CyberWire Daily - CISA secrets left sitting on GitHub.
Episode Date: May 19, 2026

A CISA contractor leaks GovCloud credentials on GitHub. INTERPOL cracks down on phishing infrastructure across the Middle East and North Africa. Microsoft patches a critical Authenticator flaw, while Poland moves officials off Signal after targeted phishing campaigns. A stealthier SHub macOS infostealer emerges. Universal Robots fixes a critical vulnerability. A Dark Web marketplace dumps millions of stolen payment cards. Echo Protocol loses $76 million in a synthetic Bitcoin breach. Our guest is Chris Cochran, Field CISO & Vice President of AI Security at SANS, discussing their AI maturity model. Nathan Detroit rolls malware snake eyes.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Chris Cochran, Field CISO & Vice President of AI Security at SANS, discussing their SANS AI Security Maturity Model™.

Selected Reading
CISA Admin Leaked AWS GovCloud Keys on Github (Krebs on Security)
INTERPOL Operation Ramz: 201 Apprehended in MENA Cybercrime Disruption (TechNadu)
Microsoft Patches Critical Token Theft Vulnerability in Authenticator App (Beyond Machines)
Poland shifts away from Signal following cyberattacks on officials' accounts (Security Affairs)
SHub macOS infostealer variant spoofs Apple security updates (Bleeping Computer)
Critical Vulnerability Exposes Industrial Robot Fleets to Hacking (SecurityWeek)
B1ack's Stash Releases 4.6 Million Stolen Credit Cards for Free (SOC Radar)
Echo Protocol Hit by $76M eBTC Minting Exploit (SOC Radar)
Chanhassen Dinner Theatres cancels more Guys and Dolls performances due to illness and cyberattack (KARE11)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Do you know how the space and cybersecurity domains connect?
T-Minus Space Cyber Briefing is your guide through the space-based systems that expand the attack surface.
I'm Maria Varmazis, host here at N2K CyberWire, and I'm excited to share that T-Minus is back, now as a weekly podcast, the T-Minus Space Cyber Briefing.
We have a new dedicated focus on two great things that are even better together, space and cybersecurity.
Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly internet-enabled.
We're talking cybersecurity technologies, policies, and organizations that are securing the critical space-based infrastructure that powers, protects, and connects our lives here on Earth.
So join me for T-Minus Space Cyber Briefing, new episodes every Sunday.
Quick question. Have you watched Project Hail Mary yet?
Humanity is facing an existential threat and racing to solve it with the clock ticking.
For security teams, that probably hits close to home with AI use rapidly spreading.
Everyone's using AI: marketing, sales, engineering, Chris the intern, without security even knowing about it.
That's where Nudge Security comes in.
Nudge finds shadow AI apps, integrations, and agents on day one and helps you enforce policy without blocking productivity.
Try it free at nudgesecurity.com/cyberwire.
A CISA contractor leaks GovCloud credentials on GitHub.
Interpol cracks down on phishing infrastructure across the Middle East and North Africa.
Microsoft patches a critical Authenticator flaw, while Poland moves officials off Signal.
A stealthier SHub macOS infostealer emerges.
Universal Robots fixes a critical vulnerability.
A dark web marketplace dumps millions of stolen payment cards.
Echo Protocol loses $76 million in a synthetic Bitcoin breach.
Our guest is Chris Cochran, Field CISO and Vice President of AI Security at SANS, discussing their AI maturity model.
And Nathan Detroit rolls malware snake eyes.
It's Tuesday, May 19th, 2026.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It's great as always to have you with us.
A public GitHub repository maintained by a contractor for the Cybersecurity and Infrastructure Security Agency exposed highly privileged AWS GovCloud credentials and internal agency systems until it was taken offline this weekend.
Researchers at GitGuardian and Serilis say the repository contained plaintext passwords, cloud keys, tokens, logs, and internal deployment files tied to CISA and the Department of Homeland Security.
According to available reports, exposed credentials authenticated to at least three AWS GovCloud accounts with elevated privileges.
Researchers also found credentials for CISA's internal software development and code package systems.
The repository reportedly included evidence that GitHub's secret scanning protections had been disabled.
Exposed administrative credentials and software build systems could provide attackers a pathway for persistence or lateral movement inside sensitive government environments.
Researchers describe the leak as an example of poor credential management and weak operational security practices.
