertaining chapters for sure.
Well, I'd be remiss to not get your take on AI and where we find ourselves with this revolution.
Yeah, at the last couple chapters, I talk a little bit about the current landscape and AI,
and we are seeing, you know, the threat actors utilizing AI.
In some ways, they're mirroring the way the broader market is doing that.
So the initial, you know, sort of evidence that we saw threat actors using AI maliciously was, you know,
as simple as sort of content creation and things like that.
That's what we started with, you know, making cats breakdance or whatever we were doing.
They're doing that, but they're doing it for phishing emails, right?
And so then they've then stepped that up.
And we've even had a couple cases where we believe they were using AI and the negotiations.
Obviously, you know, the Mythos thing is pretty big now.
And I think we will be seeing evidence of that in the wild if it's not already out there.
So it's definitely like everywhere else in the world and every profession, the AI is making a major impact.
Who's your target audience here for the book?
It's broad.
But I would say that when I think of a reader persona while I'm writing,
A lot of times it's just security or board level leadership at a company.
So CISOs and or, you know, their peers at the board level.
And I do a fair amount of board advisory work now after exiting my last company.
That's mostly what I'm spending my time on is book signings and board advisory work.
And I recognize the gaps.
These people don't have enough context to make good decisions.
And so I try to write the book to help with that.
From a big picture point of view, what do you hope people come away from reading the book?
Better awareness of the risk and just, you know, improve cyber hygiene, which I talk about in the book is something that I believe is a, almost like a civic responsibility.
And I talk about that in all my public speaking as well.
And the title of Kurtis Minder's new book is Cyber Recon: My Life in Cyber Espionage and Ransomware Negotiation.
And finally, Google's new AI-heavy search experience has apparently found an innovative way to redefine the word
disregard by disregarding the actual search result. Users searching the single word disregard this
week were greeted with a large, mostly empty AI-generated response that pushed the useful
Merriam-Webster definition well below the fold. The issue surfaced shortly after Google rolled out
a redesigned search interface that prioritizes AI summaries over traditional web links.
Critics online pointed to the example as evidence that the system may not handle simple edge
cases particularly well. In an unexpected twist for longtime tech reporters, Microsoft's Bing reportedly
delivered the more useful result, a sentence that may have caused several search engineers
to quietly stare into the middle distance.
The episode highlights ongoing concerns that AI-generated search features can sometimes add complexity where users simply wanted an answer.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment on Jason and Brian's show every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey and the show notes or send an email to Cyberwire at N2K.com.
N2K's lead producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliott Peltzman.
Our contributing host is Maria Varmazis.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
