CyberWire Daily - Breaking the GlassWorm.

Episode Date: May 27, 2026

A major takedown disrupts the GlassWorm botnet. The White House rewrites federal cyber logging rules as CISA faces cuts amid rising AI threats. Federal agencies ramp up scrutiny of so-called anti-tech extremism. GCHQ warns Russia is targeting UK infrastructure. Researchers uncover stealthy new malware, AI coding agent supply chain risks, and in-person extortion tactics targeting U.S. law firms. Europe grabs satellite spectrum. Ben Yelin joins us to discuss the bipartisan push for more support of CISA. Hacking your way to the main stage.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our Caveat co-host and Program Director for Public Policy & External Affairs at the University of Maryland Center for Cyber Health and Hazard Strategies, Ben Yelin, joins Dave to talk about the bipartisan push for more support of CISA.

Selected Reading
GlassWorm Botnet Disrupted (SecurityWeek)
OMB Scraps Biden-Era Cyber Logging Rules (BankInfoSecurity)
US law enforcement warns of "anti-tech extremism" as AI hatred grows (Ars Technica)
Russia 'relentlessly targeting' critical infrastructure and democracy, GCHQ says (BBC)
Trump hobbled top cyber agency just as AI learned to hack (Axios)
EU to squeeze US space tech out of prized satellite airwaves (Politico)
Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data (FortiGuard Labs)
FBI warns of in-person data theft attacks from extortion gang (Bleeping Computer)
'SymJack' Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems (SecurityWeek)
How to guarantee a speaker gig: Hack the system. Literally (The Register)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey.
Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
[00:00:00] You're listening to the CyberWire Network, powered by N2K. Do you know how the space and cybersecurity domains connect? T-Minus Space Cyber Briefing is your guide through the space-based systems that expand the attack surface. I'm Maria Varmazes, host here at N2K CyberWire, and I'm excited to share that T-Minus is back. Now, as a weekly podcast, the T-Minus Space Cyber Briefing. We have a new dedicated focus on two great things that are even better together, space and cybersecurity. Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly internet-enabled. We're talking cybersecurity technologies, policies, and organizations that are securing the critical space-based infrastructure that powers, protects, and connects our lives here on Earth.
[00:00:59] So join me for T-Minus Space Cyber Briefing, new episodes every Sunday. No, it's not your imagination. Risk and regulation really are ramping up, and these days customers expect proof of security before they'll even do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're getting ready for a SOC 2 or managing an enterprise
[00:01:39] governance, risk, and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and Writers spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me, it comes down to this. Over 10,000 companies, from startups to large enterprises, trust Vanta to help prove their security. Get started at Vanta.com slash cyber. A major takedown disrupts the GlassWorm botnet. The White House rewrites federal cyber logging rules as CISA faces cuts amid rising AI threats.
[00:02:33] Federal agencies ramp up scrutiny of so-called anti-tech extremism. GCHQ warns Russia is targeting UK infrastructure. Researchers uncover stealthy new malware. We've got AI coding agent supply chain risks and in-person extortion tactics targeting U.S. law firms. Europe grabs satellite spectrum. Ben Yelin joins us to discuss the bipartisan push for more support of CISA, and hacking your way to the main stage. It's Wednesday, May 27, 2026. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining us here today. It's great as always to have you with us.
[00:03:40] Cybersecurity firm CrowdStrike says the GlassWorm botnet, active for more than six months, has been disrupted through a coordinated takedown with Google and the Shadowserver Foundation. GlassWorm used a resilient command and control structure built on the Solana blockchain, BitTorrent, Google Calendar, and commercial VPS servers. The malware spread through trojanized Visual Studio extensions, GitHub repositories, and compromised Python packages. It stole developer credentials, targeted cryptocurrency wallets, and enabled remote access on infected systems.
