CyberWire Daily - GoshDarn it, that’s advanced.

Episode Date: July 10, 2026

Researchers track ransomware they say is getting GoshDarn sophisticated. Zimbra patches a critical vulnerability affecting its Classic Web Client. A sophisticated vishing campaign targeting Microsoft ...365 accounts. GigaWiper combines espionage capabilities with multiple destructive payloads. The EU sues member states over lax cybersecurity. The NSA revives TAO. A Puerto Rican agency exposes roughly a million Social Security numbers. A former ransomware negotiator heads to prison for assisting BlackCat. Our guest is Maxim Zavodchik, Senior Director of AI Security Research at Akamai, with insights on the upcoming MCP specification. Bad Wifi leaves a trophy up for grabs.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest We are joined by Maxim Zavodchik, Senior Director of AI Security Research at Akamai sharing insights on new security risks that can arise from upcoming MCP specification. Selected Reading New Ransomware Exploits Malicious Driver to Remove Cybersecurity Protections (Infosecurity Magazine) Zimbra urges customers to patch critical web client XSS flaw (Bleeping Computer) Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers (SecurityWeek) GigaWiper Combines Multiple Malware for System-Level Sabotage (SecurityWeek) Commission preliminarily finds the addictive design of Instagram and Facebook in breach of the Digital Services Act (European Commision) European Patience With Cybersecurity Laggards Snaps (BankInfoSecurity) NSA revives 'Tailored Access Operations' name for elite hacking unit (The Record) A Puerto Rico Government Agency Exposed 1 Million Social Security Numbers (ProPublica) Third US Security Expert Sentenced to Prison for Helping Ransomware Gang (SecurityWeek) Thief posed as Wi-Fi fixing hero, then stole priceless trophy (The Register) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Discussion (0)
Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. Heading to this year's Black Hat USA, the N2K Cyberwire team will be on site recording from our podcast studio in the SpectorOps Kennel Club. If you're interested in joining us for a conversation or learning more about what we're recording throughout the week, visit sponsor.com for more information. And make sure you stop by the studio and meet the N2Siberwire. 2K Cyberwire team. We'll see you there. What's the one thing in business that's spreading as fast as AI? AI risk.
Starting point is 00:00:53 Every new tool your team signs up for, every vendor that turns on AI features, every new integration. Each one is an opportunity for something to go wrong. And most security programs weren't built for AI's pace of growth. Enter Vanta. Vanta is the number one agentic trust platform, used by over 16,000. fast-moving companies like Ramp, Cursor, and Harvey to ensure they're always audit-ready. And now Vanta is helping companies like yours watch for the risks that show up between audits, across your vendors, your AI tools, and your whole environment.
Starting point is 00:01:30 How? The Vanta agent works like a 24-7 GRC engineer in the background, finding issues, drafting fixes, and cutting vendor assessment time by up to 50%. Whether you're a fast-growing startup or a global enterprise, Vanta is here to help you automate your security and compliance and earn and prove trust. Get started today at Vanta.com slash cyber. That's V-A-T-A dot com slash cyber. Researchers track ransomware, they say, is getting gosh darn sophisticated.
Starting point is 00:02:21 Zimbra patched a critical vulnerability affecting its classic web client, A sophisticated vishing campaign is targeting Microsoft 365 accounts. Gigawiper combines espionage capabilities with multiple destructive payloads. The EU sues member states over lax cybersecurity. The NSA revives TAO. A Puerto Rican agency exposes roughly a million social security numbers. A former ransomware negotiator heads to prison for assisting Black Hat. Our guest is Maxim Zavadcic, Senior Director of AI Security Research.
