CyberWire Daily - Proposed cuts put CISA in focus.

Episode Date: April 7, 2026

CISA faces a $700 million budget cut. Russian and Iranian cyber cooperation raises concerns. New BPFDoor variants emerge. Cybercrime losses climb again. Researchers advance a GPU Rowhammer attack. Northern Ireland schools go offline after a breach. An alleged hacker-for-hire faces U.S. charges. And German police name the suspected REvil mastermind. Our guest is John Anthony Smith, Founder and Chief Security Officer at Fenix24, explaining why more technology hasn't made us more secure. A frustrated researcher drops the hammer.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On today’s Industry Voices segment, John Anthony Smith, Founder and Chief Security Officer at Fenix24, discusses why more technology hasn't made us more secure. Check out the full conversation here.

Selected Reading
White House Seeks to Slash CISA Funding by $707 Million (SecurityWeek)
Exclusive: Russia supplies Iran with cyber support, spy imagery to hone attacks, Ukraine says (Reuters)
New Whitepaper: Stealthy BPFDoor Variants are a Needle That Looks Like Hay (Rapid7)
FBI Internet Crime Complaint Center (IC3) Report 2025 (FBI Internet Crime Complaint Center (IC3))
GPUBreach: Root Shell Access Achieved via GPU Rowhammer Attack (SecurityWeek)
Cyberattack hits Northern Ireland’s centralized school network, disrupting access for thousands (The Record)
Suspect in Hacking of Climate Activists Is Extradited to New York (New York Times)
German Police Unmask REvil Ransomware Leader (SecurityWeek)
Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit (Bleeping Computer)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. No, it's not your imagination. Risk and regulation really are ramping up, and these days customers expect proof of security before they'll even do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're getting ready for a SOC 2 or managing an end-to-end enterprise governance, risk, and compliance program, Vanta helps keep you secure and keeps your deals
Starting point is 00:00:44 moving. Companies like Ramp and Writer spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me, it comes down to this. Over 10,000 companies from startups to large enterprises trust Vanta to help prove their security. Get started at vanta.com slash cyber. CISA faces a $700 million budget cut. Russian and Iranian cyber cooperation raises concerns. New BPFDoor variants emerge. Cybercrime losses climb again.
Starting point is 00:01:36 Researchers advance a GPU Rowhammer attack. Northern Ireland schools go offline after a breach. An alleged hacker for hire faces U.S. charges. German police name the suspected REvil mastermind. Our guest is John Anthony Smith, founder and chief security officer at Fenix24, explaining why more technology hasn't made us more secure. And a frustrated researcher drops the hammer.
Starting point is 00:02:14 It's Tuesday, April 7, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us. The Trump administration has proposed a $707 million cut to the Cybersecurity and Infrastructure Security Agency's fiscal year 27 budget, reducing it to about $2 billion. According to the Office of Management and Budget, the move is intended to refocus CISA on protecting
Starting point is 00:02:59 federal networks and critical infrastructure while eliminating what the administration describes as weaponization and waste. The proposal would remove programs considered redundant, including screen safety initiatives, and dissolve offices handling international affairs, stakeholder engagement, and efforts to counter misinformation. Similar cuts proposed in 2025 were reduced by Congress. The plan follows earlier workforce reductions of roughly 1,000 staff, even as CISA now seeks to hire more than 300 mission-critical employees. Nick Anderson is serving as acting director, and Sean Plankey has been re-nominated for director.
Starting point is 00:03:46 A Ukrainian intelligence assessment reviewed by Reuters alleges that Russian satellites conducted at least 24 imagery surveys of 46 military and infrastructure sites across 11 Middle Eastern countries between March 21st and 31st, with intelligence shared to support Iranian strikes on U.S. and regional targets. According to the assessment, several surveyed sites were hit by Iranian missiles and drones within days, suggesting a coordinated
Starting point is 00:04:17 pattern. A Western military source and a regional security source also reported increased Russian satellite activity. The report further claims Russian and Iranian hacker groups collaborated on cyber operations targeting regional infrastructure, including Israeli energy systems. Reuters could not independently verify the assessment. U.S. officials downplayed the operational impact, while Russia and Iran did not comment. The findings reflect deepening security cooperation under a bilateral strategic partnership agreement. Advanced persistent threat actors are adapting the BPFDoor malware after widespread deployment of static indicators of compromise forced changes to their tactics. Rapid7 Labs identified seven new BPFDoor variants, including HTP shell and ICMP shell, which enhance stealth and persistence.
Starting point is 00:05:18 The kernel-level backdoor uses Berkeley packet filters to monitor traffic inside the operating system and activates through specially crafted magic packets. The variants enable stateless command and control routing and ICMP relays, allowing attackers to evade advanced defenses and maintain covert access in global telecommunications infrastructure. The FBI's Internet Crime Complaint Center reported continued growth in cyber-enabled crime activity in 2025, highlighting ongoing financial losses from scams, fraud, and account takeover schemes. Since January 2025, IC3 received more than 5,100 complaints
Starting point is 00:06:04 tied to financial account takeover fraud alone, with losses exceeding $262 million. The report also notes continued impersonation campaigns targeting victims through messages claiming to originate from IC3 officials, as well as spoofed websites designed to harvest sensitive data. Mail theft-enabled check fraud and infrastructure-focused cyber incidents remain active concerns. Overall, IC3 reporting emphasized that social engineering, credential theft, and impersonation continue to drive losses across sectors.
