CyberWire Daily - iPhone exploits go mainstream.
Episode Date: March 19, 2026

DarkSword targets iPhones for indiscriminate exploitation. Cybercrime and the Iran war. The FBI confirms purchasing commercially available location data. The DHS secretary nominee gets grilled on CISA funding. A Zimbra Collaboration Suite vulnerability is being used in targeted espionage. A new Android malware targets sensitive data stored in user notes. AWS warns of ongoing Interlock ransomware activity. Tracking pixels grab more than they should. Perry Carpenter and Mason Amadeus from The FAIK Files podcast speak with Hany Farid about the real-world harms of synthetic media. Do Boomers balance breaches better?

CyberWire Guest

Today we are joined by Perry Carpenter and Mason Amadeus, hosts of The FAIK Files podcast, speaking with Hany Farid about the real-world harms of synthetic media. Last week, the FAIK Files team sat down with Hany Farid -- digital forensics expert, professor at UC Berkeley, and co-founder of Get Real Security ( getrealsecurity.com ) -- to discuss deepfakes, authenticity metadata (C2PA), and forensic deepfake detection approaches.

And here's a link to the YouTube video: https://www.youtube.com/watch?v=RSpmRb2O7Xc

Selected Reading

- Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild (WIRED)
- Cybercrime has skyrocketed 245% since the start of the Iran war (The Register)
- CISA official says agency has not seen uptick in cyber threats amid Iran war (The Record)
- FBI is buying data that can be used to track people, Patel says (POLITICO)
- DHS nominee Mullin pressed on restoring CISA staffing (The Record)
- CISA Adds Exploited Zimbra Collaboration Suite Flaw to Warning List (GB Hackers)
- Russian hackers exploit Zimbra flaw to breach Ukrainian maritime agency (The Record)
- New ‘Perseus’ Android malware checks user notes for secrets (Bleeping Computer)
- AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January (Infosecurity Magazine)
- The Collection of Commercial Intelligence: TikTok & Meta Ad Pixels (Jscrambler)
- Forget Millennials: why those over 65 are the real cyber security pros (The Senior)