Starting point is 00:02:55 search at Akamai with insights on the upcoming MCP specification. And bad Wi-Fi leaves a trophy up for grabs. It's Friday, July 10th, 2026. I'm Dave Bittner and this is your Cyberwire Intel briefing. Thanks for joining us here today. Happy Friday. It is great as always to have you with us. We're a family show here. So in the interest of keeping things FCC friendly, we're substituting the name of a new ransomware group with gosh darn. Researchers at Semantic say the latest version of the gosh darn ransomware marks another step forward in attacker sophistication. The malware is the newest evolution of the Hyadena ransomware family, which dates back to 2022 through earlier beast and monster variants. In the observed attack, the operators used the remote access tool
Starting point is 00:04:15 any desk, then deployed a malicious kernel driver called Poison X that carried a legitimate Microsoft signature. That allowed the attackers to disable endpoint security tools before installing credential theft utilities such as Mimicats and Neersoft. After expanding their access and capturing administrator credentials, they encrypted victim systems and delivered a ransom demand. The researchers don't yet know how the attackers gained initial access, or obtained the signed driver, but they say the campaign highlights how ransomware operators
Starting point is 00:04:50 continue refining their techniques, particularly by improving their ability to evade security defenses. Zimbra is urging customers to immediately upgrade to fix a critical, stored cross-site scripting vulnerability affecting its classic web client. The flaw can be triggered through a specially crafted email,
Starting point is 00:05:13 potentially allowing attackers to steal session data, mailbox contents, and account settings when a message is opened. Although there's no evidence the vulnerability has been exploited in the wild, it was reported by Google's threat analysis group, which has a strong track record of identifying threats used by advanced nation-state actors. Zimbra has repeatedly been targeted by Russian-linked hacking groups in recent years, with multiple cross-site scripting vulnerabilities exploited to compromise governments and other high-value organizations. The latest advisory reinforces the importance of promptly patching internet-facing collaboration platforms. Octa is warning organizations about a sophisticated vishing campaign targeting Microsoft 365 accounts.
Starting point is 00:06:03 Active since April, the operation uses phone calls to convince employees they need to enroll a new Microsoft pass key, then directs them to convincing fake Microsoft Entra ID login page, hosted on attacker-controlled domains. Rather than relying on automated credential theft, the attackers guide victims through the login process in real time, adapting the phishing pages to match each organization's multifactor authentication requirements. Researchers believe the goal is to trick users into approving an attacker-controlled pass-key, giving the threat actors persistent access to compromised accounts.
Starting point is 00:06:43 The campaign has targeted organizations across multiple, industries and highlights how attackers are increasingly exploiting users' unfamiliarity with newer authentication technologies. Microsoft is warning about a sophisticated new malware platform called Gigawiper, a modular backdoor that combines espionage capabilities with multiple destructive payloads. Active since at least October 2025, the Go-based malware gives attackers persistent remote access, while allowing them to trigger ransomware-like encryption, overwrite files, wipe entire disks, or even force systems to crash. Unlike traditional wipers that are built solely for destruction,
Starting point is 00:07:28 Gigawiper blends backdoor functionality with on-demand sabotage tools, giving operators the flexibility to quietly gather information before launching a disruptive attack. Microsoft says the malware appears to share code with earlier destructive tools, and may be linked to the developer behind Crucio malware. The combination of stealth, persistence, and destructive capabilities marks a notable evolution in wiper malware. The European Commission has preliminarily concluded that META may have violated the Digital Services Act
Starting point is 00:08:04 by using design features on Facebook and Instagram that encourage compulsive use. Regulators say META failed to adequately assess and mitigate the risks posed by features such as infinite scroll, auto play, push notifications, and highly personalized recommendation systems, particularly for minors and other vulnerable users. The commission also found that existing safeguards, including screen time tools and parental controls, are not effective enough to reduce excessive use. Officials say META should consider disabling some engagement-driven features by default and introduce stronger protections. These findings are preliminary, and META will have an opportunity to respond before a final decision is made. If the Commission ultimately confirms the violations, the company could face fines of up to 6% of its global annual revenue.
