CyberWire Daily - Factory reset required.
Episode Date: June 26, 2026

Tata Electronics and Bajaj Auto continue recovery from cyberattacks. FCC tightens undersea cable rules to bolster national security. CISA warns of actively exploited PTC vulnerability. Gamaredon expands toolkit, hides behind legitimate services. Iran-linked hackers turn public warning systems into psychological weapons. Threat actors target critical infrastructure across Southeast Asia. DCloud framework behind global scam economy. Polish police disrupt SIM-swapping gang. French statistics agency reports cyberattack affecting nearly 13,000 staff. Our guest is Michael Fanning, CISO at Splunk, discussing how AI doesn't create problems, it exposes them. And an open-book exam for hackers.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Michael Fanning, CISO at Splunk, discussing how AI doesn't create problems, it exposes them.

Selected Reading
Apple supplier Tata tightens internal controls after data breach, sources say (Reuters)
Bajaj Auto resumes normal operations as cyberattack probe continues (Storyboard18)
FCC passes new cybersecurity rules for emergency systems, undersea cables (CyberScoop)
U.S. CISA adds Cisco and PTC Windchill and FlexPLM flaws to its Known Exploited Vulnerabilities catalog (SecurityAffairs)
Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances (ESET)
A Cyber-Psychological Operation: Iran-Linked Attackers Target Warning Systems (Claroty)
CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure (Unit 42)
From San Pedro to Salinas: How a Chinese Framework "DCloud Uni-App" Powers a Global Scam Economy (Infoblox)
Poland busts SIM-swapping gang tied to millions in crypto theft (BleepingComputer)
France's statistics department reports cyberattack on staff data (Reuters)
UK school's network left wide open for invasion, student found (The Register)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
AI is making phishing attacks faster, more convincing, and harder for people to spot,
and traditional security awareness and phishing training weren't designed for this level of attack.
Hoxhunt helps security teams prepare employees for the attacks they face every day,
with personalized phishing training that adapts to each employee and reduces risky behavior over time.
For IT and security leaders looking to strengthen their human layer of defense without adding more manual work, visit hoxhunt.com slash cyberwire to learn more.
That's hoxhunt.com slash cyberwire.
Tata Electronics and Bajaj Auto continue recovery from cyberattacks.
FCC tightens undersea cable rules to bolster national security.
CISA warns of actively exploited PTC vulnerability.
Gamaredon expands toolkit, hides behind legitimate services.
Iran-linked hackers turn public warning systems into psychological weapons.
Threat actors target critical infrastructure across Southeast Asia.
DCloud framework behind global scam economy.
Polish police disrupt SIM-swapping gang.
French statistics agency reports cyberattack affecting nearly 13,000 staff.
Our guest today is Michael Fanning, CISO at Splunk, discussing how AI doesn't create problems, it exposes
them, and an open-book exam for hackers. Today is Friday, June 26, 2026. I'm Maria Varmazis in for
Dave Bittner this week, and this is your CyberWire Intel briefing. Happy Friday and thank you for
joining me today. Mumbai headquartered Tata Electronics, which is a key supplier to Apple, Tesla,
and leading chip manufacturers, has tightened internal security controls following a data breach that
came to light earlier this week. The World Leaks ransomware group leaked more than 200,000 files
allegedly stolen from the company, including what appear to be internal design papers from Apple and
Tesla. The authenticity of this data has not been independently verified, and Tata hasn't commented
on the contents of the leak. Reuters says the company has since restricted remote access to sensitive
internal tools, and Apple's security team is working with Tata on near- and long-term security measures.
Another Indian manufacturing giant, Bajaj Auto, has resumed operations after sustaining a ransomware attack this week as well.
The company says its manufacturing, sales, and service activities are now operating normally.
The Federal Communications Commission has approved new rules aimed at strengthening the security of the undersea cables that carry roughly 99% of international internet traffic.
The measures create new licensing requirements for submarine cable terminal equipment,
tighten oversight of foreign involvement, and establish a fast-track approval process for trusted
operators that meet strict national security standards. The FCC says the changes are designed
to reduce espionage and sabotage risks, particularly from Chinese-linked companies,
while accelerating deployment of critical communications infrastructure.
The Known Exploited Vulnerabilities catalog maintained by the U.S. Cybersecurity and Infrastructure
Security Agency, better known as CISA, has listed a critical vulnerability affecting PTC's
product lifecycle management tools, Windchill and FlexPLM, according to a new report from
SecurityWeek.
The vulnerability is an improper input validation flaw that can lead to remote code execution.
