CyberWire Daily - MFA meets its match.
Episode Date: February 19, 2026

Starkiller represents a significant escalation in phishing infrastructure. A blockchain lender breach affects nearly a million users. The Kimwolf botnet disrupts a peer-to-peer privacy network. Researchers identify vulnerabilities in widely used Visual Studio Code extensions. DEF CON bans three men named in the Epstein files. Texas sues TP-Link over supply chain security. Experts question the impact of cyber versus kinetic damage in Venezuela. African law enforcement arrest hundreds of suspected scammers. Tim Starks from CyberScoop explains CISA's upcoming town hall meetings over ICS reporting rules. Warsaw walls off Wi-Fi-wired wheels.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Tim Starks from CyberScoop discussing "CISA to host industry feedback sessions on cyber incident reporting regulation."

Selected Reading
Starkiller: New 'Commercial-Grade' Phishing Kit Bypasses MFA (Infosecurity Magazine)
Nearly 1 Million User Records Compromised in Figure Data Breach (SecurityWeek)
Kimwolf Botnet Swamps Anonymity Network I2P (Krebs on Security)
Flaws in Popular IDE Extensions Allow Data Exfiltration (Infosecurity Magazine)
DEF CON bans three Epstein-linked men from future events (The Register)
Texas sues TP-Link over Chinese hacking risks, user deception (Bleeping Computer)
The Caracas operation suggests cyber was part of the plan – just not the whole operation (CyberScoop)
Police arrests 651 suspects in African cybercrime crackdown (Bleeping Computer)
Nigerian man gets eight years in prison for hacking tax firms (Bleeping Computer)
Poland bans camera-packing cars made in China from military bases (The Register)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Cyber threats strike in minutes. Your analysis can't take weeks. That's where Vellox Reverser from Booz Allen comes in. It's an autonomous malware reverse engineering and threat intelligence product that turns weeks of painstaking manual analysis into minutes of AI-powered insights. With Vellox Reverser, security teams can perform deep analysis to learn how malware works and how to stop it. It's an advanced product that works at machine speed. If you need to outpace evolving adversaries and strengthen your defense at scale, request a demo or start your 30-day free trial of Vellox Reverser today at boozallen.com slash reverser.

