CyberWire Daily - Meta’s recovery plan needed recovery.

Episode Date: June 8, 2026

Meta exposes 20,000 Instagram accounts through a support tool bug. CISA warns of active attacks on SolarWinds Serv-U. WordPress sites face takeover through a widely used plugin. A new Gafgyt variant broadens its reach. Pink extortionists steal cloud data with vishing and legitimate tools. Plus, allegations against IBM and AT&T, a dark web drug dealer gets 26 years, and the Monday business brief. Tim Starks from CyberScoop discusses the ongoing debate over staffing and budget cuts at CISA. NATO lets Ukraine play the bad guy.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
We are joined by Tim Starks from CyberScoop, who is discussing the ongoing debate over staffing and budget cuts at CISA, the political battles surrounding the agency's future, and what the Trump administration's plans could mean for U.S. cybersecurity efforts.

Selected Reading
- Meta AI Bug Exposes Over 20,000 Instagram Accounts (Infosecurity Magazine)
- NSO Group back in Meta's crosshairs after alleged WhatsApp targeting (The Register)
- CISA: Patch actively exploited SolarWinds Serv-U DoS vulnerability (CVE-2026-28318) (Help Net Security)
- Everest Forms Vulnerability Exploited to Hack WordPress Sites (SecurityWeek)
- C0XMO botnet spreads via DD-WRT router flaw, kills rival malware (Bleeping Computer)
- New Pink Extortion Group Targets Microsoft 365 Cloud Data Via Vishing Scams (Hackread)
- Ex-Threat Intel Exec Accuses IBM and AT&T of Hiding Hacks (GovInfo Security)
- California man sentenced to over 26 years for dark web drug trafficking (SC Media)
- AI observability platform Coralogix raises $200 million in a Series F round. (N2K Pro Business Briefing)
- Nato narrowly beats Russia-style enemy in cyber attack simulation (Financial Times)

Share your feedback. What do you think about CyberWire Daily? 
Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.   Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Do you know how the space and cybersecurity domains connect? T-Minus Space Cyber Briefing is your guide through the space-based systems that expand the attack surface. I'm Maria Varmazes, host here at N2K CyberWire, and I'm excited to share that T-Minus is back. Now, as a weekly podcast, the T-Minus Space Cyber Briefing. We have a new dedicated focus on two great things that are even better together, space and cybersecurity. Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly internet-enabled. We're talking cybersecurity technologies, policies, and organizations that are securing the critical space-based infrastructure that powers, protects, and connects our lives here on Earth.
Starting point is 00:00:59 So join me for T-Minus Space Cyber Briefing, new episodes every Sunday. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain.
Starting point is 00:01:47 It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source and regain control over their environments. Schedule your demo at threatlocker.com/N2K today. Meta exposes 20,000 Instagram accounts through a support tool bug. CISA warns of active exploitation of SolarWinds Serv-U. WordPress sites face takeover through a widely used plug-in.
Starting point is 00:02:40 A new Gafgyt variant broadens its reach. Pink extortionists steal cloud data with vishing and legitimate tools, plus allegations against IBM and AT&T, a dark web drug dealer gets 26 years, and our Monday business brief. Tim Starks from CyberScoop has the latest on the ongoing debate over staffing and budget cuts at CISA, and NATO lets Ukraine play the bad guy. It's Monday, June 8, 2026.
Starting point is 00:03:22 I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us. Happy Monday. Meta says a flaw tied to its AI-powered account recovery system allowed unauthorized attackers to take over thousands of Instagram accounts. The issue involved Meta's high-touch support tool,
Starting point is 00:03:58 which helps locked-out users regain access. According to Meta, the tool functioned as intended, but a separate bug failed to verify that a password reset request matched the account's registered email address. As a result, password reset links were sent to unassociated email addresses. Meta reported that 20,225 Instagram users were affected. Exposed information may have included contact details, profile data, messages, photos, videos, stories and account activity. Account recovery systems can become attractive attack targets when verification controls fail.
