CyberWire Daily - Mind the gap between IT and OT.
Episode Date: May 29, 2026
Iranian hackers hit LA transit. Chinese cyber operators target Middle East infrastructure. Dutch police take down a 17-million-device botnet. Researchers uncover a phishing risk in ChatGPT. Anthropic prepares its Mythos model for release. Chrome patches 22 critical bugs. Zapier fixes a dangerous vulnerability chain. ShinyHunters claims a Charter breach. A data broker who fueled scams against millions of seniors heads to prison. Maria Varmazis joins Dave Bittner for a look back at a decade of ransomware. A Google insider allegedly went from threat hunting to bet hunting.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today CyberWire hosts Maria Varmazis and Dave Bittner take a look at how ransomware has evolved over the past decade, from opportunistic attacks to today’s sprawling criminal enterprises, and discuss the tactics, trends, and turning points that shaped the threat landscape. You can catch the full conversation on Sunday in the CyberWire Daily podcast feed. We hope you’ll join us!
Selected Reading
Iranian hackers behind March's LA transport cyberattack, Gambit finds (The Jerusalem Post)
Chinese Hackers Exploit Iran War to Target Maritime and Energy Firms (Infosecurity Magazine)
Dutch cops wrest 17M devices from mystery botnet's clutches (The Register)
ChatGPT blindly trusts browser content, turning the page into a payload (The Register)
Anthropic confirms Claude Mythos-class models will roll out to the public (Bleeping Computer)
Chrome 148 Update Patches 151 Vulnerabilities (SecurityWeek)
Zapier fixes bug chain that researchers say risked widespread account takeover (CyberScoop)
Charter Communications data breach affects 4.9 million accounts (Bleeping Computer)
Man sent to prison for selling data of 7 million elderly Americans (Bleeping Computer)
US charges Google security engineer with Polymarket insider trading (Bleeping Computer)
Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Do you know how the space and cybersecurity domains connect?
T-Minus Space Cyber Briefing is your guide through the space-based systems that expand the attack surface.
I'm Maria Varmazis, host here at N2K CyberWire, and I'm excited to share that T-Minus is back.
Now, as a weekly podcast, the T-Minus Space Cyber Briefing.
We have a new dedicated focus on two great things that are even better together, space and cybersecurity.
Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly internet-enabled.
We're talking cybersecurity technologies, policies, and organizations that are securing the critical space-based infrastructure that powers, protects, and connects our lives here on Earth.
So join me for T-Minus Space Cyber Briefing, new episodes every Sunday.
No, it's not your imagination.
Risk and regulation really are ramping up,
and these days customers expect proof of security before they'll even do business.
That's where Vanta comes in.
Vanta automates your compliance process and brings compliance, risk, and customer trust together
on one AI-powered platform.
So whether you're getting ready for a SOC 2 or managing an enterprise
governance, risk, and compliance program, Vanta helps keep you secure and keeps your deals moving.
Companies like Ramp and Writer spend 82% less time on audits with Vanta.
That means less time chasing paperwork and more time focused on growth.
For me, it comes down to this.
Over 10,000 companies from startups to large enterprises, trust Vanta to help prove their security.
Get started at vanta.com/cyber.
Iranian hackers hit LA Transit, Chinese cyber operators target Middle East infrastructure,
Dutch police take down a 17 million device botnet, researchers uncover a phishing risk in ChatGPT,
Anthropic prepares its Mythos model for release, Chrome patches 22 critical bugs,
Zapier fixes a dangerous vulnerability chain, ShinyHunters claims a Charter breach,
a data broker who fueled scams against millions of seniors heads to prison.
Maria Varmazis joins me for a look back at a decade of ransomware,
and a Google insider allegedly went from threat hunting to bet hunting.
It's Friday, May 29, 2026.
I'm Dave Bittner, and this is your CyberWire Intel briefing.
Thanks for joining us here today, and happy Friday.
It's great as always to have you with us.
Iranian-linked hackers were likely behind a March cyber attack
that disrupted parts of the Los Angeles County Metropolitan Transportation Authority,
according to Israeli cybersecurity firm Gambit Security.