The CyberWire is a production of N2K Networks.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
AI is changing how enterprises operate and how they stay protected.
It's time to eliminate risk and protect innovation.
From March 23rd through the 26th, join Trend AI for actionable AI security insights.
Catch impactful sessions at RSC, then unwind and grab a bite at their lounge in Trapasue.
Experience industry-leading AI security.
In person, engage with the experts, and get your chance to win $500,000.
San Francisco lets AI fearlessly. Learn more at trendmicro.com slash RSA.
DarkSword targets iPhones for indiscriminate exploitation. Cybercrime in the Iran war.
The FBI confirms purchasing commercially available location data. The DHS Secretary nominee gets
grilled on CISA funding. A Zimbra Collaboration Suite vulnerability is being used in targeted espionage.
A new Android malware targets sensitive data stored in user notes.
AWS warns of ongoing Interlock ransomware activity.
Tracking pixels grab more than they should.
Perry Carpenter and Mason Amadeus from the FAIK Files podcast
speak with Hany Farid about the real-world harms of synthetic media.
And do boomers balance breaches better?
It's Thursday, March 19, 2026.
I'm Dave Bittner and this is your Cyberwire Intel Briefing.
Thanks for joining us here today. It's great to have you with us.
A newly discovered iPhone hacking technique called DarkSword marks a shift from rare targeted attacks
to large-scale indiscriminate exploitation.
Researchers at Google, iVerify, and Lookout found the tool embedded in compromised websites,
allowing attackers to silently hack iPhones that simply visit those pages.
It primarily affects devices running older versions of iOS 18,
which still account for roughly a quarter of iPhones.
DarkSword can extract sensitive data,
including passwords, messages, photos, and even cryptocurrency wallet credentials.
It uses fileless methods,
hijacking legitimate system processes to avoid detection,
and operates in a quick smash-and-grab fashion before disappearing after a reboot.
The tool has been linked to Russian espionage campaigns and earlier attacks in multiple countries,
but its code was left exposed online, making it easy for other hackers to reuse.
Researchers warn this reflects a growing market where advanced iPhone exploits are being widely shared,
increasing risks for everyday users, not just high-value targets.
Has cybercrime activity surged since the start of the Iran war?
Well, that depends on who you ask.
Akamai reports a 245% increase in attacks,
particularly targeting banking and fintech sectors.
Most activity involves reconnaissance and infrastructure scanning,
including spikes in botnet traffic, credential harvesting,
and distributed denial of service preparation.
While some attacks originated from
Iran, many were routed through Russia and China, often via proxy services used by hacktivists.
Researchers also observed increased activity from pro-Russian groups and Iran-linked actors like
Handala, which claimed a destructive attack on a U.S. medical firm.
Despite this, CISA reports no significant rise in nation-state threats, noting a steady overall
landscape. The findings highlight how geopolitical conflict is expanding the cyber attack surface,
with both state-linked and criminal groups exploiting the situation.
The FBI has confirmed it's purchasing commercially available location data to track individuals,
according to Director Kash Patel's Senate testimony yesterday. This marks a shift from
2003 when the agency said it was not actively buying such data.
Officials say the practice complies with existing laws and has produced useful intelligence.
The disclosure raises concerns among lawmakers who argue it bypasses warrant requirements established by the Supreme Court.
Proposed legislation would require warrants for such purchases,
while others defend the practice as a necessary tool for law enforcement.
Senator Markwayne Mullin, nominee for DHS Secretary, faced questions over
whether he would restore staffing and funding cuts at the Cybersecurity and Infrastructure Security Agency.
Lawmakers highlighted that the agency's workforce was reduced by about one-third
and its budget significantly cut under current leadership.
Mullin did not commit to reversing those changes, instead emphasizing the need to recruit
the right people and ensure mission readiness without specifying staffing levels.
Senators warned that rising geopolitical tensions, including conflict with Iran, could increase
cyber threats, underscoring the need for a fully resourced cyber defense agency.
Critics argued that recent cuts have weakened national cybersecurity, citing program reductions
and disruptions at CISA.
Mullin is expected to advance to a full Senate confirmation vote.
Speaking of CISA, they've added a critical Zimbra Collaboration Suite
vulnerability to the Known Exploited Vulnerabilities catalog, citing active exploitation.
The flaw is a stored cross-site scripting issue in Zimbra's classic UI that allows attackers to embed
malicious code in emails. When opened, the code executes within the user's session,
enabling data theft, session hijacking, and broader system compromise. Researchers report the
flaw has been used in targeted espionage, including a campaign attributed to
Russian-linked group APT28 against a Ukrainian government agency.
The attack required no links or attachments, relying entirely on malicious HTML email content.
CISA has ordered federal agencies to patch by April 1st, urging immediate updates or discontinuation
of the platform if unpatched.
Perseus is a new Android malware that targets sensitive data stored in user notes, including
passwords, recovery phrases, and financial details. Disguised as IPTV apps in unofficial app stores,
it exploits side-loading habits to infect devices and gain full control using Android accessibility
services. Researchers at ThreatFabric report that Perseus can capture screenshots, perform overlay
attacks and remotely control devices with a focus on financial and crypto apps, particularly
in Turkey and Italy. Notably, it systematically scans note-taking apps, a rare capability.
The malware reflects a broader trend of attackers exploiting pirated streaming apps to distribute
banking Trojans and steal personal data.
The Interlock ransomware group has been exploiting a critical zero-day flaw in
Cisco Secure Firewall Management Center since January, according to AWS. The vulnerability
allows unauthenticated attackers to execute code as root, giving full system control.
AWS observed attackers using the flaw for initial access, then deploying scripts, custom remote
access tools, and a memory resident web shell to maintain stealthy persistence. They also
installed backup access via remote management software. The campaign highlights the risks of zero-day
exploits, where attacks occur before patches are available, reinforcing the need for layered defenses
and continuous monitoring alongside rapid patching. A new analysis from Jscrambler finds that
