CyberWire Daily - Hackers ignore the ceasefire.
Episode Date: April 9, 2026
Iran-linked hackers signal cyberattacks will continue despite the cease-fire. Microsoft restores access after suspending open-source developer accounts. John Deere settles its right-to-repair fight. A suspected Adobe Reader zero-day surfaces. Palo Alto Networks and SonicWall patch high-severity flaws. New macOS malware targets crypto wallets. A threat cluster abuses live chat to bypass MFA. CISA orders urgent Ivanti patching. Researchers track a stealthy DDoS-for-hire botnet. Our guest is Edgard Capdevielle, CEO of Nozomi Networks, sharing insights on threats posed by nation-states and AI on OT security. macOS has a 49-day time limit.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
On today’s Industry Voices, we are joined by Edgard Capdevielle, CEO of Nozomi Networks, sharing insights on threats posed by nation-states and AI on OT security. If you enjoyed this conversation, check out the full interview here.
Selected Reading
Shaky Ceasefire Unlikely to Stop Cyberattacks From Iran-Linked Hackers for Long (SecurityWeek)
Microsoft suspends dev accounts for high-profile open source projects (Bleeping Computer)
John Deere to Pay $99 Million in Monumental Right-to-Repair Settlement (The Drive)
Adobe Reader Zero-Day Exploited for Months: Researcher (SecurityWeek)
Palo Alto Networks, SonicWall Patch High-Severity Vulnerabilities (SecurityWeek)
New macOS Malware notnullOSX Targets Crypto Wallets Over $10K (Hackread)
Google Warns of New Threat Group Targeting BPOs and Helpdesks (Infosecurity Magazine)
Masjesu Rising: The Commercial IoT Botnet Built for Stealth, DDoS, and IoT Evasion (Trellix)
CISA orders feds to patch exploited Ivanti EPMM flaw by Sunday (Bleeping Computer)
We Found a Ticking Time Bomb in macOS TCP Networking - It Detonates After Exactly 49 Days (Photon Blog)
Share your feedback.
What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show?
N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
No, it's not your imagination.
Risk and regulation really are ramping up,
and these days customers expect proof of security before they'll even do business.
That's where Vanta comes in.
Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform.
So whether you're getting ready for a SOC 2 or managing an end-to-end enterprise governance, risk, and compliance program, Vanta helps keep you secure and keeps your deals moving.
Companies like Ramp and Writer spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth.
For me, it comes down to this. Over 10,000 companies from startups to large enterprises trust Vanta to help prove their security.
Get started at vanta.com slash cyber.
Iran-linked hackers signal cyberattacks will continue despite the ceasefire.
Microsoft restores access after suspending open-source developer accounts.
John Deere settles its right-to-repair fight, a suspected Adobe Reader zero-day surfaces,
Palo Alto Networks and SonicWall patch high-severity flaws, new macOS malware targets crypto wallets.
A threat cluster abuses live chat to bypass MFA.
CISA orders urgent Ivanti patching.
Researchers track a stealthy DDoS-for-hire botnet.
Our guest is Edgard Capdevielle, CEO of Nozomi Networks,
sharing insights on threats posed by nation-states and AI on OT security.
And macOS has a 49-day time limit.
It's Thursday, April 9, 2026.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today. It's great as always to have you with us.
Pro-Iranian hacker groups say a fragile ceasefire involving Iran, the United States, and Israel
will not stop their cyber operations, warning that digital retaliation will continue despite
reduced military tensions. One group, Handala, said it's pausing attacks on U.S. targets for now,
but will keep targeting Israel and may resume operations against America later.
U.S. authorities also warned that Iran-linked hackers have already infiltrated programmable logic controllers
used in critical infrastructure such as ports, power plants, and water systems.
Security agencies urged organizations to strengthen defenses immediately.
