CyberWire Daily - Deadline-driven defense.

Episode Date: June 12, 2026

CISA directs agencies to “patch smarter, not harder.” The House fails to extend FISA. Europol pulls over AudiA6. GitHub announces npm security updates. Anthropic rejects Fable 5 jailbreak claims. CISA gives feds three days to patch a critical Ivanti Sentry vulnerability. Google confirms ShinyHunters exploited a critical Oracle PeopleSoft vulnerability. FancyBear shifts part of its infrastructure to compromised edge devices. Pundits push for CyberCorps scholarship budgets. Our guest is Dr. Renée Burton, VP of Threat Intelligence at Infoblox, to discuss scams targeting the World Cup. Amazon drivers sweat through a software update.

CyberWire Guest
Today we are joined by Dr. Renée Burton, VP of Threat Intelligence at Infoblox, to discuss the World Cup and fans possibly getting caught out if they use SuperBox to view it.

Selected Reading
CISA directive orders agencies to prioritize vulnerability patching in a new way (CyberScoop)
House votes against extending controversial wiretapping law set to lapse Friday (The Washington Post)
Ransomware gangs cut off from EUR 336 million ‘AudiA6’ crypto laundering pipeline - Europol analysis links the criminal service to over 15 international cybercrime investigations (Europol)
GitHub to Update npm to Thwart Software Supply Chain Attacks (Infosecurity Magazine)
Anthropic Disputes Fable 5 AI Jailbreak (SecurityWeek)
CISA orders feds to patch actively exploited Ivanti flaw by Sunday (Bleeping Computer)
Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters (SecurityWeek)
GRU-Linked APT28 Uses MooBot Botnet and Compromised EdgeRouters for Cyber Operations (GB Hackers)
CyberCorps is adapting to AI. The budget isn't keeping up. (CyberScoop)
Software Update Automatically Turns off Amazon Delivery Drivers’ AC During Dangerous Summer Heat (404 Media)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Do you know how the space and cybersecurity domains connect? T-Minus Space Cyber Briefing is your guide through the space-based systems that expand the attack surface. I'm Maria Varmazes, host here at N2K CyberWire, and I'm excited to share that T-Minus is back, now as a weekly podcast, the T-Minus Space Cyber Briefing. We have a new dedicated focus on two great things that are even better together: space and cybersecurity. Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly internet-enabled. We're talking cybersecurity technologies, policies, and organizations that are securing the critical space-based infrastructure that powers, protects, and connects our lives here on Earth.
Starting point is 00:01:00 So join me for T-Minus Space Cyber Briefing, new episodes every Sunday. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave, and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards.
Starting point is 00:01:42 ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at ThreatLocker.com/N2K today. CISA directs agencies to patch smarter, not harder. The House fails to extend FISA. Europol pulls over AudiA6. GitHub announces npm security updates. Anthropic rejects Fable 5
Starting point is 00:02:41 jailbreak claims. CISA gives feds three days to patch a critical Ivanti Sentry vulnerability. Google confirms ShinyHunters exploited a critical Oracle PeopleSoft vulnerability. Fancy Bear shifts part of its infrastructure to compromised edge devices. Pundits push for CyberCorps scholarship budgets. Our guest is Dr. Renée Burton, VP of Threat Intelligence at Infoblox, discussing scams targeting the World Cup. And Amazon drivers sweat through a software update. It's Friday, June 12, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. Happy Friday. It is great as always to have you with us. CISA has issued a new directive that requires federal agencies to prioritize vulnerability
Starting point is 00:03:55 remediation based on four key risk factors: whether a vulnerability affects a public-facing asset, can be exploited automatically, enables full system compromise, or is being actively exploited in the wild. The move reflects a broader shift toward risk-based vulnerability management, which CISA describes as "patch smarter, not harder." Under the directive, vulnerabilities meeting all four criteria must be fixed within three days, and agencies must conduct forensic reviews to check for potential compromise. Agencies are also required to update vulnerability management policies immediately, revise remediation processes within 60 days, and fully comply with new timelines within 180 days. CISA says the policy is driven in part by artificial intelligence
Starting point is 00:04:49 accelerating the discovery and weaponization of software flaws. Officials argue that focusing resources on the most dangerous vulnerabilities will improve security outcomes and reduce patching burdens. While the directive applies only to federal agencies, CISA is encouraging private sector organizations to adopt a similar risk-based approach. Industry experts generally support the move, though some question whether aggressive three-day remediation deadlines will be achievable at scale. The U.S. House of Representatives' effort to temporarily extend Section 702 of the Foreign Intelligence Surveillance Act, FISA, failed Thursday on