The agency also added a high-severity server-side request forgery or SSRF vulnerability in Cisco
Unified Communications Manager that was observed being exploited this past weekend.
Cisco released fixes for this flaw on June 3rd.
CISA has ordered federal agencies to apply patches for both vulnerabilities by Sunday, June 28th.
ESET researchers say the Russia-aligned Gamaredon threat group remained highly active throughout 2025,
exclusively targeting Ukrainian government and military organizations.
The group developed new PowerShell-based malware, expanded its use of cloud storage for data theft,
and increasingly relied on legitimate messaging, blogging, and file-sharing services
to conceal command and control infrastructure and exfiltrate stolen information.
ESET also observed Gamaredon collaborating with other Russia-linked threat actors,
underscoring a growing trend of operational cooperation among Kremlin-aligned cyber espionage groups
that are targeting Ukraine.
Researchers at Claroty's Team82 have uncovered an Iran-linked campaign targeting Internet-
connected public warning systems, not to destroy them but to manipulate public perception and
sow fear. The attackers compromised sirens and emergency alert infrastructure, displaying false or
politically charged messages designed to undermine trust in official communications. The researchers
describe the activity as a cyber psychological operation, using operational technology as a tool
for influence rather than disruption.
Palo Alto Networks' Unit 42 is tracking a cluster of threat activity operated by Chinese-speaking actors
that's targeting critical infrastructure across Southeast Asia. The threat actors are tracked by Unit 42
as CL-STA-1062 and have been active since at least March 2022. The attackers have previously been observed
targeting web hosting infrastructure in Taiwan, and Unit 42 says the latest campaign highlights a broader
long-term strategy in the Asia-Pacific region. The recent attacks focused on energy and government
organizations. The attackers deployed a newly documented Trojan dubbed Tiny RCT, which is a lightweight
backdoor written in C# that enables attackers to execute arbitrary system commands, exfiltrate files,
capture screenshots, and remotely manage the infected host.
Infoblox researchers say a legitimate Chinese development framework
called DCloud Uni-App has become common infrastructure for a massive global scam ecosystem.
The company identified more than 236,000 scam domains since 2022, supporting fake crypto exchanges,
pig-butchering schemes, wallet drainers, gambling fraud, WhatsApp phishing, and brand impersonation.
Researchers stress DCloud itself is not malicious, but its reusable templates and technical
fingerprints help expose how decentralized fraud operators share scaffolding, infrastructure,
and tactics across international scam campaigns.
Polish police have arrested four alleged members of a cybercriminal gang known for targeting
telecom vendors to conduct SIM-swapping attacks, according to a new report from BleepingComputer.
The operation was led by the Polish Cybercrime Bureau and supported by the U.S. FBI
and Homeland Security Investigations. The suspects are
accused of using SIM-swapping attacks to gain access to victims' cryptocurrency accounts.
The Polish Cybercrime Bureau stated that it is estimated that the total value of funds laundered
in this manner exceeds at least $5 million U.S. dollars.
The defendants are each facing up to 25 years in prison for charges related to money laundering,
participation in an organized criminal gang, and hacking IT systems to commit theft.
France's National Statistics Agency INSEE says a cyberattack
exposed the personal data of about 12,800 current and former employees,
along with members of related civil service organizations.
According to the agency, the compromised information was limited to identities
and professional contact details.
INSEE says no passwords, home addresses, banking information,
social security numbers, or health records were accessed.
Now stick with us after the break.
Dave Bittner sits down with Michael Fanning,
CISO at Splunk, as they discuss how AI doesn't create
problems, it exposes them, and an open-book exam for hackers. Stay with us. When it comes to mobile
application security, good enough is a risk. A recent survey shows that 72% of organizations reported
at least one mobile application security incident last year, and 92% of respondents reported threat
levels have increased in the past two years. GuardSquare delivers the highest level of security
for your mobile apps without compromising performance, time to market, or user experience.
Discover how GuardSquare provides industry-leading security for your Android and iOS apps at
www.guardsquare.com.
What's the one thing in business that's spreading as fast as AI?
AI risk.
Every new tool your team signs up for,
every vendor that turns on AI features, every new integration, each one
creates another opportunity for something to go wrong.
And most security programs just weren't built for AI's pace of growth.
Enter Vanta.
Vanta is the number one agentic trust platform,
used by more than 16,000 fast-moving companies like Ramp, Cursor, and Harvey
to help ensure they're always audit-ready.
And now, Vanta is helping companies watch for the risks
that show up between audits, across vendors,
AI tools and their entire environment.
The Vanta agent works like a 24-7 GRC engineer in the background,
finding issues, drafting fixes, and cutting vendor assessment time by up to 50%.