Starkiller represents a significant escalation in phishing infrastructure. A blockchain lender breach affects nearly a million users. The Kimwolf botnet disrupts a peer-to-peer privacy network. Researchers identify vulnerabilities in widely used Visual Studio Code extensions. DEF CON bans three men named in the Epstein files. Texas sues TP-Link over supply chain security. Experts question the impact of cyber versus kinetic damage in Venezuela. African law enforcement arrest hundreds of suspected scammers. Tim Starks from CyberScoop explains CISA's upcoming town hall meetings over ICS reporting rules. And Warsaw walls off Wi-Fi-wired wheels.
It's Thursday, February 19th, 2026. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining us here today. It's great as always to have you with us.
A new phishing toolkit called Starkiller represents what researchers describe as a significant escalation in phishing infrastructure. Discovered by security firm Abnormal, the platform operates as a proxy that serves genuine login pages through attacker-controlled infrastructure rather than relying on static HTML clones. It launches a headless Chrome instance to mirror legitimate sites in real time, allowing victims to authenticate directly with the real service through the attacker's proxy. Because users interact with the live site, any multi-factor authentication codes or session tokens are forwarded to the legitimate service instantly, enabling attackers to bypass MFA. Starkiller can impersonate major brands, including Google, Microsoft, and financial institutions, and provides real-time session monitoring and keylogging. Sold as a subscription service on the dark web, Starkiller includes updates and support, increasing its potential longevity and impact.
Nearly one million users were affected by a data breach at Figure Technology Solutions, a Nasdaq-listed blockchain lender. The company confirmed an employee fell victim to a social engineering attack, allowing attackers to access a limited number of files. The ShinyHunters group claimed responsibility and published 2.4 gigabytes of alleged stolen data on its Tor leak site. Have I Been Pwned identified about 967,000 exposed records, including names and contact details. ShinyHunters linked the incident to a broader voice phishing campaign targeting Okta single sign-on accounts.
The Kimwolf Internet of Things botnet has disrupted the privacy network I2P after attempting to use it to evade takedown efforts, Krebs on Security reports. Around February 3rd, I2P users reported outages as tens of thousands of new routers flooded the network. Kimwolf operators later acknowledged on Discord that they had tried to connect roughly 700,000 infected devices to I2P, overwhelming a network that typically supports between 15,000 and 55,000 nodes. The incident amounts to a Sybil attack, where one actor controls large numbers of fake identities to destabilize a peer-to-peer system. Researchers say Kimwolf is experimenting with I2P and Tor as resilient command and control channels. I2P remains operational at reduced capacity, while reports suggest the botnet's size has recently declined significantly.
Researchers at OX Security have identified four vulnerabilities in widely used Visual Studio Code extensions, warning they could enable serious cyber attacks. Three flaws, which have been assigned CVEs by MITRE, affect extensions including Live Server, Markdown Preview Enhanced, and Code Runner, with combined downloads exceeding 128 million. The most severe, rated 9.1, could allow remote attackers to exfiltrate files from a developer's machine. Another enables arbitrary JavaScript execution and local network scanning, while a third permits remote code execution through social engineering. A fourth issue in Microsoft Live Preview was silently patched in September 2025. OX Security said the flaws expose a critical blind spot in developer environments and warned that a single compromised extension could enable broader organizational breaches.
DEF CON has banned three technology figures named in the Epstein files, despite no accusations of criminal wrongdoing. The individuals were cited by organizers for their documented contact with Jeffrey Epstein. Emails show past professional interactions, including introductions, funding discussions, and offers of conference tickets. DEF CON said the bans apply to all future events. The conference rarely publicizes bans, with only a handful disclosed since 2017.
Texas has sued TP-Link Systems, alleging the networking company misled consumers about security and supply chain origins while exposing devices to exploitation. Attorney General Ken Paxton claims TP-Link marketed routers as secure and labeled them "Made in Vietnam" despite sourcing most components from China. The lawsuit argues this creates national security risks, citing Chinese laws that could compel data sharing. The complaint references firmware vulnerabilities allegedly exploited by Chinese state-backed hackers and a botnet, tracked by Microsoft as Quad7 or CovertNetwork-1658, built largely from compromised TP-Link routers. Federal agencies have also flagged actively exploited flaws in TP-Link devices. Texas seeks civil penalties and disclosure requirements. TP-Link denies the allegations, calling them meritless and stating U.S. user data is stored domestically.
Public reporting has framed the January 3rd Caracas power outage during the mission targeting Nicolas Maduro as a precision cyber attack. But videos, photos, and expert analysis suggest visible physical damage to multiple substations could alone explain the disruption. Imagery showed destroyed equipment, bullet impacts, oil leaks, and fires at facilities, including Panamericana and Fuerte Tiuna. Experts told CyberScoop the kinetic damage appeared sufficient to cause localized outages, raising doubts about a cyber-only narrative. Officials have not publicly confirmed a cyber cause, despite early statements referencing cyber layering effects. Analysts say cyber operations may have supported the mission by reducing situational awareness or identifying weak points, but likely did not act alone. How the incident is characterized matters: a cyber-only framing could distort policy decisions, overstating digital capabilities while underestimating physical grid vulnerabilities that experts say remain critical.
African law enforcement agencies arrested 651 suspects and recovered more than $4.3 million during Interpol's Operation Red Card 2.0, targeting investment fraud, mobile money scams, and fake loan schemes. Conducted across 16 countries between December 8th and January 30th, the operation identified over 1,200 victims linked to over $45 million in losses. Authorities seized over 2,300 devices and dismantled over 1,400 malicious websites and servers. Nigeria, Kenya, and Côte d'Ivoire reported major arrests tied to phishing rings, fraudulent investment platforms, and abusive loan apps. Interpol officials emphasize the importance of cross-border cooperation against organized cybercrime networks.

Separately, Nigerian national Matthew Akande was sentenced in the United States to eight years in prison for hacking tax firms, stealing client data with Warzone remote access malware, and filing fraudulent returns seeking $8.1 million in refunds.
Coming up after the break, Tim Starks from CyberScoop explains CISA's upcoming town hall meetings over ICS reporting rules, and Warsaw walls off Wi-Fi-wired wheels. Stick around.
When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time-to-market, or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at guardsquare.com.
Most security conferences talk about Zero Trust. Zero Trust World puts you inside. This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs, where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert-led sessions, practical case studies, and technical deep dives focused on real-world implementation. Whether you're Blue Team, Red Team, or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry, and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ZTW.com and take your zero-trust strategy from theory to execution.
And joining me once again is Tim Starks. He is a senior reporter at CyberScoop. Tim, welcome back.
Good to be back.
Looking at this report that you recently published, this is about CISA looking to host some feedback sessions, some town halls, if you will, about some cyber incident reporting regulations. Can we start with a little bit of the background here, the legislation that makes this something that CISA wants to pursue?
Absolutely. I mean, there's been a lot of attention lately on that 10-year-old law that Congress has not been successfully reauthorizing. On the list of meaningful, important pieces of cybersecurity legislation that Congress has ever passed, it's really kind of a two-horse race. And the other one is a law that Congress got through in 2022 called the Cyber Incident Reporting for Critical Infrastructure Act. And the gist of it is, you know, it was right around the time a lot of things like SolarWinds were fresh in people's minds. And some of the bigger incidents that were happening around that time were people concerned that there just wasn't enough government awareness into what was happening. And they weren't able to essentially weaponize that information by giving it out to critical infrastructure owners and operators. So the law at its core says if you're a critical infrastructure owner or operator, you have to notify CISA within 72 hours if they suffer a major cyber attack. And there's some definitional terms in the law, what that means. And then if you make a ransomware payment as one of those owners and operators, you have to let CISA know within 24 hours. That's the gist of it.
Yeah.
And Congress had passed that back then, and they've been working on the regulation ever since.