Interpol says its latest cybercrime crackdown, dubbed Operation Ramz, led to more than 200 arrests and the seizure of 53 servers tied to phishing, malware, and online fraud operations across the Middle East and North Africa.
Authorities across 13 countries also identified 382 additional suspects and linked the seized infrastructure to at least 3,800 confirmed victims.
Interpol says the operation disrupted phishing-as-a-service platforms, malware distribution systems, and investment fraud schemes.
Private sector partners, including Kaspersky, Group-IB, and Team Cymru, assisted with threat intelligence and infrastructure tracking.
The operation highlights growing international coordination between law enforcement and cybersecurity firms to disrupt cybercriminal infrastructure before it can be reused or expanded.
Microsoft has released emergency updates for its Authenticator app on Android and iOS to fix a critical vulnerability that could allow attackers to steal authentication tokens and access corporate resources.
The flaw, with a CVSS score of 9.6, could be exploited by tricking users into approving a malicious authentication request disguised as legitimate.
According to Microsoft, the app could then generate and transmit access tokens to an attacker-controlled server.
Multiple versions were affected.
The issue highlights ongoing risks around push-based authentication and user approval fatigue, even in multi-factor authentication workflows.
Poland is directing government officials to stop using Signal for sensitive communications after a series of phishing and account takeover campaigns targeting politicians, military personnel, and public servants.
Officials say the activity is linked to advanced persistent threat groups associated with Russian state interests.
According to Poland's national computer security incident response teams, attackers posed as Signal support staff and tricked users into sharing verification codes or linking attacker-controlled devices through malicious QR codes and phishing links.
Authorities emphasized that Signal's encryption was not broken.
Instead, attackers exploited users through social engineering techniques.
Poland will shift officials to government-controlled platforms.
The move reflects broader concerns across Europe that user-targeted phishing remains one of the biggest weaknesses in secure messaging environments.
Researchers at SentinelOne have identified a new variant of the SHub macOS infostealer, dubbed Reaper, that uses AppleScript and fake security update prompts to compromise Apple devices and install persistent backdoor access.
Unlike earlier SHub campaigns that relied on terminal-based social engineering, the new variant abuses the AppleScript URL scheme to launch malicious scripts through the macOS Script Editor.
Researchers say the malware steals browser data, cryptocurrency wallets, password manager information, Telegram sessions, and sensitive files from infected systems.
Reaper also hijacks cryptocurrency wallet applications by replacing legitimate application files with malicious versions, and establishes persistence through fake Google Software Update launch agents.
The campaign highlights how macOS-focused threat actors are adapting to Apple's recent security mitigations by shifting toward new execution methods and broader post-compromise access capabilities.
Universal Robots has patched a critical vulnerability in its PolyScope 5 operating system that could allow attackers to remotely execute commands on industrial collaborative robots, or cobots.
The flaw has a CVSS score of 9.8, affects the dashboard server interface, and stems from improper handling of user input.
According to CISA and the vendor, an unauthenticated attacker with network access could compromise affected robot controllers.
Researchers warn that flat industrial networks and remote management connections could increase exposure and potentially allow attackers to move between connected systems.
The issue underscores continuing risks around operational technology security and network segmentation in industrial environments.
The dark web carding marketplace B1ack's Stash has released roughly 4.6 million stolen credit card records for free, claiming the move was punishment for sellers who allegedly resold stolen cards through competing criminal platforms.
According to SOCRadar, the leaked records include full payment card details, billing addresses, phone numbers, email addresses, and IP data.
Researchers estimate roughly 4.3 million of the cards may be previously unseen and potentially active.
The majority of affected victims appear to be based in the United States, with additional exposure across Canada, the United Kingdom, and parts of Asia.
Security researchers warn the release could fuel a spike in card-not-present fraud, identity theft, phishing campaigns, and credential stuffing attacks in the coming weeks as threat actors redistribute the data.
Echo Protocol is investigating a major security breach after an attacker minted roughly 1,000 unauthorized eBTC tokens, creating about $76.7 million in synthetic Bitcoin on the Monad blockchain.
Blockchain security firms PeckShield and Lookonchain say the attacker moved portions of the funds through decentralized finance platforms, bridged assets to Ethereum, and laundered some proceeds through Tornado Cash.
Researchers suspect the incident stemmed from an administrative private key compromise rather than a flaw in the protocol's smart contracts.
Echo Protocol has suspended cross-chain transactions while the investigation continues.