The company said it uncovered at least 700 gigabytes of stolen emails, backups, and other files
after the data was accidentally exposed online.
Gambit's investigation traced the server hosting the data to a known hacking operation
previously linked by Israeli officials and researchers to Iran.
The attack disrupted passenger-facing digital services, including arrival time displays and digital fare card systems.
Gambit reported that the operation went beyond data theft, with attackers allegedly deleting virtual machines, databases, storage volumes, and backup infrastructure in an apparent effort to hinder recovery efforts.
A group called Ababil of Minab, claimed responsibility shortly after the intrusion.
While the group presents itself as an independent activist organization,
security researchers have long suspected ties to Iranian state-backed cyber operations.
U.S. authorities, including the FBI, are investigating the incident,
though official attribution remains unresolved.
Chinese state-aligned hacking groups are increasingly exploiting geopolitical
instability in the Middle East to target maritime, energy, and government organizations,
according to ESET's latest APT activity report.
Researchers observed Chinese cyber operations focused on improving Beijing's visibility
into regional political and economic developments following U.S. military actions against Iran.
Activity included attacks on maritime-related government entities in Venezuela,
Syrian government networks, and an AI and robotics company in South Korea,
reflecting China's broader strategic and economic interests.
The report also highlighted continued Russian cyber activity targeting Ukraine,
including attacks on military-linked organizations, drone manufacturers, and logistics
providers, as well as destructive malware campaigns attributed to Sandworm.
Meanwhile, Iran-linked cyber operations appeared to shift
from established state-backed groups to proxy and hacktivist actors,
with Israel remaining a primary target for espionage and disruptive attacks.
Dutch police have dismantled a botnet containing at least 17 million compromised devices
after a tip from a researcher at the Netherlands National Cybersecurity Center.
Investigators identified roughly 200 servers supporting the botnet's infrastructure within the country
and seized several systems for analysis.
A hosting provider subsequently shut down the network
after determining it was being used for criminal activity.
Authorities did not disclose the botnet's name,
the specific devices involved, or how it was used,
though officials noted botnets are commonly leveraged
for phishing, distributed denial of service attacks, and online fraud.
The takedown comes amid growing concern
over residential proxy networks,
which cybercriminals increasingly use
to disguise malicious traffic.
Separately, the NCSC reported
cyber attacks against Dutch organizations
fell to a nine-year low in 2024,
a trend it partly attributed
to broader adoption of multi-factor authentication.
A prompt injection technique
dubbed "ChatG Fish"
could allow attacker-controlled web content
to influence ChatGPT's responses when users request page summaries.
According to Permiso threat hunter Andi Ahmeti,
hidden instructions embedded in a web page's markdown
can cause the chatbot to display convincing phishing links
or fake security alerts that appear to originate from ChatGPT itself.
Ahmeti demonstrated how attackers could insert fraudulent account warnings
and malicious links into otherwise legitimate summaries.
He also showed that embedded QR codes could redirect victims from their desktops
to attacker-controlled websites or mobile devices,
potentially bypassing browser-based security protections.
The vulnerability stems from ChatGPT treating untrusted external content
as trusted input during summarization.
Ahmeti reported the issue to OpenAI through Bugcrowd,
but said he has not received confirmation that a fix has been implemented.
Researchers recommend treating AI-generated content as untrusted
and strengthening safeguards around rendered external content.
Anthropic says it plans to make its powerful Mythos-class AI models
available to all customers in the coming weeks
after initially restricting access over cybersecurity concerns.
Introduced in April for select organizations
and security researchers,
Mythos was withheld from public release
because of concerns that advanced coding and reasoning capabilities
could be misused by attackers.
The company now says it has made significant progress
developing safeguards to reduce those risks.
Anthropic claims Mythos delivers substantial improvements
in code reasoning and autonomy
compared to its current flagship model,
Claude Opus 4.8,
though it has not confirmed exactly which version
will be publicly released.
Google has released a Chrome 148 update that patches 151 vulnerabilities, including 22 rated
critical.
The most severe flaws include an out-of-bounds write in the GPU component and a use-after-free
bug in Network, with each earning researchers a $43,000 bug bounty.