Starting point is 00:05:34 a 218 to 198 vote, likely allowing the surveillance authority to expire for the first time since its creation after 9/11. 19 Republicans joined nearly all Democrats in opposing the measure. The dispute centered on President Trump's appointment of Bill Pulte, a mortgage agency director with no national security background, as acting director of national intelligence. Opponents argued that extending surveillance powers while Pulte oversees the intelligence community would pose a greater risk than allowing the program to lapse. Republicans countered that Section 702 is vital to national security and provides critical intelligence on foreign threats. The failed vote came just before Trump nominated former
Starting point is 00:06:23 SEC Chair Jay Clayton as a permanent intelligence chief, while the FISA court has ruled that Section 702 operations can continue temporarily, even without congressional renewal. Uncertainty remains over whether telecommunications providers will continue cooperating absent explicit legal authorization. The episode highlights ongoing tensions between national security priorities, privacy concerns, and political battles over intelligence oversight. An international law enforcement operation has dismantled AudiA6, a cryptocurrency laundering service accused of processing more than $336 million in illicit funds between 2022 and 2025 for ransomware gangs and other cybercriminals. Authorities believe the service acted as a major financial hub for criminals seeking to conceal
Starting point is 00:07:20 the origins of stolen cryptocurrency. The coordinated action led by agencies, including the U.S. Secret Service, IRS criminal investigation, Polish police, Europol, and Eurojust, resulted in the arrest of two alleged administrators in Georgia, the seizure of more than 30 servers, takedown of 25 domains, confiscation of vehicles and properties, and the freezing or seizure of cryptocurrency assets.
Starting point is 00:07:50 Investigators say AudiA6 operated a professional laundering scheme using thousands of fraudulent exchange accounts and more than 6,000 know-your-customer records tied to money mules. Europol linked the service to over 15 ransomware and cryptocurrency theft investigations worldwide. The case highlights the growing professionalization of crypto laundering, which has become a critical support service for the global cybercrime ecosystem. GitHub's npm team has announced major security changes coming to npm version 12, scheduled for release in July, aimed at reducing software supply chain attacks by shifting from
Starting point is 00:08:33 implicit trust to explicit approval. The update will block three previously permitted behaviors by default: automatic execution of install scripts, dependencies pulled directly from Git repositories, and packages sourced from remote URLs outside official registries. Developers can prepare now by upgrading to npm 11.16 or later, which includes warnings and a new npm approved-script tool for creating allowlists of trusted scripts. Security experts largely welcomed the changes. Semgrep CEO Isaac Evans said stronger defaults are needed as supply chain attacks become cheaper and easier to execute. However, researchers also warned of potential downsides. Paul McCarty cautioned that developers may simply approve blocked scripts to avoid workflow disruptions, while attackers could shift their
Starting point is 00:09:30 focus to private software repositories or hide malicious activity among legitimate workarounds created to bypass the new restrictions. Anthropic has rejected claims that its newly released Claude Fable 5 model was successfully jailbroken. Researcher Pliny the Liberator claimed to bypass safety restrictions using advanced prompting techniques and published screenshots and an alleged system prompt. Anthropic responded that the examples did not demonstrate a true jailbreak, which would require bypassing independent safety classifiers and enabling meaningful assistance for high-risk activities. The company said some outputs were not generated by Fable 5, while others contained only publicly available information.
Starting point is 00:10:21 Anthropic added that extensive red-teaming and post-release reviews found no evidence that its core safeguards had been circumvented. CISA has ordered federal agencies to patch a critical Ivanti Sentry vulnerability within three days. The maximum severity flaw is an OS command injection vulnerability affecting Ivanti's security gateway appliance, formerly known as MobileIron Sentry. The directive follows reports from Shadowserver that attackers had already compromised numerous internet-exposed Sentry gateways, just one day after Ivanti released patches and stated it had no evidence of active exploitation. The move highlights CISA's new emphasis on rapid remediation of actively exploited high-risk
Starting point is 00:11:10 vulnerabilities. Google has confirmed that the ShinyHunters threat group exploited a critical Oracle PeopleSoft vulnerability as a zero-day to steal data from organizations before mitigations were released. The unauthenticated remote code execution flaw affects PeopleSoft Enterprise PeopleTools and related applications. According to Mandiant and Google Threat Intelligence Group,
Starting point is 00:11:37 attacks occurred between May 27th and June 9th, primarily targeting higher education institutions. Google notified more than 100 potentially exposed organizations with some experiencing data theft. The University of Nottingham is the first confirmed victim. Oracle has issued mitigations, but patches do not yet appear to be available.