The breach highlights ongoing operational security risks in decentralized finance, particularly around privileged account management and bridge infrastructure.
Coming up after the break, my conversation with Chris Cochran from SANS.
We're discussing their new AI maturity model.
And Nathan Detroit rolls malware snake eyes.
Stick around.
Chris Cochran is Field CISO and Vice President of AI Security at SANS.
I recently caught up with him for the latest on their new SANS AI Security Maturity Model.
Chris, welcome back.
Hey, it's always good to be back with you, Dave.
Well, you have an exciting announcement to share with our audience here today.
The latest coming out of SANS from your colleagues.
What's going on here, Chris?
Yeah, so it's been a long time coming. I've been spending my days basically talking to other leaders in the space around the world, trying to understand their pain points when it comes to AI adoption, AI security, and AI strategy. And honestly, I just kept hearing a lot of the same things about what people are concerned about. And, you know, being able to, number one, practice what I preach, but then also being able to see what other people are doing out there in the space, I decided to pull together an AI security maturity model. And I wanted to create this basically to help folks orient themselves around artificial intelligence, be able to see where they're at from a maturity standpoint, figure out where they need to go, and then what they need to do to cross that gap to get to where they need to be.
Well, let's walk through that together.
I mean, you decide that this is something you're going to take on.
What happens next?
Yeah, basically, it started with the AI blueprint that SANS came out with, which is a really overarching piece around how do you orient yourself around artificial intelligence.
They bucket it into protect, utilize, and govern.
So protect is how do we secure our AI against attacks, utilize is how do we use AI for security, and govern is how do we manage AI risk and enable innovation in a way that is fast and efficient.
And so this is the accompanying document.
This is a guide to help folks orient themselves around where they are today and where they need to be.
And who's the target audience here?
Who are you hoping to help out?
I would say the target audience here would be mainly the security leaders.
And this could be the CSO, this could be VPs for different organizations within the security function.
But I would say it's for anybody that's really trying to understand the world that we live in today when it comes to AI.
I have this belief that we are maybe months, maybe a year at most away from autonomous attacks, right?
I could see a world in which we have tens of thousands, if not hundreds of thousands of malicious autonomous agents looking for,
targets of opportunity. And I feel like that we as cybersecurity practitioners and leaders really need
to start to get our houses in order so that we can start to defend ourselves against this
oncoming storm. Can you give us some examples of some of the things people can expect to find here?
Yeah, you'll be able to see the five different stages of maturity, right? I do these things called Jeffersonian dinners where I have conversations with folks around their AI adoption, AI maturity.
And I would have to say that most organizations out there are probably around one, two, maybe a level three.
You'll be able to see different questions inside to really assess where you're at from a maturity standpoint.
And maybe even ask some questions around things that you haven't even thought of yet.
When we think about things like third-party risk analysis, right, are folks going back to older analysis that we've done with vendors that we've already onboarded that have now included artificial intelligence?
What are we doing from an AI identity standpoint, right?
We had workforce identity, which we, you know, started to do pretty decent.
Then we had non-human identity, which we haven't done as well.
But now we have agentic identity that we have to account for, and we all know exactly how tough that is.
And so this is going to help folks sort of orient themselves around the problem.
With something that's changing as quickly as AI is,
is there anybody out there who you would consider to have a really high level of maturity?
There are some organizations out there that I would say
they're as mature as they could be, right?
There's a lot of high-tech organizations out there that are really pushing the envelope,
creating their own infrastructure, creating their own standards and protocols.
But I would say that for the most part, I feel like we're all really starting to just figure
a lot of this stuff out together.
We're all having a lot of the same pain points.
And I feel like the more that we can all get on the same page, find a way to communicate
with one another, the better we're going to be for the days to come.
Yeah, I know that you are out there talking face to face with these folks who are
experiencing these pain points. Can you share some of the stories that you're hearing out there?
Yeah, for example, I just was speaking to a customer the other day, and they were hiring somebody on their team. It was something very simple, like an AI security engineer. And they put out a job req. Within a week, they had 2,000 folks, which sounds great, but after about two months of this process, they couldn't find one person with the requisite skills that they needed to fulfill this role. So, I mean, what that tells me is a couple things. Number one, there's not a lot of talent right now out there in the world that has the AI skills that we might be looking for because it's such a new arena. But then it also tells me that it might be best case for folks to really look inside their organizations and start to train their people in order to fill the gaps that they have from a skills perspective. And so this document will help from that perspective. And number one, figure out, hey, what are all the components and pieces that we might be missing? But then also, what can we use in here to sort of help us guide exactly the skills that we need, the personnel that we need, the technology, and the processes?