Experts caution that cyber activity may actually increase during a ceasefire,
as threat actors shift attention toward U.S. companies connected to the war effort, including
data centers and defense contractors. So far, many attacks appear more symbolic than destructive,
but analysts warn they still highlight persistent vulnerabilities and the growing role of cyber
operations as a lasting feature of modern conflict.
Microsoft suspended developer accounts used to maintain several widely used open-source
Windows projects, temporarily preventing them from publishing updates and security patches.
Affected software included WireGuard, VeraCrypt, MemTest86, and Windscribe.
Developers said they received no warning or clear explanation and were unable to reach
human support, raising concerns about delayed responses to potential security vulnerabilities
affecting Windows users. After public reporting, Microsoft said the suspensions resulted from
missed mandatory account verification requirements in the Windows Hardware Program,
which partners had been notified about since October of last year.
Accounts that failed verification within 30 days were automatically suspended.
Microsoft executives later acknowledged communication gaps and said the company is reviewing its notification process.
Some accounts began moving toward reinstatement after media attention prompted direct outreach from Microsoft leadership.
Farmers reached a landmark settlement with John Deere in a long-running right-to-repair dispute,
securing $99 million for plaintiffs who paid authorized dealers for major equipment repairs since 2018.
Court documents indicate participants may recover 26 to 53 percent of alleged overcharged damages,
well above typical class action recoveries.
The agreement also requires Deere to provide digital tools needed for maintenance, diagnostics, and repairs on tractors and combines for 10 years,
addressing long-standing restrictions that previously forced some farmers to modify equipment software themselves.
The settlement still requires judicial approval.
Deere also continues to face a separate lawsuit from the Federal Trade Commission,
which alleges the company unlawfully restricted repair access,
a case that could influence broader right-to-repair efforts across multiple industries.
Researcher Haifei Li reports a likely actively exploited zero-day in Adobe Reader
after detecting a malicious PDF through his EXPMON sandbox system.
The file can collect system data and may enable remote code execution and sandbox escape,
though the full attack chain remains unconfirmed.
Evidence suggests exploitation may have been ongoing for at least four months,
with some samples using Russian-language lures tied to oil and gas topics.
Adobe is reviewing the findings after receiving disclosure details in early April.
Palo Alto Networks and SonicWall released patches for multiple vulnerabilities,
including two high-severity flaws affecting enterprise security platforms.
Palo Alto Networks fixed a vulnerability in Cortex XDR and XSIAM integrations with Microsoft Teams,
which could allow attackers to tamper with protected resources,
along with additional Windows agent and Chromium-related issues.
SonicWall addressed an issue in SMA 1000 firewalls,
which could enable privilege escalation,
plus flaws exposing VPN credentials or bypassing authentication.
Neither company reports active exploitation but urges prompt updates.
Researchers at Moonlock Lab identified notnullOSX, a new macOS malware strain designed to steal
cryptocurrency from high-value victims with balances above $10,000.
First detected on March 30th, activity has been observed in Vietnam, Taiwan, and Spain.
The malware uses social engineering, including Facebook, Google Docs errors, and a trojanized Wallspace app,
to trick users into running malicious terminal commands and granting full disk access.
It can read sensitive data and maintain persistent remote control.
A feature called Replace App swaps legitimate wallet tools such as Ledger Live and Trezor
with malicious versions to capture seed phrases.
Researchers attribute the platform to a developer known as OXFFFF
and warn its modular design could support broader future targeting.
Google Threat Intelligence Group researchers warn that a financially motivated threat cluster
tracked as UNC6783 is targeting business process outsourcers
and large enterprises through help desk and live chat social engineering
to enable data theft and extortion.
Principal analyst Austin Larsen said attackers direct employees to spoofed
Okta login pages using deceptive Zendesk-style domains that capture credentials and clipboard-based
multi-factor authentication data, allowing persistent access. The group also distributes fake security
updates that install remote access malware and later sends ransom notes via Proton Mail after
exfiltration. Researchers say the tactics resemble earlier help desk-focused extortion campaigns
and urge organizations to deploy phishing-resistant authentication,
monitor chat channels, and audit newly enrolled MFA devices.