Starting point is 00:09:02 Additionally, the European Commission is increasing pressure on several member states over delays in implementing key cybersecurity laws. Ireland, Spain, France, and the Netherlands have been referred to the European Court of Justice for failing to fully adopt the European Union's NIS II directive, which strengthens cybersecurity requirements for critical sectors, such as energy, healthcare, transportation, and cloud services. The Commission is also launching separate enforcement actions against Spain, France, and Latvia over delays in implementing national enforcement measures for the digital operations, Resilience Act, or DORA, which establishes cybersecurity standards for the financial sector. While most EU countries have now adopted the required legislation, the Commission says timely
Starting point is 00:09:54 implementation is essential to improving cyber resilience and ensuring consistent security and incident response across the block. The National Security Agency has revived the name tailored access operations, or TAO, for its elite offensive cyber unit, reversing a restructuring that had folded the group into a broader office of computer network operations. The change is part of a wider reorganization, intended to improve the agency's ability to respond to evolving cyber threats from countries including China and Russia. Former officials say restoring TAO also reunites developers and operators, a move expected to accelerate the creation and deployment of advanced cyber capabilities.
Starting point is 00:10:41 TAO has long been associated with some of the NSA's most sophisticated hacking operations and became widely known through leaks involving the shadow brokers. The agency says reviving the name honors TAO's history while positioning the organization for further cyber missions. Investigative reporting from Centro de Paradismo Investigativeo and ProPublica found that Puerto Rico's municipal revenue collection center inadvertently exposed the social security numbers of roughly one million people through its online property record system.
Starting point is 00:11:22 Researchers discovered that attackers with basic technical knowledge could access sensitive data without authentication and alerted the agency in June. Although the vulnerability was quietly patched soon afterward, CRIM continues to deny that any confidential information was at risk, and has not notified affected individuals or Puerto Rico's Central Technology Agency. The incident is the latest in a series of cybersecurity failures affecting Puerto Rico's government. Security experts say many agencies have yet to fully implement cybersecurity standards
Starting point is 00:11:57 required under 2024 law, leaving critical systems vulnerable to future attacks. A Florida cybersecurity professional who secretly worked with Black Cat or Alfie ransomware gang has been sentenced to nearly six years in federal prison. Prosecutors say Angelo Martino abused his role as a ransomware negotiator to provide the hackers with confidential information about victims negotiating strategies, helping maximize ransom payments in exchange for a share of the proceeds. Authorities seized roughly $10 million in assets tied to Martino. He is the third former cybersecurity consultant sentenced in the case, underscoring the insider threat posed by trusted security professionals who betray their clients.
Starting point is 00:12:50 Coming up after the break, my conversation with Maxim Zavadchik, senior director of AI security research at Akamai. He has insights on the upcoming MCP specifications, and bad Wi-Fi leaves a trophy up for grabs. Stay with us. AI is making fishing attacks faster, more convincing, and harder for people to spot, and traditional security awareness and fishing training weren't designed for this level of attack. Hawkshunt helped security teams prepare employees for the attacks they face every day, with personalized fishing training that adapts to each employee and reduces risky behavior over time. For IT and security leaders looking to strengthen their human layer of defense,
Starting point is 00:13:55 without adding more manual work, visit hoxhunt.com slash cyberwire to learn more. That's h-o-x-h-U-N-T.com slash cyberwire. This episode is supported by Black Hat USA. If you follow the research, you know a lot of it breaks on Black Hat stages. Hundreds of peer-reviewed briefings, more than 100 hands-on trainings,
Starting point is 00:14:26 and the largest business hall in Black Hat's history. Six days to learn the skills. you'll need tomorrow, August 1st to the 6th. Use code Cyberwire for $200 off your briefings pass at blackhat.com. We'll see you in Vegas. Maxim Zavadchik is Senior Director of AI Security Research at Akamai. We recently got together to discuss insights on new security risks that can come from upcoming MCP specifications.
Starting point is 00:15:09 MCP actually was invented last year. And before MCP, the models could reason, could answer questions, responsive from a knowledge base. But MCP actually allows connecting the agents to systems. Think about it's like having the arms now and lengths to do operations. So MCP is the connecting protocol between the agents and the tools and functions they can do. So I know you and your colleagues at Akamai are tracking some changes to, the MCP specification, what's caught your attention here? So that was interesting.