Starting point is 00:04:42 Users without two-factor authentication were especially vulnerable. Meta has disabled the affected tool, invalidated reset links, and is reviewing similar recovery processes across its platforms. Separately, Meta is asking a federal judge to hold NSO Group in contempt of court, alleging the spyware vendor continued targeting WhatsApp users despite a permanent injunction prohibiting it from doing so. According to Meta, investigators disrupted NSO-linked social engineering activity that attempted to lure users to malicious websites outside WhatsApp through phishing-style links. The company also reported the creation of test accounts and groups on the platform and released
Starting point is 00:05:30 indicators of compromise tied to the campaign. Meta did not disclose when the activity occurred, how many users were targeted, or whether any compromises were successful. The allegations raise questions about the effectiveness of legal restrictions against commercial spyware vendors. Meta argues that continued activity would represent a direct violation of a court order issued after its earlier legal victory against NSO over Pegasus-related attacks. CISA has confirmed that attackers are actively exploiting a denial-of-service vulnerability in the SolarWinds
Starting point is 00:06:10 Serv-U file transfer servers and has directed federal civilian agencies to remediate it by June 19th. The flaw allows remote unauthenticated attackers to crash Serv-U services by sending specially crafted HTTP POST requests containing a deflate header. SolarWinds has released a fix and recommends patching immediately or blocking affected requests through a web application firewall. Serv-U is widely used in regulated sectors where file transfer ability is critical.
Starting point is 00:06:45 While the flaw enables service disruption rather than a system takeover, denial-of-service attacks can interrupt operations and potentially divert defenders' attention from other malicious activity. A critical vulnerability in the Everest Forms Pro WordPress plugin has been actively exploited for months, allowing attackers to seize control of vulnerable websites. The flaw affects the plugin's complex calculation feature and allows remote
Starting point is 00:07:17 unauthenticated attackers to inject and execute PHP code on a server. According to Defiant, attackers have used the bug to create administrator accounts and deploy web shells. The issue was patched in March, but exploitation began in April. Defiant says it has blocked more than 29,000 attack attempts. With more than 100,000 sites using Everest Forms, unpatched systems remain exposed to full-site compromise. Defenders should update immediately and review administrator accounts for signs of unauthorized access. Researchers at Fortinet have identified C0XMO, a new variant of the Gafgyt botnet that targets DD-WRT routers and can spread across a wide range of internet-connected devices. The malware supports multiple CPU architectures and is delivered by
Starting point is 00:08:15 exploiting an unauthenticated remote code execution flaw. Fortinet says C0XMO uses a modular design that allows operators to update exploits, expand targeting, and enhance lateral movement independently of the core payload. Once installed, it scans for vulnerable systems, brute-forces weak SSH and Telnet credentials, establishes persistence, and removes competing malware and tools. The botnet is built primarily for DDoS attacks and supports 19 attack methods. Fortinet notes that its architecture and feature set demonstrate a higher level of sophistication than earlier Gafgyt-based malware, highlighting the continued evolution of IoT botnet threats. Researchers have identified a new financially motivated cybercrime group called Pink,
Starting point is 00:09:09 which is using voice phishing and stolen cloud credentials to conduct data theft and extortion campaigns. According to Palo Alto Networks' Unit 42, the group launched a data leak site in late May and is believed to be connected to the broader Com network. Pink impersonates IT staff in phone calls and directs employees to credential harvesting websites. Once access is obtained, the attackers use compromised Microsoft 365 accounts and built-in Microsoft tools to rapidly collect data from OneDrive and SharePoint. Victims then receive extortion demands through internal email and Microsoft Teams messages. Gorakul reports that Pink also uses fileless techniques designed to evade detection and hide from security