Researchers at Trellix report that the Masjesu botnet
has operated continuously since 2023 as a stealth-focused DDoS-for-hire platform
targeting routers, gateways, and other IoT devices
across multiple processor architectures.
Marketed primarily through Telegram, the service supports large-scale TCP, UDP, and HTTP attacks
and claims attack volumes reaching hundreds of gigabytes per second.
The malware spreads by scanning for known vulnerabilities in devices from vendors such as
D-Link, GPON, and Netgear, while using XOR-based obfuscation, cron persistence, and process spoofing
to evade detection.
It also avoids block-listed government IP ranges to reduce scrutiny.
Updated samples show expanded command and control redundancy and broader device targeting,
underscoring the botnet's evolution into a resilient, commercially operated extortion and disruption platform.
CISA has ordered federal agencies to patch a critical vulnerability in Ivanti Endpoint Manager Mobile within four days,
after confirming active exploitation since January.
The flaw allows unauthenticated remote code execution on exposed systems.
Ivanti previously warned only a limited number of customers were affected,
but nearly 950 internet-facing instances remain visible.
CISA added the issue to its Known Exploited Vulnerabilities catalog
and urged all organizations to prioritize patching immediately due to ongoing risk.
Coming up after the break, my conversation with Edgard Capdevielle, CEO of Nozomi Networks.
We're talking about threats posed by nation states and AI on OT security.
And macOS has a 49-day time limit.
Stay with us.
Maybe that's an urgent message from your CEO, or maybe it's a deep fake trying to target your business.
Doppel is the AI-native social engineering defense platform,
fighting back against impersonation and manipulation.
As attackers use AI to make their tactics more sophisticated,
Doppel uses it to fight back,
from automatically dismantling cross-channel attacks
to building team resilience and more.
Doppel, outpacing what's next in social engineering.
Learn more at doppel.com.
That's doppel.com.
This episode is brought to you by TELUS Online Security.
Oh, tax season is the worst.
You mean hack season?
Sorry, what?
Yeah, cybercriminals love tax forms.
But I've got TELUS online security.
It helps protect against identity theft and financial fraud
so I can stress less during tax season or any season.
Plans start at just $12 a month.
Learn more at telus.com slash online security.
No one can prevent all cybercrime or identity theft.
Conditions apply.
Edgard Capdevielle is CEO of Nozomi Networks.
I recently sat down with him at the RSAC 2026 conference
for this sponsored industry insights conversation
about threats posed by nation states and AI on OT security.
Now, it's not like IT, which, you know,
I decide the brand of the laptop of the CEO,
as well as the brand of the laptop of the plant manager.
It's more in partnership,
because it is still the plant manager or the operations people
or the production people that decide, you know,
what kind of, whether it's Rockwell or Siemens or Schneider or GE or Mitsubishi,
what combination of vendors they're going to have.
Sometimes it's not a decision.
Sometimes they come via an acquisition.
And as we discussed, the life of these assets is longer.
So you can't just say, okay, I bought this plant.
And I decided that I don't like the vendor that they use.
I'm just going to go change it.
That is not in the cost structure of the plant.
And we are here at RSAC 2026 right on the show floor.
and joining me is Edgard Capdevielle.
He is the CEO of Nozomi Networks.
Edgard, thank you so much for joining us.
Thanks for having me.
We find ourselves in a very interesting moment in history
with the activities going on in Iran, the conflict there.
What does that mean for the world of industrial control,
critical infrastructure, all those things?
As you might expect, Iran and that region relies heavily on critical infrastructure,
both on the defensive and the offensive side.
Iran has been a long-time active threat actor
in terms of various APTs
and in particular addressing critical infrastructure
and industrial control networks.
Now that the conflict is, you know, very, very active
and very, very kinetic, the threat landscape has been, you know,
heightened really very much.
We have a ton of customers in the region,
and we have been able to get a lot of threat intelligence
around what Iran is doing.