Do you sense that folks are feeling a little overwhelmed when it comes to this?
I mean, it feels like the security leaders are being pulled in a lot of different directions.
I'm glad you asked that because that's one of the big problems that I'm seeing right
now. They're getting, the security leaders out there are getting pulled in a million different
directions. They are being expected to have a solid strategy and an answer for the board and their
C-suite counterparts as to, hey, what are we doing with AI? What are we doing with AI security?
They're having to encourage their teams to use artificial intelligence to make their jobs faster, better, more efficient.
But believe it or not, there's a lot of technical and even process inertia.
I think human beings don't really like change.
And that even accounts for cybersecurity practitioners.
I mean, I wish it wasn't the case, but I speak to people.
I would say about 50% of the technologists that I speak to are self-professed AI skeptics.
And this is what I tell them.
I say you can no longer afford to be a skeptic of artificial intelligence.
At worst, you could be cautiously optimistic
because our enemies, our adversaries,
they're using artificial intelligence.
And trying to fight fire with fire
is the only way that we're going to be able to keep pace.
Are you optimistic?
that we're on a good pathway here,
that over the next few years
we could see good things come from all of this?
I'm always optimistic, but I'm also a realist.
I know that the future can be bright.
I feel like we're all going to band together
and do this,
be able to defend ourselves
against all the stuff that may come at us.
But I do know it's going to take a lot of work
and it's going to take a lot of intention on our part
in order to get there.
So that's part of the communication that I've been sort of pushing is,
hey, we all need to band together.
We need to really start to hone in on what's the most important.
How do we prioritize our initiatives?
How do we prioritize our hiring, our resources?
Because it's going to take a lot of really concerted effort in order to get there,
but I'm optimistic.
So it's a really good point, I think, that despite this push towards technology
and these rapid changes,
we still need a community.
100%.
It's the most important thing that we have.
You know, when you think about
what is the role of the human being?
First of all, a human should always be in the loop
with artificial intelligence.
Second of all, you know, they say a high tide raises all boats.
But even more importantly,
in this arena that we're dealing with
in artificial intelligence,
you know, potential autonomous attacks,
being able to communicate
all of these learnings, the findings,
hey, we made this discovery,
or we made this mistake.
And being able to share that brain trust of information
with one another is how we're going to really
become hard targets for the cyber criminals out there.
Chris Cochran is Field CISO and Vice President of AI Security at SANS.
Chris, thanks so much for taking the time for us.
Thanks, Dave. Always a pleasure.
That's Chris Cochran, Field CISO and Vice President of AI Security at SANS.
From the pitch to the stands to communities around the world.
The beautiful game is coming to our beautiful country,
uniting fans around a shared passion.
Now you have the opportunity to hold this chapter of Canadian soccer history in the palm of your hands.
Score the FIFA World Cup 2026 $1 coin today.
Look for it in your change.
And finally, the Chanhassen Dinner Theatres in Minnesota has canceled two more performances of Guys and Dolls after a one-two punch of norovirus and a cyberattack sidelined both cast members and online systems.
And I said to myself, sit down, sit down, you're rocking the boat.
The theater says performances scheduled for May 19th and the May 20th matinee will not go on, while staff work with the Minnesota Department of Health to disinfect facilities and give performers time to recover.
At the same time, officials are responding to a cyberattack that disrupted the theater's computer network and online operations.
According to theater leadership, efforts are underway to securely restore affected systems.
It is an unusually modern backstage problem, one part public health response, one part incident response plan.
For now, the show, quite literally, cannot go on.
And that's the CyberWire.
For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's lead producer is Liz Stokes.
We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman.
Our contributing host is Maria Varmazis.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
The Mattamy Homes Bike for Brain Health supporting Baycrest returns on May 31st for its fifth anniversary, with a new start and finish at the Aga Khan Museum.
Join thousands of cyclists as we take over the DVP and Gardiner Expressway in support of dementia research and brain health.
Riders of all abilities are welcome, and both regular bikes and e-bikes can participate.
Bring your friends, family, or corporate team, and make an impact.
Register today at fightforbrainhealth.ca.