Most critical issues involve memory safety weaknesses that could potentially enable remote
code execution or sandbox escapes. The update also fixes 123 high severity vulnerabilities.
Google says it has paid more than $130,000 in rewards so far, though many payouts remain
undisclosed. The company has addressed more than 350 vulnerabilities across Chrome 148 releases
since late March, with many discoveries attributed to Google's internal research efforts.
Researchers at Token Security uncovered a chain of five vulnerabilities in the automation platform
Zapier that could have allowed attackers with only a free account to compromise millions of users
and their connected services. By linking several seemingly routine flaws, the researchers were
able to access internal systems, recover credentials, and identify a code-signing key
tied to software running in every logged-in user's browser.
In a worst-case scenario, an attacker could have modified automations,
sent emails, moved data, or interacted with connected applications
while appearing to be a legitimate user.
The researchers also demonstrated access to a third-party executive's Gmail account
through an exposed key.
Token Security reported the issues in February,
and Zapier says all vulnerabilities were patched within weeks,
with no evidence of exploitation.
The ShinyHunters extortion group has claimed responsibility for a breach of Charter Communications
that exposed data from 4.9 million accounts, according to Have I Been Pwned.
The attackers allegedly gained access through a voice phishing attack targeting an employee's
Microsoft Entra account and then stole data from Charter's Salesforce environment.
Exposed information reportedly included names,
email addresses, phone numbers, physical addresses, and some employee records.
Charter confirmed the breach but stated that no sensitive personal information or customer
proprietary network information was exfiltrated. After Charter refused to pay a ransom,
ShinyHunters allegedly published the stolen data on its leak site. A North Carolina man has been
sentenced to more than 10 years in prison for supplying personal information on over 7 million
elderly Americans to scammers who used the data in lottery fraud schemes.
Troy Murray, who operated under the alias Steve Dixon, pleaded guilty to conspiracy to commit wire fraud
and received a 121-month prison sentence, along with forfeiture of $5.2 million.
Prosecutors said Murray stole thousands of lead lists containing names, addresses,
phone numbers, and email addresses between 2016 and 2023, generating more than $5.2 million,
while contributing over $9.5 million in victim losses. He allegedly distributed at least 22,000
lead lists and later accepted payment through prepaid gift cards. Authorities also charged his
son with laundering $1.6 million in fraud proceeds. Coming up after the break,
Maria Varmazis joins me for a look back at a decade of ransomware,
and a Google insider allegedly went from threat hunting to bet hunting.
Stay with us.
Most environments trust far more than they should, and attackers know it.
ThreatLocker solves that by enforcing default deny at the point of execution.
With ThreatLocker Allowlisting, you stop unknown executables cold.
With Ringfencing, you control how trusted applications behave.
And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards.
ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain.
It's powerful protection that gives CISOs real visibility, real control, and real peace of mind.
ThreatLocker makes zero trust attainable, even for small security teams.
See why thousands of organizations choose ThreatLocker to minimize alert fatigue,
stop ransomware at the source, and regain control over their environments.
Schedule your demo at threatlocker.com/N2K today.
When it comes to mobile application security, good enough is a risk.
A recent survey shows that 72% of organizations reported at least one mobile application security incident last year,
and 92% of responders reported threat levels have increased in the past two years.
GuardSquare delivers the highest level of security for your mobile apps
without compromising performance, time to market, or user experience.
Discover how GuardSquare provides industry-leading security for your Android and iOS apps
at www.guardsquare.com.
Longtime listeners know that we are celebrating our 10th anniversary here at the CyberWire.
And today, Maria Varmazis joins me for a look back at a decade of ransomware.
All right.
Well, welcome back, everybody.
It is my pleasure yet again to welcome Dave Bittner, host of the CyberWire Daily, to speak with me today.
Hi, Dave.
Hello.
Good to be back.
Yes, good to see you, Dave.
And we are, as we have been this past year, celebrating 10 years of the CyberWire Daily,
which, again, what a feat.
Congratulations, Dave.
Hard to believe.
Time flies when you're having fun.
Oh, that's so sweet.
So 10 years is a decent amount of time.
You know, blink of an eye for some and quite an age for others.
And when I think of the last 10 years,
I'm pretty sure I've said this every conversation we've had.