And there's been very significant activity,
both in transportation, manufacturing, and energy.
Can you give us some insights of the types of things
that you're tracking?
What sort of activity are we talking about?
We're tracking various groups that have been known for a long time.
Yeah.
APT33, 34, in the full as well.
And these groups are, like I said, very active.
We are able to do a lot of visibility.
I'm going to actually turn it back to maybe a different conflict.
Yeah.
When the Russian-Ukrainian conflict was starting,
we saw also a lot of Russian activity,
and we were able to see the peak and the low of those attacks
in the rise.
You see kind of the early, minor activities,
like these credentials, identity,
in the beginnings, maybe, of lateral movement.
And we're starting to see that now.
We're, you know, in the early chapters of this Iranian.
So we've seen a lot of early attacks, a lot of reconnaissance work,
a lot of credentials acquisition, and even some lateral movement.
That's interesting.
So you really see echoes of previously tracked tradecraft.
History does sort of repeat itself.
Absolutely.
In the world of IT, you're able to move much faster.
In the world of OT and critical infrastructure, these attacks take longer.
The discovery phase or the early phases of those APT attacks are longer.
There's a lot more discovery required.
We've seen reports that Internet has basically been shut down in Iran.
How does that affect everything?
Does that get in the way of the threat actors themselves being able to do that?
Some communications have been affected, but these are very organized groups that work in tandem with the government.
Their internet is not shut down.
They're very, very active.
I say, yes.
What about the other threat actors around the world?
Are they taking advantage of this as a misdirection?
Yeah, so they can do their own things.
I think the level of attacks around the world is so far relatively unchanged.
This Iranian set of activity has gone up significantly in volume.
Can we take a step back and maybe looking down from a higher altitude,
how would you describe the state of things globally
when it comes to protecting critical infrastructure?
Yeah, of course.
Critical infrastructure security has gone through a journey, right?
Nozomi is now celebrating.
It's going to be celebrating its 12 years, 11, 12 years in business.
Congratulations.
Thank you. Thank you.
And we've seen all the different journeys.
We went through the very nascent journey
where only innovators adopted the technology.
Then we went through the growth journey,
which is like people are aware of the threat,
but it's a new investment,
and therefore, since budgets are not infinite,
you need to work through the trade-offs
and how do you digest this new investment
through the business model of the company.
You can't just invest in something new.
Very much like a household budget,
if you have all of a sudden a new kid,
you can't just all of a sudden say,
okay, my salary should go up.
That doesn't happen, right?
So you need to work this new item through the business model of the companies.
And now we have entered the mainstream part of the market
where everybody is aware we have been investing in this technology for a while.
So the budget that we're working on this year
is slightly bigger than the budget that existed last year,
but we're not working from zero, right?
So most companies have budget allocated for industrial OT or IoT cybersecurity,
and we're just getting better and better.
With the adoption of AI,
the evildoers, the hackers, are always ahead of us.
They're not burdened by regulation.
They're not burdened by, you know,
decision around technologies.
They just adopted it and used it right away.
So one of the new effects is that a mediocre hacker with AI
becomes a sophisticated hacker.
And in the world of critical infrastructure,
you can have an IT hacker become an OT hacker
fairly quickly.
They have to learn the intricacies of industrial control systems
or how each plant basically is a snowflake, right?
Each plant is very unique, even though if you're copying them,
the industrial controls, internals are very, very unique.
So navigating through that uniqueness
is something that people can do easier and easier with AI.
It strikes me that over the past few years, well, the past few years that I've been
keeping track of the type of work that you and your colleagues do,
it felt like we were, for a while, in kind of a
reactive stage. You know, the conversations were about,
particularly on the OT side, the update cycles of these
pieces of equipment are measured in decades,
not digital machine speed.
Do you feel as though we're in a place where we're more
proactive now that there's more
recognition that we have to get ahead
of these things, the velocity is
different than it was?