Starting point is 00:06:42 The data underscores the importance of rapid incident reporting to support law enforcement response and trend tracking across evolving cybercrime campaigns. Researchers at the University of Toronto have demonstrated a new Rowhammer-based attack called GPUBreach
Starting point is 00:07:01 that enables privilege escalation by targeting GPU memory. Rowhammer exploits electrical interference from repeated memory access to trigger bit flips, historically affecting CPU memory. The team previously showed GPUHammer, which degraded deep neural network accuracy by flipping bits in Nvidia GPU memory. Their latest work shows attackers can corrupt GDDR6 GPU page tables to gain arbitrary read-write access to memory. Combined with memory safety flaws in Nvidia drivers, the attack can escalate privileges
Starting point is 00:07:41 to root-level system compromise. The technique poses a particular risk in cloud environments where GPUs are shared among users and requires only GPU code execution privileges, not physical access. Nvidia, Microsoft, AWS, and Google were notified. Researchers recommend enabling error-correcting code memory, though it is not a complete mitigation.
Starting point is 00:08:08 A cyber attack on Northern Ireland's centralized C2K school IT network has disrupted access to digital learning systems used by most schools across the region, affecting services relied on by roughly 300,000 students and 20,000 teachers. The Education Authority said it detected the incident last week and shut down system access to contain the breach. Officials report the investigation remains ongoing and it is not yet confirmed whether personal data was compromised, though there is currently no evidence of data loss or corruption. The EA is working with service provider Capita and an incident response firm to assess the situation and restore access. Recovery efforts are
Starting point is 00:08:54 underway, with some schools already back online and priority given to students preparing for exams. Authorities say restoration will continue over the coming days. A man named Amit Forlit has been extradited from the United Kingdom to New York to face U.S. charges tied to an alleged hacking-for-hire operation targeting environmental groups and other entities. Prosecutors say Forlit led a global enterprise from 2012 to 2019 that generated tens of millions of dollars through computer hacking and wire fraud schemes. He's charged with conspiracy to commit computer hacking and wire fraud,
Starting point is 00:09:37 offenses carrying potential sentences of up to 45 years. The indictment also links him to previously convicted hacker Aviram Azari and identifies lobbying firm DCI Group, working for ExxonMobil, among the operation's clients. Germany's Federal Criminal Police Office, the BKA, has identified Russian national Danil Maximovich Schuchin as the alleged leader behind the GandCrab and REvil ransomware operations between 2019 and 2021. Authorities link him to 130 extortion attempts, including 25 ransom payments totaling more than $2 million, with overall damages estimated above $40 million. Operating under a ransomware-as-a-service model, the group targeted enterprises and public institutions.
Starting point is 00:10:34 Schuchin, also known by several aliases, is believed to remain in Russia and has previously been linked to REvil by U.S. authorities and investigative reporting. Coming up after the break, my conversation with John Anthony Smith, founder and chief security officer at Fenix24. We're discussing why more technology hasn't made us more secure. And a frustrated researcher drops the hammer. Stay with us. Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel
Starting point is 00:11:46 attacks to building team resilience and more. Doppel, outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L.com. John Anthony Smith is founder and chief security officer at Fenix24, and in today's sponsored Industry Voices segment, we discuss why more technology hasn't made us more secure. I think the key disconnect is that we leaders commonly believe, and frankly, IT professionals as well, that purchasing a new tool is going to solve problems.
Starting point is 00:12:31 And I think at the onset when a tool is actually deployed, maybe it does solve some significant security challenge, but having performed hundreds of assessments in my career looking at various security tools in various organizations, I can say with emphatic belief that most of these tools are largely not configured in the context of what threat actors are able and willing to do. Maybe they were in the time that they were put in, but most of the time, I'm even doubtful that they were even implemented properly. The real problem is as organizations are making these investments. Frankly, they're looking for silver bullets by buying something and making a problem go away.