But to me, the true story of the last 10 years in the cybersecurity realm has been ransomware.
That is the number one thing that I think of.
So we're going to dedicate our time today to talking about ransomware,
how it has changed
extraordinarily over the last 10 years, and you've watched it all happen.
So if we do our Wayne's World, going back 10 years.
Yes, yes.
Ransomware was like back in 2016, 2017.
Yeah.
How would you have described it back then for those that maybe have forgotten or weren't there for this?
Well, I mean, you know, when I started doing this every day, so 10 years ago,
you know, ransomware had been around for a while.
the idea of it had been around for a while,
but it becoming a business,
people making their living off of it widely,
was pretty new still.
And my recollection is that in the early days,
it was what we would look back at now
and consider to be, you know,
adorable small-time street crime versions of ransomware, right?
Someone would, they were targeting individuals.
It was like, you know, walking down the street and being mugged, except on your computer.
People would get you for $100 or a couple hundred dollars, but it really wasn't going to change your life very much.
Chances are you'd pay the ransom.
Your files would be unlocked.
You'd go about your business, and that's what it was.
Yeah.
There was also the accelerant of much more potent threats that were doing much more damage and casting a much
wider net, and I would be remiss if I didn't just say the word WannaCry. I mean,
makes me want to cry. It made us all want to cry. Do you remember hearing about WannaCry for the
first time, or do you remember that story unfolding? Because that really was seismic.
It was, yeah. It was 2017, I believe, that WannaCry happened. And I think that was really the
moment that ransomware became generally present for the general public. People knew what ransomware was.
It wasn't just a niche thing anymore.
What did WannaCry,
what did it get, about a quarter million computers
all over the world,
but also what it got.
They disrupted hospitals
and transportation systems
and manufacturers.
So it was hitting people where they live,
shutting down people's work
and that sort of thing.
So really showed how ransomware
could spread globally
using unpatched vulnerabilities.
It was an eye-opener for people all over the world.
You know, I think it's also worth just taking maybe a half-step back at that point of time.
I remember right around that era, right around 2017, interviewing people, experts in cybersecurity,
who really thought ransomware was going to be winding down.
Yes, yeah. Right?
Yep. I remember it was just a, it was a bit of a footnote in the threat reports that were
coming out. It was like, yeah, it's this thing, but don't worry about it. You're fine.
Don't even think about it. And what they thought the real threat was going to be crypto mining,
because that was, I use air quotes, a victimless crime where you sneak into someone's computer
and you have it run all night mining Bitcoin for you and they don't know it. It doesn't really
affect what they're doing. So you're not going to attract law enforcement because you're not really
hurting anyone other than using up their electricity.
But of course, that didn't happen.
It went completely the other way.
And when we look back at the evolution of ransomware over the last 10 years,
I think something that's also noticeable is how the nature of the threat has evolved in,
I hate calling it interesting because it's dangerous.
But it is, as we analyze it, it's interesting.
From straight up extortion to extortion on several different levels.
not just I want your money, but also I have now your intellectual property.
That is to me darkly fascinating that that's what we ended up with.
Yeah, you're absolutely right.
I mean, we went from just locking up the files and saying,
if you want the key, please send us some money to both locking up and exfiltrating files.
And now plenty of groups don't even bother to lock up the files.
All they want to do is exfiltrate the files.
And then they'll say, hey, if you don't want these,
files leaked and you don't want to suffer the reputational damage, please pay us money. And, you know, just
recently we saw the thing with Canvas, where it seems like Canvas paid the ransom in order to
get their files back, and people are, how do I describe this, they have, I guess, appropriate
skepticism when the folks at Canvas are saying that the bad actors assured them and provided
somehow proof that the files had been deleted,
like had a screen capture of someone emptying a trash can?
Yeah, you can't talk through that.
That's just science.
Yeah.
Right.
So I think that also, not to get too philosophical
and out of our range of conversation here,
but it really does become a who can you trust conversation.
Your thoughts on where,
it's going with ransomware.
Not that you necessarily know
better than anybody else.
But, you know, I'm curious
your thoughts on this.