Starting point is 00:09:59 analysis tools. The group's reliance on legitimate accounts and cloud services highlights the growing challenge of detecting identity-based attacks that avoid traditional malware. A newly unsealed lawsuit accuses IBM and AT&T of failing to implement basic security controls and concealing evidence of nation-state intrusions into IBM cloud environments. The allegations come from former IBM Vice President of Threat Intelligence, William Barlow, who filed a False Claims Act lawsuit in 2020. According to the complaint, AT&T-managed VPN connections lacked logging, network segmentation was inadequate,
Starting point is 00:10:44 and security monitoring gaps prevented investigators from fully assessing suspected intrusions linked to the Chinese threat group APT10. The lawsuit cites an internal report that identified more than 56,000 indicators of potential APT10 activity between 2013 and 2016, but said the activity could not be fully investigated because logs were unavailable. The case highlights how missing visibility and monitoring can undermine incident response and leave organizations unable to determine the scope of a compromise. IBM disputes the allegations and noted that the U.S. Department of Justice declined to intervene in the case. A California man has been sentenced to more than 26 years in federal prison for trafficking fentanyl and methamphetamine through
Starting point is 00:11:38 Nemesis Market, one of the world's largest dark web marketplaces. According to documents, 39-year-old Darren Hughes operated a vendor account on Nemesis Market and used free methamphetamine samples to attract customers. Prosecutors said Hughes sold meth and fentanyl pills to an undercover law enforcement agent on multiple occasions in 2023 in exchange for cryptocurrency. When he was arrested in June 2023, authorities found approximately 672 grams of meth and a loaded ghost gun in his vehicle. The case underscores law enforcement's continued focus on dark web marketplaces and cryptocurrency-enabled drug trafficking. It also highlights the lasting impact of international operations that dismantled major criminal platforms such as Nemesis Market back in
Starting point is 00:12:33 2024. Turning to our Monday business briefing, investors continue pouring money into AI and cybersecurity, with several companies announcing new funding rounds and strategic acquisitions aimed at accelerating growth. Observability platform Coralogix led the pack with a $200 million Series F round to expand its AI capabilities and enterprise reach. AI security startup Gray Swan raised $40 million to scale security for organizations deploying AI, while AI governance company Jordi AI secured $30 million to support enterprise adoption of AI agents.
Starting point is 00:13:18 Attack surface management provider Mock N raised $15 million, and security compliance startup cracky and biometrics firm VoxMind also announced new funding. Meanwhile, consolidation in the sector continued. Industrial cybersecurity company Dragos acquired embedded device security specialist Phosphorus to expand protection across operational technology environments. Engineering firm Scientant also agreed to acquire AI-focused data engineering company, TAO Digital Solutions. The activity reflects continued demand for technologies that help organizations secure,
Starting point is 00:13:59 govern, and operationalize AI at scale. Coming up after the break, Tim Starks from CyberScoop discusses the ongoing debate over staffing and budget cuts at CISA, and NATO lets Ukraine play the bad guy. Stay with us. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of responders reported threat levels have increased in the past two years.
Starting point is 00:14:54 GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. It is always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at CyberScoop. Tim, welcome back. Hi, Dave. So a couple of stories that you have published here in rapid-fire order, and both of them have to do with CISA and some of the challenges they're facing. And I guess fair to say, some support that they're getting from some of the Democrats on the Hill. What's going on here, Tim?