Whether you're a fast-growing startup or a global enterprise,
Vanta is here to help you automate your security and compliance and earn and prove trust.
Get started today at Vanta.com slash cyber.
That's V-A-N-T-A-com slash cyber.
Dave Bittner recently sat down with CISO at Splunk Michael Fanning,
and they discuss how AI doesn't create problems, it exposes them.
Here's more in their conversation.
What we're seeing with AI, I think, you know, does expose a number of areas.
One would be, you know, the way that we think about how we can identify vulnerabilities across products,
and infrastructure and the pace that we can do that at.
Also, knowing that adversaries likely possess, you know,
comparable capabilities to an extent.
So super, super interesting things that you're kind of seeing with, you know,
some of the models that are being made available now.
Is this a matter of properly calibrating our own expectations?
You know, the notion about the fundamental problems that looking at the idea that AI doesn't
necessarily create those, but it exposes them, that it sort of ruthlessly shows us things that
maybe we weren't exposed to before.
I think a recalibration is to an extent a good thing.
The way that I think about the way that these models work and say the discovery of some
of these problems is we have had capabilities to discover these problems in the past. They just
haven't necessarily been as efficient and as high quality as what we're seeing today. So, for
example, you can still discover, say, a vulnerability in a web application by looking at source
code or by doing a penetration testing exercise against a website that you own. All of that has already
existed. So the vulnerabilities that you see, there's nothing necessarily new there. What is new is
the pace at which we can discover new vulnerabilities across different products, different types
of web applications, infrastructure, et cetera, and how we can actually think about chaining
together some of the different findings for more impact. I think that's really what's changed.
Well, let's dig into that together. What are the
real-world consequences of that new reality? The real-world consequences are that you aren't necessarily
treating each individual vulnerability as its own finding. So as an example, if you think about a medium
severity finding of a vulnerability, typically say a team that patches an infrastructure
would really focus on here's a medium, we need to patch it, and then we can
count that medium as no longer being applicable to our environment.
What is happening with AI is it helps us understand different attack paths.
So rather than looking at, say, a medium in isolation, you can look at a group of mediums
and chain together an attack that leads to a very high impact compromise of an environment
or of data, et cetera.
So the fundamental change
is not necessarily treating these individually, but kind of grouping together and
understanding what the most, like the highest impact is for remediation, if that makes sense.
It does. So correct me if I'm wrong, is part of what you're saying that this gives us the
ability to chain things together and to explore them to a degree that before AI might not have been
practical? Before AI, it was just much, much slower. So we have
internal pen testing teams and hacking teams that are able to take a look at different sets of findings
and string them together to understand is there a way to reach our target goal by exploiting multiple vulnerabilities.
That's already been a very common technique for a penetration testing team.
But that has also been a very manual and intensive process to kind of understand what that looks like.
that requires expertise from a pen tester.
What AI is doing is it's actually allowing you to understand and automate that.
So the groups of vulnerabilities that can be linked together for an attack chain is that is where we're kind of really seeing, you know, a lot of great impact from some of these different models.
So given these realities, what's your advice to the folks out there who are put in charge of defending their organization?
A couple of things. One is the overall volume of vulnerabilities is likely to increase for everyone.
The question is going to be, what is the right way to prioritize remediation?
Because asking, say, engineering teams and operations teams to constantly patch and remediate
100% of all findings all of the time as they come in,
isn't necessarily a sustainable process.
So what you really need to understand is,
what is the right way to prioritize these new findings
as they come in and as they're discovered by AI?
And I think that there are a couple of ways,
you know, that you think about doing that.
And number one, I still think that you prioritize,
say, critical and high vulnerabilities.
It's that volume of kind of mediums and lows
that you really got to pay attention to.
And as you employ your own internal scanning
capabilities and you understand what those attack chains look like.
It's those attack chains that should really be prioritized in your backlog.
The other side of that is kind of delineating what is the information that you have that is private to you as a business, and that's information about vulnerabilities
that is very private and specific to you, versus what would also be publicly
discoverable. And when you can kind of understand the difference and understand, say, hey, there's a
certain level of privilege access that might be required to execute on this vulnerability that might
buy you a little bit of time comparing to, okay, an adversary with these same tools would be able to
exploit these vulnerabilities with the knowledge that they have that's publicly available.
Does this require that organizations re-examine their basic hygiene,
making sure that all of that table-stakes stuff,
multifactor authentication and so on,
is taken care of properly?
Yeah, of course.
I think that the fundamentals still certainly apply. Identity and access management
is a fundamental security control
that organizations should continue to invest in.