Well, it seems like it's trending
in a good way,
or maybe at least it's not,
doesn't seem to be getting worse anymore.
The numbers are going down
in terms of the number of attacks
and the amount of money
that the bad guys are getting.
It's still a lucrative business.
I wonder how much
of the decrease is due to the fact that so many people have updated their basic hygiene,
that the low-hanging ransomware fruit just isn't there anymore.
It takes a much larger investment through social engineering to make this happen.
So you kind of, you've weeded out a lot of the ransomware operators who are just doing it for giggles.
And now we've got these groups that are organized crime who are financed,
either independently or by nation states,
and they're still doing their things,
still going after the big whales.
But can we say that an upside to ransomware
is that it forced everyone into better basic hygiene?
Like how many people have multi-factor authentication
because of the fear of ransomware
or because they actually got hit by ransomware?
What a terrible success story that is if that's...
Yeah.
Yeah.
Unintended consequence.
Yeah, well, I'll take that one.
That's a good unintended consequence.
Or, yeah, on their part, unintended.
Right.
But wouldn't, I mean, truly, the criminals are looking for the quickest buck or quickest coin.
So if there are other methods that are now just so much easier for them to do,
maybe they're also just walking away from ransomware because social engineering with AI is now so much easier.
True.
Yeah.
I wonder something's taking its place.
I'm sure there is something.
Right.
And you know, Maria, I don't have to run faster than the bear.
I only have to run faster than you.
That's right.
And I don't run very fast.
As all our Hacking Humans listeners know, I click all the links.
So, you know.
I am no speed demon myself.
Yeah.
I mean, look, it's here to stay, or certainly for the short term.
And it'll be interesting to see how much AI actually affects it.
but hold on to the bar because here we go.
We're heading up the lift hill.
There's more to my conversation with Maria.
We will be posting the extended version of our conversation this weekend.
Look for that in your CyberWire feed.
In Toronto, every arrival is a statement,
and nothing says it better than this.
Cadillac OPTIQ was the number one selling luxury EV in Canada for 2025.
Find your rhythm across a seamless 33-inch display
and an immersive 19 speaker AKG surround audio system.
This city demands agility, and OPTIQ delivers with precision to make every drive extraordinary.
Let's take the Cadillac.
Find out more at cadillaccanada.ca.
Luxury sales claim based on S&P Global Mobility Canadian New Vehicle Total Registrations
for calendar year 2025 for the Cadillac definition of luxury.
And finally, a Google security engineer is facing insider trading charges
after prosecutors say he turned confidential company data into a remarkably successful prediction market strategy.
Michele Spagnuolo, a Google employee since 2014, allegedly used access to Google's unreleased
Year in Search rankings to place highly accurate bets on the decentralized platform Polymarket under the alias Alpha Raccoon.
The raccoon mask came off when investigators started running.
through the digital trash cans.
According to authorities, Spagnuolo wagered roughly $2.75 million on whether certain people would
appear in Google's annual trending search lists, then collected about $1.2 million in profits
when the results were publicly released.
The alleged winning streak attracted attention online, where users began speculating that
Alpha Raccoon had inside knowledge.
Prosecutors say the account was later scrubbed of its username, and the proceeds were moved through
cryptocurrency services designed to obscure transactions.
Now, the engineer who helped secure systems is accused of exploiting privileged access to game a market,
a strategy that proved lucrative until investigators started searching as well.
He faces fraud and money laundering charges, carrying potential decades-long prison sentences.
As investment strategies go, access to confidential data tends to perform well, at least until discovery begins.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And hey, Maria Varmazis is here. Be sure to join me on Sunday for T-Minus Space Cyber Briefing.
In this upcoming episode, we're going to be talking about GPS and why it matters in a cybersecurity context.
That's T-Minus Space Cyber Briefing on Sunday. Don't miss it.
Be sure to check out this weekend's Research Saturday and my conversation with Marco Giuliani,
Vice President and Head of Research at Threatdown.
The research we're discussing is titled "Gatchee Loader Adopts AI Skill Lure."
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's lead producer is Liz Stokes.
We're mixed by Tré Hester with original music and sound design by Elliott Peltzman.
Our contributing host is Maria Varmazis.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