Starting point is 00:15:52 Yeah, so Mark Wayne Mullen was on the Hill. the DHS Secretary knew in the job testifying about DHS's budget. And the very next day, that was in House Homeland Security Committee. The very next day,
Starting point is 00:16:08 the House Appropriations Committee released its planned fiscal 2027 appropriations bill for DHS, which both of these cases, we learned a little bit about plans for SISA and what the administration
Starting point is 00:16:22 and Mullen intended to do with it. And the news is Well, some interesting news in both cases, right? One is that Mullen talked about exactly how he wants SISA to be staffed. You might recall that before the second Trump administration, there were 3,400 people at Sisa, which is a decent number, that's been cut pretty dramatically. It's down to 2,200, which is even down from the last time we heard from DHS about how deeply they'd be. cut into it. But, you know, there'd been a little bit of talk about them wanting to rehire some people because some of the people were people they pushed out. Some of the people left on their
Starting point is 00:17:04 own. And so I guess they've decided they want to get it back to more like 2,800 people. Okay. So that's interesting information. It's a little out of line with the actual, what the actual Trump budget itself calls for. But that was produced before Mullen was really, had really taken over the home of DHS. And on the appropriations, side, going back to what the Trump administration has said they want to do with SISA, this would be a $250 million cut for SISA under the bill that then the appropriators approved on Friday. So a little bit of some shifting numbers here in the sense of what is the target?
Starting point is 00:17:43 What are we going to end up with? It's a little confusing. And when you talk about the Democrats getting support, they were very critical of this. They said this is the wrong time to be doing this when we have all the threats we do, and Sissah being the important agency, it is in cyber. So, you know, they have the support from Democrats, but, you know, with the House numbers being the way they are, it's almost certainly going to go through the way the Republicans want to see it go through. So there's little chance of any sort of meeting in the middle here when it comes to both the funding and the staffing?
Starting point is 00:18:19 I suspect that there is not a lot of room for meeting in the middle. I mean, it's entirely possible that Mullen could go to the appropriators and say, hey, I know what we said, we wanted, but can you up that a little bit? I mean, they'll have, yeah, this is the long process that's getting underway with just the very first bill being just released and approved at the subcommittee level. They've got to approve it at the committee level. They've got to approve it in the House. They've got to approve in the Senate. Then they've got to meet in the middle on that, whatever House and Senate do.
Starting point is 00:18:45 I think the Senate will probably be more inclined to give SISA a little bit more money than the House if we're going by recent years. So there will be room for the potential to meet a little bit in the middle, but maybe not in the middle between what Democrats want and what Republicans want, but more between what the Senate wants and the House wants and what Mullen might say or not say to appropriators about. This is what he wants for Sissau. Has there been any specific information from Republicans over why they want to extolli's. execute these cuts, or is it just broader, vaguer cutting of government in general? It's a little bit of both, I think. The message from House Republicans has been that they don't actually really want to cut Sessa that much. You know, Andrew Garberino, the House Homeland Security Chairman, has said he's concerned about this. We've seen lawmakers on both sides of the aisle say
Starting point is 00:19:39 syses being cut too deeply. I think partly this is Republicans doing some of the, of what Trump wants. You know, the numbers are difficult to get into sometimes because of apples to apples comparisons between what Trump says the budget is or will be. But this is a less steep cut under any measurement than what Trump wants. So it feels like they're doing a little bit of like,
Starting point is 00:20:07 you know, we don't want to cut the agency that badly. We're still going to cut it for you, Trump. But they also have the message when they are cutting, that Trump has used, which is this agency has been weaponized and was doing a bunch of work that it didn't need to be doing. And you and I have talked about this before. At a certain point, you have control of that agency. So if you're still cutting it because it's still somehow not, quote, unquote, on mission, then I don't know who's responsible for that. At a certain point, it's your agency. If you say it's still not on mission, then you've got to, you think you need to
Starting point is 00:20:43 make some changes to get it on mission, make the changes already. Yeah, I guess is my perception of SISA being kind of stuck in the middle as a political football? Is that still accurate? Or have we gotten past that? Trump's animus towards the organization, of course, is well documented. I don't see any sign other than perhaps that Mullen talked about higher staffing levels than what the original Trump budget proposed and where they are now. I don't see any sign that that that agency isn't still hated essentially by Trump. Maybe Mullen can shift things the way he wants them to go with the president.