TikTok and Meta tracking pixels collect far more data than typical ad attribution requires,
raising privacy and security concerns.
Beyond tracking user behavior,
these pixels gather personal information,
such as emails, phone numbers, and addresses,
then convert them into persistent identifiers
that can be relinked to individuals.
The research shows the pixels also capture detailed commerce data,
including product selections, pricing, and checkout activity,
often without businesses fully realizing the scope.
In some cases, sensitive data
is collected before or despite user consent and may even be transmitted insecurely.
This creates potential violations of privacy laws like GDPR and CCPA,
while also exposing businesses to competitive risks,
as the collected data can enhance ad targeting for larger rivals.
Coming up after the break, Perry Carpenter and Mason Amadeus speak with Hany Farid
about the real-world harms of synthetic media.
And do boomers balance breaches better?
Stick around.
No, it's not your imagination.
Risk and regulation really are ramping up,
and these days customers expect proof of security
before they'll even do business.
That's where Vanta comes in.
Vanta automates your compliance process
and brings compliance, risk, and customer trust together
on one AI-powered platform.
So whether you're getting ready for a SOC 2
or managing an enterprise governance risk and compliance program,
Vanta helps keep you secure and keeps your deals moving.
Companies like Ramp and Writers spend 82% less time on audits with Vanta.
That means less time chasing paperwork and more time focused on growth.
For me, it comes down to this.
Over 10,000 companies from startups to large enterprises,
trust Vanta to help prove their security.
Get started at vanta.com slash cyber.
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that
by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown
executables cold. With Ringfencing, you control how trusted applications behave, and with ThreatLocker
DAC, Defense Against Configurations, you get real assurance that your environment is free of
misconfigurations and clear visibility into whether you meet compliance standards.
ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain.
It's powerful protection that gives CISOs real visibility, real control, and real peace of mind.
ThreatLocker makes zero trust attainable, even for small security teams.
See why thousands of organizations choose ThreatLocker to minimize alert fatigue,
stop ransomware at the source, and regain control over their environments.
Schedule your demo at threatlocker.com slash N2K today.
Perry Carpenter and Mason Amadeus are the hosts of the FAIK Files podcast right here on the N2K CyberWire Network.
On one of their most recent shows, they sat down with Hany Farid about the real-world harms of synthetic media.
Hi, my name is Mason Amadeus, and I'm one of the hosts of the FAIK Files podcast here on the CyberWire Network.
And I wanted to share this clip with you of our most recent episode featuring
Hany Farid, who is a professor at UC Berkeley and an expert in digital image forensic analysis.
We talked to him about deepfakes and how to do deepfake detection right.
In order to do this, you have to understand two things fundamentally,
which is how are natural images and videos and audio recorded,
what happens from the physical world through the recording to what I'm seeing.
And then how does AI work?
Reverse engineering all these tools that we've been talking about.
How does a face swap work?
How does Sora work?
How does voice cloning work?
And then finding statistical, physical, geometric properties that distinguish those two.
And importantly here, this is not a full-blown brute force black box approach.
Just throw a bunch of data at it and hope that the machine can figure it out.
We start by more or less figuring it out and then using the machine to simply make the measure
that we wanted to make. And that way we become a little bit more future-proof. We have explainability.
We know why we are saying what we are saying. It's not just machine learning on machine learning,
right? It's physics. It's geometry. It's signal processing. It's understanding the file. It's the whole
sort of ecosystem of content creation. And that is where you really start to be able to tell a very
rich story. So I mentioned before that I first encountered Hany's work through a TED talk that he
gave a while back. And in that talk, the bit that stood out to me the most was this super cool
segment where he demonstrated a forensic image analysis technique where you take the noise of the
image, you take the Fourier transform of that noise, which is like breaking down the frequency
components of that noise, and then you can see these patterns emerge that don't happen normally
when you take a photo, but are a side effect of the way that AI generates images.
And I've never seen anyone go that deep on how to analyze whether something is real or not.
I thought it was fascinating, it was scientific, it was grounded, it was explainable,
And it's super freaking cool.
Hany's going to break down part of that process for us now.
So we're going to get a little bit into nerd stuff,
but he's really good at keeping it very easy to understand.
So stick with us through this,
because I think this is one of the coolest parts.
So when you take an image, when you pick up one of these phones,
you are fundamentally converting an analog signal,
photons, light, into a digital signal.
And that process is imperfect for a number of reasons.
That sensor has some imperfections
in how it translates the number of photons
that are incident on the cell to a digital
signal. And those imperfections, broadly speaking, we say, are noise. And they depend on how old the
camera is, what the light levels are, what the ISO settings are, what the aperture size is. And you've seen
this if you've taken a photo in your house at nighttime where it's really dark and you'll see almost like
this grainy pattern. Yeah, that's what we call noise. Noise is very specific. It's the result of a physical
process. Other side of the aisle, AI generated images. So how do you go from a text prompt to a full-blown
image that is semantically consistent with that prompt.
So the way these diffusion models work, GANs are a little bit different, but let's talk about
diffusion models, is you literally start with random noise, by which I mean you plop down a bunch
of random pixels, which just looks like snow, colored snow, and then you slowly start denoising
that in a way that it makes it consistent with the caption.
This is what's called the diffusion process.
Diffusion is very expensive computationally.
So what the diffusion models do is they start by creating a very low-res image, maybe 100 by 100.
And then they take that to seed the next resolution, 200 by 200.
And then they take that to seed the next level.
And in that process of upsampling and then running diffusion is when you introduce an artifact in the noise pattern,