Agents and AI are creating a sprawl of identity. And so really having a solid identity and access
management strategy is critical. But I think an approach, you know, on the topic of vulnerabilities,
the approach that organizations need to be considering is, you know, how do you even prevent
the deployment of vulnerabilities to begin with? How do you prevent the development
of vulnerabilities?
Because if you're not,
you know, for lack of a better term,
shifting left,
then you're always going to be stuck in this scenario where
once you're closer to release dates
or when you're within operations,
you're constantly finding these new vulnerabilities
kind of after the fact,
after they've already been deployed when it's too late.
So really investing in kind of more infrastructure hardening,
image hardening,
secure software development lifecycle
etc. I think of those
opportunities to really get in front
of some of these problems
that we're seeing that are being exposed with AI.
What's your advice for folks who are feeling
a bit overwhelmed here who
see the rapid
acceleration of everything
thanks to AI
as if somebody had punched
the turbo button?
The rate at which these vulnerabilities
are being exposed. Do you have any
words of wisdom?
I think that the fundamentals still apply.
I'm a big believer in really nailing the basics.
And so, you know, really taking a step back and ask yourself the questions,
are you solving fundamental problems with your organization?
Would be kind of that first step.
And then secondly, you know, panic never really does anyone any good.
Everyone in the industry is kind of experiencing these same issues today,
these same concerns. Panic can create an environment where you aren't necessarily making the best
decisions for your business from a security perspective. And so I think, you know, applying a level
of methodical thinking around the way that you want to approach and solve these problems is going to
go a very, very long way rather than kind of constantly reacting to whatever the new flavor of
hysteria might be regarding AI that's hitting the internet.
That was host Dave Bittner and Michael Fanning, CISO at Splunk,
talking about how AI doesn't create problems, it exposes them.
Most environments trust far more than they should, and attackers know it.
ThreatLocker solves that by enforcing default deny at the point of execution.
With ThreatLocker Allowlisting, you stop unknown executables cold.
With Ringfencing, you control how trusted applications behave.
And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your
environment is free of misconfigurations and clear visibility into whether you meet
compliance standards.
ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain.
It's powerful protection that gives CISOs real visibility, real control, and real peace of mind.
ThreatLocker makes zero trust attainable, even for small security teams.
See why thousands of organizations choose ThreatLocker to minimize alert fatigue,
stop ransomware at the source, and regain control over their environments.
Schedule your demo at ThreatLocker.com slash N2K today.
This episode is brought to you by Accenture.
When your advertising operations fall out of sync, everything else follows.
Spotify and Accenture are working together to reinvent the rhythm of ad sales,
using automation, analytics, and smarter workflows to simplify campaign delivery and access better data across the business.
The result? Less time spent on operations, more time connecting brands with the moments and fandoms that matter most.
Learn more at Accenture.com slash Spotify.
And last up on this Friday, a UK school is serving as the latest example of how simple security measures can create enormous risk.
A former student says he discovered that connecting to the school's Active Directory domain required no administrator authentication, giving him visibility into domain controller tools and policy maps.
Well, things got even worse when he found the domain administrator account and its password sitting in the account's description field in plain text.
And with those credentials, the student said he could access staff and student data, remotely connect to servers and domain controllers, manage classroom
software, view Google Workspace mailboxes, and even access firewall settings and keystroke histories.
Yeah, despite having what he described as God Mode, he said he never abused the access and graduated
without reporting the issue. Pinky swear. Yeah, the story is a textbook reminder that security
doesn't always fail because of advanced attackers. Sometimes it fails because, well, someone leaves
the answers on the test. Fortunately, in this case, the student who found them appears
to have been more interested in graduating than administering the network.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out Research Saturday this week, where host Dave Bittner sits down with Daniel Schwalbe,
Chief Information Security Officer and Head of Investigations at DomainTools.
As they discuss their work on Zion Siphon OT malware first attempts,
sciops, both.
Well, yeah, that's Research Saturday.
Check it out.
And on Sunday's T-Minus space cyber briefing, we're talking about strengthening the space
industrial supply chain with PwC's principal partner, Doug Anderson, and AIA's vice president
of space systems division, Steve Jordan Tomashefsky.
That is Sunday on T-Minus.
Don't miss it.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing
world of cybersecurity.
If you like this show, please share a rating and review in your podcast
app. Please also fill out the survey in the show notes or send an email to cyberwire at
N2K.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music
and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben, Peter Kilpe
is our publisher, and I'm your host Maria Varmazis, in this week for the vacationing Dave Bittner,
who will be back on Monday. Thank you for listening. Have a wonderful weekend.