[00:04:18] CrowdStrike says the operators continuously evolve their tooling and infrastructure to resist disruption efforts. Attackers increasingly target developers and software supply chains rather than end users directly. CrowdStrike warns that weak developer environments and build pipelines can expose every organization consuming affected software. The Trump administration has rescinded a 2021 federal cybersecurity logging directive, introduced after the SolarWinds breach, replacing it with a more targeted, risk-based framework focused on detection and incident response. The updated guidance from the Office of Management and Budget emphasizes continuous monitoring, threat hunting, forensic investigations, and rapid response capabilities. OMB Director Russell Vought said the previous requirements generated large volumes of
[00:05:16] costly data with limited defensive value. The new framework also expands logging guidance to Internet of Things and operational technology systems, while directing CISA and federal partners to develop a government-wide logging architecture aligned with zero-trust modernization efforts. The policy reflects growing concern that adversaries are using automation and AI to accelerate attacks beyond the pace of traditional monitoring systems. Agencies will now retain logs in searchable form for six months and retrievable form for one year. Newly obtained intelligence documents reviewed by Wired show federal agencies and fusion centers increasingly monitoring activists, protesters, and online communities under a developing category described as anti-technology extremism. The reports, circulated by the Department
[00:06:16] of Homeland Security, the FBI, and regional fusion centers, cite concerns about protests tied to artificial intelligence, data center construction, and anti-corporate sentiment. Some assessments warn that unrest linked to AI adoption could evolve into violence targeting critical infrastructure or technology executives. The documents also reference monitoring of public demonstrations, online forums, and constitutionally protected gatherings opposing data centers and AI expansion. Civil liberties advocates warn the category is broadly defined and could sweep in peaceful protesters,
[00:06:58] AI skeptics, and environmental activists alongside individuals advocating violence. Federal officials maintain the focus remains on threats involving criminal activity or national security concerns. In her first public speech as director of GCHQ, Anne Keast-Butler warns that the UK faces a moment of consequence, as Russia intensifies cyber and hybrid threats against critical infrastructure, supply chains, and democratic institutions. Keast-Butler says GCHQ is working with intelligence and defense partners
[00:07:37] to counter cyber attacks, sabotage, and espionage linked to Moscow, while also warning about China's growing technological and cyber capabilities. She stresses that advances in artificial intelligence are rapidly reshaping the threat landscape and narrowing the UK's strategic advantage. Her speech also calls for stronger cybersecurity practices across government, industry, and households. The Cybersecurity and Infrastructure Security Agency is entering the AI era with reduced staffing, budget cuts, and a diminished role in the federal government's response to emerging AI-enabled cyber threats, according to reporting from Axios. Since early 2025, CISA has reportedly lost roughly one-third of its workforce through buyouts and funding reductions. Industry and former government officials warn the
[00:08:34] cuts have weakened the agency's ability to coordinate with critical infrastructure operators and respond to increasingly sophisticated threats from advanced AI models. Sources also told Axios that CISA has taken a secondary role in White House discussions surrounding cybersecurity risks tied to frontier AI systems. Former officials argue the agency would traditionally play a central role in shaping national cyber policy and coordinating vulnerability management across government and industry. Later in the show, I'm joined by Ben Yelin to discuss the bipartisan push for more CISA funding. Europe is moving to reserve most of a valuable satellite spectrum band for European operators,
[00:09:23] setting up a potential clash with Washington over the future of space-based connectivity and tech sovereignty. Their proposal could limit access for U.S. companies like SpaceX and Amazon, while boosting Europe's own satellite ambitions. Our contributing host Maria Varmazes joins us with more on the growing geopolitical battle over who controls the skies. Thanks, Dave. As much as data sovereignty is a critical topic in the European Union right now, so too is its companion concern, space sovereignty.
[00:09:58] That concept encompasses access to radio frequency spectrum bands, and there is only so much RF spectrum to go around; that's physics for you. So it is a major development in European space sovereignty, with news reported by Politico and Reuters this week, that the European Commission is moving to reserve most of a valuable satellite spectrum band for primarily European operators when current licenses held by U.S.-based operators Viasat and EchoStar expire in 2027. The proposal would divide the frequencies into three 10-MHz blocks over the next 20 years,
[00:10:33] one block for secure EU government communications and the EU's IRIS² satellite internet constellation, another block for European startups, and the last block would be open to either European or foreign companies. There is also discussion of making the EU-exclusive spectrum open to EU-adjacent countries like Norway and the UK. Should this plan come to fruition, it would sharply limit spectrum access for U.S. operators like SpaceX and Amazon, both of which are fast increasing their global presence
[00:11:05] with Starlink and Amazon Leo and acquiring access to spectrum bands to make that happen. EU officials say that their plan of reallocating the band to prioritize EU access is necessary for European technical sovereignty and secure internet connectivity. But squeezing out U.S. competition could provoke retaliation from the United States, just as the EU and U.S. seem to be nearing finalization of a new trade deal. For the CyberWire Daily, I'm Maria Varmazes from T-Minus Space Cyber Briefing. Back to you, Dave. Be sure to subscribe to the T-Minus Space Cyber Podcast wherever you get your favorite shows.
[00:11:46] Researchers at Fortinet FortiGuard Labs have identified a phishing campaign distributing a PureLogs malware variant designed to steal credentials, cryptocurrency wallet data, browser sessions, and other sensitive information. The campaign used purchase order-themed phishing emails containing malicious RAR archives with obfuscated JavaScript files. Once executed, the malware launched PowerShell scripts using process hollowing to inject code into Microsoft's MSBuild process and downloaded additional modules directly into memory. FortiGuard says the malware relied on layered encryption, fileless execution, and dynamic plugin delivery to evade traditional detection methods.