Starting point is 00:21:25 If he has the president's here, I don't think we have a strong sense yet of the degree to which he is an extremely trusted advisor with Trump. The people he loves, he gives them what they want, basically. He gives them more responsibilities. Mullen's just too new in the job for us to get a sense of that. he has talked about having these unique authorities at Sessa and how he believes that they're not being used correct, they need to be used better.
Starting point is 00:21:50 So it sounds like he's a guy who would like to see Sessa be a little bit more muscular than it is now, but he's got an uphill climb there, I think. For one, the agency still doesn't have a director. We hear names every now and then, but then they turn out to not be accurate. It doesn't seem like an agency that's getting a lot of attention. Now, on the director front, I've heard different things about what's going on there,
Starting point is 00:22:14 that there have been some names bandied about legitimately from the White House and from the agency, but they just haven't quite met on those names yet. But, you know, I don't know if the fact that they don't have a director means that this is definitively a sign that the agency is still in the doghouse, but it's not a good sign that it's on the doghouse. Right. I would push back a little in your statement and say maybe it's not so much that they're not getting attention, that they're not getting love. Aw.
Starting point is 00:22:42 You had to go and make it sentimental. Well, so what kind of timeline are we on here for things being settled and the folks at Sisa knowing where they stand? With the way this administration has handled agencies, I don't know if that that will come. I don't know that that's a relief that is ever going to happen while Trump is president, frankly.
Starting point is 00:23:05 I think everybody's going to be unsettled. in all of their jobs in the federal government, basically until Trump is not like a president. But in terms of getting things more settled than they are now, you know, I think if the administration wants to put its person in the Cicerole, if they want to get their pick, they're probably going to need to do it before November. That's not some of the talk that people I've been talking to about
Starting point is 00:23:30 because, you know, they might not get who they want if Democrats take over. You know, it's entirely possible they could pick somebody who's not, nonpartisan and non-controversial, but that's not exactly the history of this administration. And then in terms of the budget, that's been a mess too. DHS has had funding lapses repeatedly in the last year and a half. I don't see any sign that that's probably going to abate anytime soon either. But if we're talking about normal appropriations process, they would be in line to get this all settled by October and know what their agency was going to have for a budget.
Starting point is 00:24:07 I'm not confident that that's going to happen on the time frame. It hasn't happened that way in Congress in a long time in general. But typically DHS has been an agency that's toward the front of the line, right? It's a bill that typically moves a little faster than the other bills, but with everything going on with ICE and all the other things of the administration is doing on immigration, it's much more at the end of the line these days. Yeah. All right. Interesting times. Interesting times. Yeah. Tim Starks is senior reporter at CyberScoop.
Starting point is 00:24:34 Tim, thanks so much for taking the time for us. Thanks, Dave. And finally, in a NATO exercise in Poland, the fictional nation of Peranza suffered a very bad week. First came a cyber attack that knocked out the power grid, then a flood, then a banking crisis. Behind it all was the equally fictional state of Carty, which flooded social media with AI-generated messages blaming government incompetence, and conveniently offering help. The twist? Ukrainian officials played the role of the disinformation operators.
Starting point is 00:25:31 The three-day simulation, held at NATO's Joint Analysis Training and Education Centre in Bydgoszcz, tested how governments respond to the kind of information warfare Ukraine faces daily. Ukrainian participants launched coordinated influence campaigns, while allied teams worked to maintain public trust and communicate during the crisis. By most accounts, the Ukrainians were faster, more creative, and more adept with AI, though judges said their fictional propaganda effort lost points for narrative consistency. The exercise reflects NATO's growing effort to learn from Ukraine's wartime experience.
Starting point is 00:26:17 Officials say the collaboration improves alliance readiness and helps Ukraine build closer interoperability with NATO, even as membership remains distant. Participants also acknowledged a familiar reality. Simulations can teach valuable lessons, but they struggle to capture the pressure, uncertainty, and emotional intensity of a real conflict. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Starting point is 00:27:15 Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazes. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