Starting point is 00:12:03 Researchers from Sekoia's threat detection and research team report that the Russian GRU-linked APT28 group, also known as Fancy Bear, has shifted part of its infrastructure to compromised edge devices, including Ubiquiti EdgeRouters infected with the MooBot botnet and routers targeted in its Frost Armada campaign.
Starting point is 00:12:26 Rather than relying primarily on cloud servers, APT28 is using compromised routers to relay stolen credentials, host phishing pages, proxy authentication traffic, and support mailbox takeover operations. The approach provides stealth, resilience, and geographic diversity by blending malicious activity with legitimate residential and small business internet traffic. Researchers also observed DNS hijacking techniques that redirect users to attacker-controlled infrastructure,
Starting point is 00:12:59 enabling interception of authentication flows and potential theft of OAuth tokens. Despite past law enforcement disruptions, compromised edge devices continue to support operations. The findings highlight the growing importance of securing routers, monitoring DNS changes, and detecting unusual authentication activity. An opinion piece co-authored by retired Rear Admiral Mark Montgomery and Sophie McDowell from the Foundation for Defense of Democracies argues that the federal CyberCorps Scholarship for Service program is critical to preparing the U.S. cybersecurity workforce for the growing impact of artificial intelligence. The program, which has placed nearly 5,000 cybersecurity professionals into government roles over the past 25 years, provides scholarships and training in exchange for federal service.
Starting point is 00:13:56 The authors contend that AI is accelerating both cyber defense and cyber threats, making specialized expertise increasingly important. In response, CyberCorps now requires participants to develop skills in both applying AI to cybersecurity operations and securing AI systems themselves. The piece criticizes the Trump administration's proposed budget cuts, which would reduce program funding from congressional levels of roughly $63 million to $21.7 million. The authors praise Congress for restoring funds and encouraging greater AI integration, arguing that expanding CyberCorps is essential to addressing government cybersecurity workforce strategies
Starting point is 00:14:42 and preparing for future AI-driven threats. Coming up after the break, my conversation with Dr. Renée Burton, VP of Threat Intelligence at Infoblox. We're discussing scams targeting the World Cup. And Amazon drivers sweat through a software update. Stay with us. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past
Starting point is 00:15:40 two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. Could AI help you do more of what you love? Workday is the AI platform for HR and finance that actually knows your business. We help you handle the have-to-dos so you can focus on the can't-wait-to-dos. It's a new Workday. Dr. Renée Burton is Vice President of Threat Intelligence at Infoblox. We recently got together to discuss scams targeting the World Cup. So, Renée, we have a big sporting event coming up here. Some folks are going to be playing some soccer, or as the rest of the world calls it, football.
Starting point is 00:16:44 And this brings with it a bunch of people who really want to check these games out, which is understandable, but it doesn't come without risk here. What are we talking about today? Yeah. Well, of course, I think there will be in-person risk with all of the millions of people flooding cities around the United States. But there's also the fact that, you know, you can't actually travel there. So we're seeing a really interesting range of threats that are using lookalike domains essentially associated with the World Cup, from what you would expect, right?
Starting point is 00:17:22 Like you expect ticketing scams. But the sophistication of some of those has been quite incredible, and all the way to actors who are really connected to long-term malware distribution. So it's a very interesting mix of things that are happening around the World Cup. Well, one of the things that caught my eye, and I know this is something you and your team have been looking into, is this option for viewing the World Cup. It's called SuperBox.
Starting point is 00:17:53 Now, that's not something I'm familiar with. Can you fill us in? What is SuperBox about? Yeah, so SuperBox is one of many cheap TV devices that are out there. It's a specific brand. There's been a lot of coverage about them within, I don't know, the last year because of software that was deployed on them, which essentially allows that box.
Starting point is 00:18:18 So when you go on Amazon, you buy this cheap TV device because you want to get, you know, streaming sports for free or for cheap. And so you buy that. And it turns out that, like, when you plug that in, it already has software loaded on it that takes your device and makes it part, essentially, of a botnet, right? They wouldn't use that term. They use the term what's called residential proxy service. But essentially it makes your device part of a network which an external provider owns and can now control, sending traffic through, that kind of thing. And SuperBox is one of the many, many ways in which this happens. And we did see specific examples where there was advertisement for being able to use your SuperBox to get to see the games.
Starting point is 00:19:09 And so the infection is that actually on the SuperBox itself, or are they actually making their way into your television? It is on that SuperBox. That's one of the ones that's been pretty well studied. And there was action taken by Google, I think it was last year and then in January, related to these. But aside from them, there are many other things. Like we've seen an actor who is a Vietnamese actor, who's offering, again, streaming, right? But when you download these different apps,
Starting point is 00:19:45 they also have these SDKs, right? This ability that you as a user are suddenly opted in to allowing your device to be used as a node in their network. So the streaming of the sporting event is the lure, and that's how they get you to get the device in your home. And then before you know it, you're helping be a part of this botnet. Yeah, exactly.