So there are some points of contention here. What is at play in terms of people not having complete understanding of what this may or may not apply to?
Yeah. So, I mean, there has been a lot of drafting of the legislation, of the regulation under the Biden administration. They put out a proposed rule, and it addressed things like, you know, we said the law talks about critical infrastructure owners and operators, but who specifically, right? Who is considered a covered entity under this law has been the kind of definitional thing that this law has to handle. So some of those definitions industry did not like. They thought they were too broad. They thought they were too burdensome.

And so now CISA is saying that something they're considering are virtual town halls?
Exactly. So this was supposed to have been all wrapped up by, I believe, last fall. And three years to write a regulation. But I guess it's a complex regulation. Not even, I guess, it is. But it's still a little surprising to me that they couldn't get it done in that time frame. Even knowing that government doesn't operate at the speed of light, you know, three years is an awful lot of time to write a regulation. And they did devote a lot of manpower to doing it. Now, with the Trump administration coming in and saying, we're not going to meet that deadline, we're going to look at May. They said, you know, we need to have more discussions with industry about this regulation. They do seem to be inclined to make some changes to it and seem to be friendlier to the industry point of view on this. But we won't know until we see anything final, which we won't see for a while, because these town halls are presumably going to be done before there's a final, final, final regulation. So these will run through March and April, beginning of April. And then maybe we can start thinking about what the final regulations might look like.
Well, in your reporting, you talked to some insiders who were skeptical that this is what's really needed.
Yeah, there's been a lot of calls from industry for engagement. And that doesn't mean listening sessions, right? They think that they've made their points pretty clear on this, that these definitional things are problems, that the things they don't like, they've repeatedly said them. So another session where they just give feedback isn't what some in industry are looking for. They want more details on what this regulation, whether the difficulties in implementing it, they want to know things that are more of a two-way dialogue about how we're going to get this done and what it's going to look like in the end. And there hasn't been, according to the people I spoke to, there hasn't been a lot of that with CISA. Obviously, they're shorter staffed these days than they were. You can question whether they consider this or CIRCIA much of a priority. Maybe it's not a huge deal for them. To hear administration officials say it, it's still a very big deal to them. But I think those are the kinds of questions people have, are they really prioritizing this?
What is your sense for how things are going at CISA, just in terms of morale and just in general within that organization?
Not great.
Yeah.
Yeah, it's something I'm reporting on. It's something I hope to have some more stuff on soon. But the general, you know, while there might be some spots of potential optimism, there's a lot of dismay about what CISA has become.
Well, and concern that if the next round of government shutdowns come, it means what, half of their staff being furloughed.
I mean, yeah, I actually was just on the phone with the chairman of the House Homeland Security Committee, and we were talking about sort of the future of CISA. And it's a point that's been made before that government service becomes a lot less appealing if you're working without pay or if you're furloughed, and if it just happens every year, it's not a real appealing thing for people who want any kind of stability in their life. You might believe in the mission of government service and you might have the training and you might have the education. You might have the drive to do that. But it does become a huge impediment to wanting to keep doing it or to want to start doing it, if you just don't know with this administration whether they're going to cut your job that week, that day. At CISA, you know, we see stories all the time about reorganization plans and things they're shifting and moving around. It's a tough environment to work for the federal government these days. And CISA is one of those agencies that might have it a little rougher, frankly.
Yeah, it's a great point. I mean, I think about, you know, folks in government positions who would say, well, you know, we may not get paid as much as our colleagues in the private sector, but we have stability. And, you know, I think we have good benefits and all those sorts of things. And this is kind of taking a shot at that deal, at that arrangement.
It really is. I mean, I'm reminded of Russell Vought saying that their goal was to traumatize federal employees. It's not a real recruitment ad for working in the government, is it?
Right, right. And, you know, they want to shrink the size of government. You know, that's one of their goals. But maybe there are ways to do it that don't involve deliberately harming people.
Yeah, that wouldn't, that would be great.
It's going out there.
It's really hard to not be cynical these days, but we will do our best, Tim, you and I.
I've given up.
I'm going to stay simple.
Well, then just me.
All right, Tim Starks is senior reporter at CyberScoop. Tim, thanks so much for joining us.
Thanks, James.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber.
Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel, outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com.

And finally, Poland's Ministry of Defense has decided that if a car can record you, it probably should not park next to anything classified. The ministry this week banned Chinese-made vehicles, and any others equipped with technology capable of recording location, images, or sound, from entering protected military facilities. Officials are also barred from plugging work phones into infotainment systems in China-built cars, citing the risk of uncontrolled acquisition and use of data. The ban is not absolute. Warsaw plans to introduce a security vetting process so manufacturers can earn clearance, with carve-outs for inspections and rescue missions. Poland says the move aligns with NATO practices, though enforcement could get tricky given that some European brands manufacture models in China. The decision fits a broader pattern of restricting Chinese tech over espionage concerns. In short, if your car might be listening, it can wait at the gate.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com slash cyberwire 26. I'll see you in San Francisco.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack, zero-trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result? Fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com slash cyberwire. That's M-E-T-E-R dot com slash cyberwire.