So I think the proactiveness is not
going to be measured by
how the cycle of the equipment
changes, because the cycle of the
equipment and the deployment of
technology is not going to change.
When you look at a substation,
that substation is supposed to live for
20 to 30 years sometimes.
Your laptop is
only supposed to live three to five years.
And those two things are not going to change.
What is going to change is the disposition of the different partnerships,
the vendors, the users, the operators,
in terms of how frequent and how flexible we're going to be
in terms of patching equipment, incorporating security
if it wasn't there in the first place.
So I think the days of, number one,
I believe the huge myth that my facilities are air-gapped.
That's no longer the case.
That's a myth.
That's a lie.
Everybody knows that.
The fact that you still have, you know, very outdated versions of software, Windows XP running the thing,
which is an infestation, it's basically a honeypot, if you will.
And the fact that you decide that, hey, I'm just going to spend a lot of time or I'm going to let a long time pass without patching.
And I'm going to wait, maybe not this maintenance cycle or maybe the other one, but the other one.
That's also changing.
So keeping up with the versions, keeping up with the patches,
because security now is as important as consistency
when it comes to optimum availability.
Do you feel like there's been a cultural maturation?
We used to talk about, you know, the IT folks and the OT folks
and they didn't always see eye to eye.
Have we, has there been improvement there?
I think we have evolved quite a bit. At the very, very beginning,
the OT folks were in charge of availability
and production and don't bother me,
I need to keep up with my production schedule.
Right.
And the IT folks who were in charge of their kind of IT systems.
And in the past, you know,
if a vendor sold you the interconnect
of your industrial automation,
that was part of that vendor's footprint,
whether or not it was an Ethernet cable
connecting everything together, right?
Okay.
Nowadays, it would be a fireable offense
if a CISO were to believe
that, and, you know, TCP/IP connection
is not under his or her responsibility.
Whether or not that's connecting a printer
or connecting a PLC.
I see. So now the CISO has
centralized authority,
centralized responsibility,
and centralized budgeting.
Now, it's not like IT, which,
you know, I decide the brand of the laptop
of the CEO, as well as
the brand of the laptop of the plant manager,
it's more in partnership,
because it is still the plant manager or the operations people
or the production people that decide
you know, what kind of, whether there's Rockwell or Siemens or Schneider or GE or Mitsubishi,
what combination of vendors they're going to have.
Sometimes it's not a decision.
Sometimes they come via an acquisition.
And as we discussed, the life of these assets is longer.
So you can't just say, okay, I bought this plant.
And I decided that I don't like the vendor that they use.
I'm just going to go change it.
That is not in the cost structure of the plant.
Well, Edgard Capdevielle is CEO of Nozomi Networks.
Thank you so much for joining us.
Thank you for having me.
There's a lot more to this conversation than we have time to share here, so please check out the full unedited interview.
You can find a link to that in our show notes.
And finally, once upon a time, classic pre-OS X Macs had a reputation for freezing if you merely looked at them wrong.
Modern macOS, by contrast, feels rock solid, right up until day 49.7 of continuous uptime.
Researchers at Photon discovered that after exactly 49 days, 17 hours, 2 minutes, and 47 seconds,
a 32-bit counter in the XNU kernel quietly overflows and freezes the system's internal TCP clock.
When that happens, closed connections in the TIME_WAIT state never expire.
Ephemeral ports accumulate, new TCP sessions fail, and services slowly lose the ability to talk to anything at all.
Ping still works, which deepens the mystery.
The issue surfaced in long-running iMessage monitoring systems and was reproduced experimentally,
then traced to a single comparison guarding the kernel's TCP timestamp counter.
The result is a silent countdown timer built into macOS networking.
The only reliable fix today is a reboot before the clock runs out.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire@n2k.com.
N2K's lead producer is Liz Stokes.
We're mixed by Trey Hester
with original music and sound design by Elliot Peltzman.
Our contributing host is Maria Varmazis.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