[00:12:34] The malware targeted browser credentials, Discord tokens, VPN accounts, email clients, and dozens of cryptocurrency wallets. Researchers warn the attack highlights the continued effectiveness of phishing combined with increasingly stealthy post-compromise techniques. The FBI is warning the Silent Ransom Group, also known as Luna Moth and Chatty Spider, is escalating its extortion operations against U.S. law firms by using in-person social engineering attacks.
[00:13:10] According to the FBI, attackers pose as internal IT staff through phishing emails and phone calls, convincing employees to grant remote desktop access. If remote access attempts fail, the group may dispatch an individual directly to the victim's office to connect malicious USB drives or external storage devices to company systems. The stolen data is then used for extortion campaigns targeting both organizations and their clients. The group has reportedly targeted legal and financial firms since 2023 and was previously linked to BazarCall campaigns associated with Conti and Ryuk ransomware operations. Researchers at Adversa AI have demonstrated a new supply chain attack technique called SymJack that targets developers using AI coding agents. The attack abuses trusted repositories and symbolic links, or symlinks,
[00:14:10] to silently register a malicious MCP server inside an AI coding environment. Developers may unknowingly approve what appears to be a harmless file copy request, while hidden commands modify agent configurations and execute attacker-controlled code. Adversa says the technique could steal credentials, cloud tokens, browser sessions, or compromise CI pipelines without further user interaction. The firm tested the method against several major AI coding agents, including Claude, GitHub Copilot CLI, Gemini CLI, CERC agent CLI, and Groc Build CLI. Researchers say the issue reflects growing security risks tied to developer trust in automation
[00:14:59] rather than a traditional software vulnerability. Coming up after the break, my conversation with Ben Yelin about the bipartisan push for more support of CISA, and hacking your way to the main stage. Stay with us. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave, and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards.
[00:16:06] ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at ThreatLocker.com slash N2K today. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year,
[00:16:57] and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. And it is always my pleasure to be joined by Ben Yelin. He is my co-host over on the Caveat podcast, and also he is from the University of Maryland Center for Cyber Health and Hazard Strategies. Ben, welcome back. Good to be with you again, Dave.
[00:17:45] Interesting story from our friends over at CyberScoop. And this is about bipartisan support to take a closer look at some of these budget cuts that CISA has been experiencing here. What are we looking at here, Ben? So two members of Congress, Representative Don Bacon, a Republican from Nebraska, and Representative James Walkenshaw, a Democrat from Virginia, spoke during a panel at the National Cyber Innovation Forum and harped on the importance of the Cybersecurity and Infrastructure Security Agency, known as CISA.
[00:18:22] This agency has suffered significant budget cuts over the past year and a half. A lot of that was due to the Department of Government Efficiency and the fork in the road thing, where employees were incentivized potentially to leave, lest they face the threat of layoffs, and then even through the fiscal year 2026 budgeting cycle, it's faced significant cuts. Some estimates say about a third of the January 20th, 2025 workforce has since left the agency. And this is during a time when the threat landscape is extremely significant. We've seen the high-profile attacks. We've heard about advanced potential offensive cyber tools,
[00:19:09] the threats around something like Mythos or similar technology, not to mention concerns about attacks on our critical infrastructure. So these two members of Congress are coming together. They are encouraging their colleagues, as we move into the fiscal year 2027 appropriations process, to prioritize funding this agency and to prioritize information sharing of cyber threats. And I think this could be a really powerful call for their colleagues. The one thing I will say is that the Republican member here, Representative Bacon, is retiring at the end of this year. So in the next Congress, I think somebody else on the Republican side of the aisle will have to take this over as a cause,
[00:19:57] given that we will be losing Representative Bacon's voice on this. Are these representatives in a position of influence when it comes to this particular topic? Yeah, so Representative Bacon is the chairman of the House Armed Services Subcommittee on Cyber, Information Technology, and Innovation. And he has spoken passionately in the past about how important this is to protecting our networks and our critical infrastructure. He mentioned previous campaigns that we've all known about, like Salt Typhoon. Yeah. And just that our adversaries are more sophisticated than they've ever been. And when surveying the threat landscape,
[00:20:38] we're all terrified of attacks on energy grids or water systems or other things that we rely on as a society for our subsistence. And there's a limited capability for state and local governments to do this on their own, just because this is a problem that's national and international in scope. So yeah, I think both of these guys have significant influence. I think because of Representative Bacon's chairmanship, and the fact that he's a member of the president's party, I think his voice is critically important on this.