which as you were pointing out, you can see that in what's called the Fourier transform of the residual noise.
And it's a really nice pattern.
We know why it comes about.
It's a little hard to quantify.
I showed you a very clean one in the TED
talk, of course, but in reality, these patterns can be quite noisy and quite subtle.
And so that's where we bring machine learning in.
We say, okay, we're going to extract the noise residual.
We're going to extract the magnitude of the Fourier transform, and then we're going to feed that
into the machine learning algorithm to find the patterns that are specific there.
Now, the really cool thing about this pattern is it's been around since the early diffusion
models, and it doesn't seem to be going away because this process that I described to you,
denoising, diffusion, upsampling, is just baked
into these models. It's just baked in. Now, but five years from now, who knows, right?
But, and that's important, and I think I said this in the talk, too, is everything we do has a shelf
life, right? You get it for a little while, and then, you know, the models work around it.
So there is definitely this sort of chicken and egg problem, which is why over at GetReal,
we have a full-time threat intel person who works for us, because his entire job is to make
sure we understand the adversary, right? He's in those same chat rooms. He's listening in the
dark web. He is seeing what the North Koreans are doing. He's seeing what the cyber criminals are
doing. And then we are reverse engineering. They're reverse engineering. I mean, that's the way to
do it, right? Having a proper team of threat researchers and forensic analysts looking at this content,
using AI to help them in that process, that's the proper way to do it. But that's a lot of work,
right? Compare that to the attacker who can just generate image after image after image and just keep
posting. There's that famous saying that a lie gets halfway around the world before the truth,
gets its pants on. And so it can feel kind of futile, right? And I know at least for me personally,
I can sometimes slip into that jaded mindset of like, well, all right, then I'll just assume
everything's fake. There's no point in even trying. And I brought that up in our conversation with
Hani, and he had a very elegant response. You know, the defeatist attitude is, well, you do this,
they do this. You do this, they do this. So my thing there is, well, yeah, but what is the option,
right? They do this and I do nothing. I was on a panel recently with somebody who was taking this
position and he was criticizing this whole trying to defend against deepfakes. And I said to him,
well, let me ask you this. Did you lock your front door when you left the house today? And he said,
yes. And I said, well, then shut the hell up. Yeah. Yeah, that's a good point. Because, you know,
why do you lock your front door? Somebody can pick the locks. Somebody can break the window.
Like, we do reasonable things to give us reasonable safety, right? That's okay. It's okay if something
slipped through the cracks, right? But if, you know, the average knucklehead can defeat our systems and
interfere with our elections and commit multi-million dollar fraud, we're in huge trouble.
If you want to hear our full episode featuring Hany Farid, you can check out our YouTube
channel or find us in your favorite podcast app. Just search for The FAIK Files, but it's F-A-I-K,
because it's fake but with AI in the middle. The FAIK Files. Okay, thanks for listening.
Be sure to check out The FAIK Files podcast wherever you get your favorite shows or on our website,
thecyberwire.com.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together.
The result?
Fast, reliable, and secure connectivity without the constant patching, vendor-juggling, or hidden costs.
From wired and wireless to routing, switching firewalls, DNS security, and VPN,
every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service,
you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching effortless.
Transform complexity into simplicity and give your team time to focus on what really matters,
helping your business and customers thrive.
Learn more and book your demo at meter.com slash cyberwire.
That's M-E-T-E-R dot com slash cyberwire.
When cyber threats strike, minutes matter.
Booz Allen brings the same battle-tested expertise
trusted to protect national security
to defend today's leading global organizations.
They safeguard their data, strengthen enterprise resilience,
and mobilize in minutes across
energy, health care, financial services, and manufacturing.
Their teams don't just respond.
They anticipate, outthink, and stay ahead of evolving threats.
This is powerful protection for commercial leaders, only from Booz Allen.
See how your organization can prepare today at boozallen.com slash commercial.
And finally, baby boomers, it turns out, approach cyber attacks a bit like a surprise storm,
best handled by waiting for official instructions rather than running outside with an umbrella.
Research from KnowBe4 shows older users are more likely to wait and see after a major data breach,
while younger generations rush to check if they've been exposed. But there's a twist.
The same boomers who hesitate in a crisis are far more disciplined behind the scenes.
They're more likely to use unique passwords and install upgrades,
quietly doing the cybersecurity equivalent of eating their vegetables.
Younger users, meanwhile, know the rules, but often ignore them.
Despite their caution, older adults remain frequent scam targets,
suggesting that good habits help,
but timing and awareness still matter just as much as strong passwords.
And that's the Cyberwire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at N2K.com.
N2K's lead producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliott Peltzman.
Our contributing host is Maria Varmazis.
Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
If you only attend one cybersecurity conference this year, make it RSA 2026.
It's happening March 23rd through the 26th in San Francisco,
bringing together the global security community for four days of expert insights,
hands-on learning, and real innovation.
I'll say this plainly, I never miss this conversation.
The ideas and conversations stay with me all year.
Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next.
Register today at rsaconference.com slash cyberwire26.
I'll see you in San Francisco.
When it comes to mobile application security, good enough is a risk.
A recent survey shows that 72% of organizations reported at least one mobile application
security incident last year, and 92% of respondents reported threat levels have increased in the past
two years. GuardSquare delivers the highest level of security for your mobile apps without compromising
performance, time to market, or user experience. Discover how GuardSquare provides industry-leading
security for your Android and iOS apps at www.guardsquare.com.