Starting point is 00:20:12 And a lot of it, it's really interesting, like, pre-planning. The Vietnamese actor is an actor who also runs AsyncRAT, a remote access Trojan. And they actually procured one of the domains for the 2026 World Cup. They bought it back in 2024 through an auction. So they paid $600 for it. It shows the pre-planning, right? Like in 2024, they have the forethought to buy a domain that has been used by a blogger, who is like a soccer fan, and paid $600 for it and are now using it as part of a whole
Starting point is 00:20:54 lookalike domain illegal streaming type scam world. Now, suppose you become part of this botnet as a user of one of these SuperBoxes. Does the box continue to function the way that you expect it would? Would you have any awareness that anything was amiss? Generally, you're not going to. I think, you know, in theory, if you're using your box, well, it's part of, you know, being used for part of a denial of service,
Starting point is 00:21:25 maybe then. But my understanding is that the volumes going out aren't high enough for you, you as an individual to necessarily notice. But when they're combined, right, with tens of millions of devices around the world, that can be quite dramatic and have caused some of the largest denial of service attacks that have been seen ever. Could this potentially get me in trouble with my ISP? Well, that's a good question whether ISPs are enforcing, but they certainly are looking at it, right?
Starting point is 00:21:55 And from a volume metrics, you're essentially being, say, for instance, even in a legitimate way, a lot of AI companies are using these for scraping. When you come out of a residential IP address rather than a data center, you're going to get access to more stuff. You're going to get blocked less. So the scraping world, and by the way, the security world, uses residential proxies to be able to access stuff. They have free access to your node within a certain volume.
Starting point is 00:22:28 And as you say, like the ISPs should be able to see at least that volume coming through. Well, for the fans out there who want to check out the World Cup, what's your advice to be able to do that, but also stay safe? Well, the main thing is really make sure you're going through legitimate services. You know, in addition to this SuperBox situation with residential proxies, we've seen a number of really good mimicked domains, so that the domain looks good and the site looks good, and they've got incredibly complicated fake ticketing services.
Starting point is 00:23:07 So the whole setup is quite elaborate. But in that case, you're trying to buy a ticket for a game. You're not going to be able to get the ticket. They're just going to steal your money. And in other cases, they are stealing, you know, your credentials, for instance. So paying a lot of attention and trying to ensure that, you know, if you want to go, then you're going to FIFA.com, right? So rather than going to
Starting point is 00:23:31 something that's like FIFA-2826.org. So complicated. Yes. And I, you know, I can't help. I imagine the heartbreak of someone, you know, walking up to the venue with their tickets in hand or, you know, a QR code on their mobile device thinking, this is the day I'm going to be able to see this match that I've been looking forward to for however long, and it getting scanned and someone saying, I'm sorry, this is
Starting point is 00:24:01 not a valid ticket, how devastating that would be. Yeah, can you even imagine? It's like not only the cost, but just the whole expectation and not being able to do it. It's unfortunate that there's a lot of criminals in the world who care less. That's Dr. Renée Burton, VP of Threat Intelligence at Infoblox. And finally, Amazon delivery drivers are voicing frustration over a recent software update in their Rivian-built electric delivery vans that changes how air conditioning operates during stops. Drivers say the system now shuts off cabin cooling if the sliding door remains open and the driver is out of the seat for more than 30 seconds, a common occurrence on routes that involve constant hopping in and out of the vehicle. Amazon disputes the characterization,
Starting point is 00:25:10 arguing the update actually extends climate control by keeping the AC running for up to 10 minutes after a driver exits, with the timer resetting at each stop. The catch, however, is that leaving the side door open triggers a battery-saving shutdown after 30 seconds. For drivers racing through summer deliveries, that distinction feels a bit academic. Many say they spend more time outside the van than inside it, meaning the cabin often has ample opportunity to reheat itself between stops. In theory, the update improves comfort. In practice, some drivers say it's transformed the air conditioner into an enthusiastic but short-lived participant in the delivery process.
Starting point is 00:25:57 And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Martin Zugec, Technical Solutions Director at Bitdefender. The research is titled FamousSparrow APT targets Azerbaijani oil and gas industry. That's Research Saturday. Check it out. Hello, Maria Varmazes here.
Starting point is 00:26:40 On Sunday's T-Minus Space Cyber Briefing, we have my interview with journalist Sean Waterman on recent initiatives for incident detection and response on satellites, not just on ground stations. That Sunday on T-Minus, don't miss it. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes.
Starting point is 00:27:17 We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazes. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