[00:21:09] Yeah. As we look at this, I mean, to what degree do we suppose that CISA is seeing these cuts as part of the broader government-wide cuts that have been a big part of this administration? You mentioned DOGE, and CISA got cut there. The proposed budget for 2027 is reducing CISA's funding by between $361 million or even up to over $700 million, depending on which budget document you're looking at. But we've also got this sort of longtime specter of the president himself
[00:21:49] having a grudge against the organization for way back when in 2020, saying that the election was fair, and the president doesn't seem to have gotten over that. No, certainly if you read the Truth Social feed, he has not gotten over that. Yeah, I think that's a huge element of this. The president fired the chair of CISA post-election 2020 during his first term, after Mr. Krebs said publicly that he thought the election was fair and that there weren't any irregularities. And he was fired by tweet. And I think there's certainly a perception out there that some of the president's reluctance or grievances at CISA
[00:22:39] are still based on what he saw as that improper statement in the aftermath of the 2020 election. I think that's had a huge impact on it. Now, there are a lot of programs, including ones that weren't directly in the president's line of fire, that have faced significant cuts, that I think members of both parties would say are cost-effective spending programs
[00:23:00] that shouldn't have been on the chopping block. Right. Especially for things like public health. I mean, we're looking at what's happening with Ebola. I think at one point, Elon Musk said in the Oval Office that he accidentally cut off the funding stream to fight Ebola in Africa and then tried to restore it. So it's these types of things where it's not just one agency,
[00:23:22] but just given the threat landscape here, I think this is a particularly important one. And one of the things that the Democratic lawmaker, James Walkenshaw, said here is he's had experience at the local level working for Fairfax County in Virginia, which is a pretty wealthy county that has a sophisticated water system. And in his work there, he saw the critical importance of having these communications channels through this federal agency, and that we need to restore that capability.
[00:23:55] It has just not been the same since it lost so many of its staff members and since, as an agency, it's kind of been deprioritized. Yeah, yeah. And I suppose, I mean, it's good to see that the representatives are offering bipartisan support for this. It seems like there's pretty much universal understanding that CISA's mission is an important one. Part of me wonders if it's fair to the president to keep going back to the 2020 thing. But it's hard to, because of the importance of CISA's mission, it's hard to, and the White House, this is lack of direct information and comment on the justification for cutting CISA,
[00:24:40] other than just broad budget cutting, it's hard to come to other conclusions, right? Yeah. Yeah, I mean, I think it leaves a lot of us to just speculate, which, you're right, sometimes is not fair. And I think the representatives here are doing a good job of not making this a Donald Trump story. Right, right. No matter what happens, we'll have a new president in 2029, and we need this agency to be up and working because of the threat environment.
[00:25:06] Yeah. And because of the importance of this coordinating agency to state and local governments in particular. Right. And I think that's what they're saying, that they have the requisite experience, both in terms of what they've done in Congress and in their previous careers in local governments.
[00:25:22] And they're coming at it from that perspective, not in the, you know, let's have a food fight about the Donald Trump administration, where CISA gets caught in the crossfire. I don't think any of these members of Congress are particularly interested in doing that. Yeah, yeah, yeah, fair enough. All right, well, Ben Yelin is from the University of Maryland
[00:25:45] Center for Cyber Health and Hazard Strategies and also my co-host on the Caveat podcast. Ben, thanks so much for joining us. Good to be with you, Dave. Thanks. Hey, y'all, it's Kelly Clarkson with Wayfair. Ever order furniture online and wonder, what if? Like, what if it doesn't hold up?
[00:26:09] That sofa was four days old. You should have ordered from Wayfair. With Wayfair, there's no what if. Just style you love and quality you can trust. Visit wayfair.ca. Wayfair, every style, every home. And finally, a security researcher found an unusually effective way to get conference talks accepted:
[00:26:33] compromise the submission platform first. Researchers at NoV disclosed a stored cross-site scripting flaw in pretalx, a popular open-source conference management platform used by security events worldwide. The vulnerability allows malicious JavaScript hidden in speaker submissions to execute inside organizer accounts. Researcher Elad Meghed demonstrated the issue by automatically submitting proposals to roughly 40 conferences, all for a deliberately bland talk titled Securing Modern Web Apps. Apparently, subtlety still works. Novi says the flaw could have enabled attackers to hijack organizer sessions, alter submissions, or launch phishing attacks from trusted
[00:27:22] conference infrastructure. pretalx patched the issue in April. Megad emphasized the testing remained controlled and non-destructive, though he admitted a more outrageous talk title would have been funnier. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
[00:28:18] N2K's lead producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazes. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. The Mattamy Homes Bike for Brain Health
[00:28:54] supporting Baycrest returns on May 31st for its fifth anniversary with a new start and finish at the Aga Khan Museum. Join thousands of cyclists as we take over the DVP and Gardiner Expressway in support of dementia research and brain health. Riders of all abilities are welcome, and both regular bikes and e-bikes can participate. Bring your friends, family, or corporate team, and make an impact. Register today at fightforbrainhealth.ca.