Starting point is 00:15:49 I think that's kind of, you know, MCP since its inception last year, actually had a lot of different versions and variants and incremental ads, but this time it's different. And that's how they said on the announcement page as well, is that the upcoming specification actually represents the most significant architectural evolution of the project. protocol itself since it began.
Starting point is 00:16:15 What began as a local single-user AI integration tool is transforming now into a platform-capable and enterprise-grade protocol to support businesses and big organizations exposing their services, AI-native services using entity. So what are some of the things that you think folks need to pay attention to here with these coming changes? To be enterprise-radium, to, to, to, make yourself suitable to the cloud architectures and proxy architectures,
Starting point is 00:16:47 the protocol actually became stateless. Meaning beforehand, usually an agent will open a session and that MCP protocol supports, and then it's a long-leaving session that you interact with the server back and forth, a bi-directional conversation. Currently, it's a very stateless means that it will have a request-response interaction, client opens a connection, ask something, and then close this connection. So it sounds technical,
Starting point is 00:17:15 but actually that introduces also kind of a building paradox here as well. So from one hand, removing the session actually removes some of the threats related to the sessions, such as session hijacking, but on the other hand, actually it pushes the responsibility
Starting point is 00:17:33 to manage those states to the application itself. The protocol is stateless now, but the application is not. And, you know, someone still has to remember which workflow is running, which tool and vocation belongs to which user, which also synchronous task belongs to which tenant. And cipers need to avoid predictable identifiers and poorly protected state objects. The state now belongs to the application,
Starting point is 00:18:00 means that the developers now own this security. Now, I understand there are also concerns about metadata injection. Yeah, besides moving to be stateless, which is one with biggest things, there's also more additions that actually introduced new attack surface. One of them is this metadata object, which is not well-defined, let's say, like the object that the client can add to the request and also the server can add to the response, meaning that that's not structured or restricted by schema things,
Starting point is 00:18:34 which allows, you know, we can imagine, creativity for developers, write a new object that can flow on every request and response and actually introduce a new attack surface dot as well. For example, if some state information is being sent from the client
Starting point is 00:18:53 to the server, but it's not properly signed or not properly validated at the server that can create some problems though. And one of the other things that caught my eye, you all describe it as hit and run task abuse. What's going on there? So that's interesting. So as I mentioned, besides moving to stateliness,
Starting point is 00:19:16 now it also introduces MCP apps and tasks as first-class citizen extensions. Something that was informally some implementations used this one, but now it's part of kind of more formal part of the protocol. So tasks are those long-running the synchronous workflows. Sounds wait until attack was abused them. One of the major threats, as you mentioned, is the hit-and-run attack where client can open a connection, start a task, and then disappear, while the server still consumes heavy server resources for a longer time. Tasks are usually those long execution asynchronous workflows, and without proper timeouts on tasks and limiting the number of tasks each client can start, the service under serious resource exhaustion and, you know, wallet threats.
Starting point is 00:20:11 What are your recommendations for organizations to be best prepared for these changes? Yeah, that's a good question. I think it kind of goes to like whether those are new threats, evolving threats, right? So I think the MCP repeats well history, you know, some threats feel familiar. IDOR or BOLA becomes workflow manipulation, protocol confusion returns, store-dexS returns now with the MCP apps, but agents change everything. I think agents need semantic context. They discover capabilities dynamically, intents become exposed, and the coincidence becomes easier on MCP servers, MCP tools become business actions, not just simple API calls
Starting point is 00:21:01 and simple request response transactions. One tool, many systems. One request, entire workflows. MCP servers become brokers for thinking capabilities. Trust becomes centralized and the blast struggles growth as well. And security moves beyond just requests. Now you need to protect business workflows. And I think for the CISOs, it's not just asking one question,
Starting point is 00:21:25 do you support the new MCP protocol, but ask a better one. How is it implemented? Now it's all about the implementation. How do you validate state? How do you validate metadata? What guardrails exist? How do you prevent MCP apps and tasks abuse? The protocol is stronger by removing some of the vulnerability, vulnerable parts and related
Starting point is 00:21:48 functionality, but the implementation matters. Trust boundaries changed, execution models changed, state management changed, security move up the stack. So the protocol is in the risk, the implementation. that's maxim zavadchik from akamai as organizations grow so does complexity new applications are deployed vendors are granted temporary access and remote support tools are installed many of them never go away in my recent conversation at rsacc 26 with rob allen chief product officer at threat locker he explains how these forgotten tools create hidden pathways into enterprise environments
Starting point is 00:22:43 and why attackers increasingly exploit what's already inside the network instead of trying to break through the perimeter. Learn how to reduce lingering access, shrink your attack surface, and implement zero trust more effectively by listening to the full conversation at explore.thecyberwire.com slash threat locker. My name is Peter Parker, but I'm also Spider-Man. This July.
Starting point is 00:23:14 We're faced with a threat. That can be anyone. The world may have forgotten Peter Parker. I'm just a neighbor. Friendly neighbor. But he hasn't forgotten them. Sometimes Spider-Man has to do the hard thing. That's my responsibility.
Starting point is 00:23:28 Talk to Banner? I didn't know you could get that big. Spider-Man, brand-new day. In theaters, July 31st. Across Canada in a Volvo. Destination. Vancouver. Turn left to leave.
Starting point is 00:23:46 Travel west through. Approaching. Continue toward. You've arrived. Adventure in comfort with Volvo. Whether you prefer gas, plug-in hybrid, or fully electric, there's a Volvo for everyone. Learn more at VolvoCars.ca.
Starting point is 00:24:10 And finally, a story shared by the register proves that if you carry a laptop, with an antenna sticking out of it, people will assume you know what you're doing. Professional red-teamer David Schloss was testing the physical security of a Fortune 500 company while its offices were under construction, and the Wi-Fi was driving employees crazy. As he and his team wandered the building with conspicuous networking gear, no one questioned why they were there. Instead, they kept asking the same question.
Starting point is 00:24:48 Are you here to fix the Wi-Fi? Schloss eventually wandered into the marketing department, opened a display case, removed a trophy worth hundreds of thousands of dollars, slipped it into his backpack, answered yes when asked if he was fixing the Wi-Fi and walked out. No one noticed the missing trophy for two and a half weeks. He finally returned it by placing it on the conference table before delivering his security briefing. The lesson here is simple. People tend to trust anyone who looks like they belong. Sometimes that's all an attacker needs. And that's the Cyberwire. For links to all of today's stories,
Starting point is 00:25:35 check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Jeff White, host of Cyberhack and a BBC journalist. We're taking a closer look into his work into the Conti ransomware game. That's Research Saturday. Check it out.
Starting point is 00:25:53 And hello, Maria Vermaz is here. on Sunday's T-minus space cyber briefing. We're diving into space cyber considerations for the fast-approaching post-Quantum world. That's in conversation with Eddie Zervigon, CEO of Quantum Exchange. Hear more on Sunday on T-minus. Don't miss it. We'd love to know what you think of this podcast.
Starting point is 00:26:12 Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com.
Starting point is 00:26:29 N2K's lead producers, Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazas. Our executive producer is Jennifer Iben. Peter Kilpe is our publisher and I'm Dave Bittner.
Starting point is 00:26:44 Thanks for listening. We'll see you back here next week. Hey, y'all. It's Kelly Clarkson with Wayfair. Ever order furniture online and wonder what if, like what if it doesn't hold up? That sofa was four days old. You should have ordered from Wayfair.
Starting point is 00:27:18 With Wayfair, there's no what-if. Just style you love and quality you can trust. Visit Wayfair.ca. Wayfair, every style, every home.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.