Starting point is 00:13:13 And simply, it's not playing out that way in truth. Can we dig into that? I know you've said that security failures usually aren't about missing technology. As you mentioned, they're about configuration and execution. What does that look like in the real world? Yeah, I'll give you some real world examples of this. Actually, Coalition, a cyber liability carrier based in California, a researcher there recently released a piece where he actually said that during significant breach,
Starting point is 00:13:46 companies that have filed claims, cyber liability claims, 58% of them discovered a partial or significant failure of their recovery capabilities during said breach or said significant security event. What we know from our own data is that 84% of organizations that we meet in breach, first time we've ever met them to actually orchestrate their recovery from a disastrous exfiltration or destructive event, that 84% of those organizations do not have a single survivable copy of backups. And so I would just say to you, organizations are commonly spending a lot of money on expensive backup and recovery tooling, things like Zerto, Rubrik, Cohesity, Veeam, Datto, Druva, insert backup
Starting point is 00:14:35 product here. And these products are commonly not orchestrated to actually use the features that they're designed for properly. And frankly, because most of the time these things are not being implemented from the context of breach, I'll give you another example, what we commonly see, especially with the proliferation of SaaS and cloud environments and in work from home. Of course, since COVID, it's been more extreme. But organizations have increased the convenience at which their users can work by allowing them to log into things like Office 365 and Salesforce and ServiceNow, whilst off of the corporate network, off of the corporate infrastructure and machines, desktops, laptops, et cetera, and allowing them to use their personal devices to do so. In doing so, they have actually
Starting point is 00:15:27 exposed effectively their entire credential basis and their authentication tokens to malicious harvest, to name a few issues that we see in assessment and breach. What about alert fatigue? It seems to me like a lot of folks, they're dealing with this flood of alerts. I can't help but think that that makes the security teams less effective. Yeah, I think most organizations that have attempted to build their own security operation centers, frankly, will never be tooled properly. Now, when I say tooled, I don't mean like tools, like, you know, SIEMs and EDRs.
Starting point is 00:16:06 I mean because I frankly believe most orgs have several tools that are capable of doing right things. I mean tooled as in people and process and policy. To be honest with you, I think that organizations that attempt to build SOCs on their own are setting themselves up for failure. I do see in assessments that to your point, Dave, there is a lot of alert fatigue, right? Alerts are ignored or they're simply not staffed enough to actually review them all. And frankly, even with AI technologies, while it is amplifying the effectiveness of all of this, there's still much to do, right? I just don't think that organizations that have attempted to build this on their own are ever going to be successful.
Starting point is 00:16:49 I frankly think that it is better to outsource log review, log response, frankly, because I just don't think orgs will ever be tooled for it. There is a lot of alert fatigue. I will bluntly tell you in breach, many orgs have had the alerts that should have demonstrated to them that there was an attacker in their environment, but they were being ignored or they weren't being responded to quickly. What we know from breaches is that dwell time is commonly short. It's sometime between 15 minutes and 72 hours, most commonly. And so if it takes you every minute thereafter, 15 minutes, I would say you have exponentially decreasing likelihood
Starting point is 00:17:29 of actually stopping the threat actor from causing some form of a significant exfiel or destructive act. So the alerts are a big deal, and I just don't think orgs are tooled for them well. What are your recommendations for organizations to, I guess, self-assess? What I'm getting at here is people add tools and it increases the complexity. And it seems to me like there's a threshold where if you keep adding tools and adding tools, that complexity itself could become a vulnerability. That's a great point. I would say to you, a dear friend of mine once said, for every complex problem, there is a simple solution, and it is always wrong.
Starting point is 00:18:13 What I mean by saying that in this context is, I think the only way to actually solve a complex problem is with a complex solution. However, I would say it's not commonly a factor of spend, right? If you look at the market, right, the defense and prevention market is a $200 billion plus market, right? The resiliency market is a $20 billion market. I would just say to you that a more appropriate place to focus would be on the resiliency side of the equation, right, and double down in that area. And I do believe that complexity is
Starting point is 00:18:51 required, right, to actually orchestrate a survivable recovery. That's also going to provide timely recovery, is going to require complexity because, in essence, you have to create an environment that frustrates the attacker to the point that they simply give up on trying to find all of your means to recover. And then secondarily to that, on the defensive side, and only secondarily to that, I think with existing tools, I think organizations have to be hyper-focused on frustrating the attacker.
Starting point is 00:19:23 And I think if you look across what most orgs are doing, they are trying to increase convenience for their users, whilst also increasing compliance, and both of those things do not commonly frustrate the attacker. And so I do think actually more complexity is required. Certainly, I think there is a straw in there that will break the camel's back, right? Obviously, there's a point in which you don't need any more complexity and you have diminishing returns. Yeah.
Starting point is 00:19:56 What about the decision-making process, the governance? I'm looking at the leaders in an organization deciding whether or not to add these tools, deciding where to spend their attention, their resources. What sort of executive decisions come into play here? I would say to an executive, you're probably spending enough money today on prevention. It's highly likely you're spending enough money today on prevention tools. I would say to executives that statistically, it is unlikely that, one, you're going to have a recovery, two, that you're going to have a timely recovery, and your IT org needs to be,
Starting point is 00:20:42 should be, hyper-focused on resiliency. In essence, ensuring that the org will have a recovery and secondarily that it will be timely. I would say that if you're going to spend focus, time, and money elsewhere, or own something, it needs to be resilience, because frankly, if you look at the statistics, simply no org really is. You know, I sometimes think about organizations, security folks, you know, fantasizing that they have like one of those big scissors switches like from an old Frankenstein movie on the wall. And when things go down, they can just go over and reach to that switch and, you know, throw it down and everything will come back up and be just the way it was moments before.
Starting point is 00:21:29 But that, as you say, that's rarely the reality. nearly never the reality. Matter of fact, most orgs we see during assessments, because obviously we believe that orgs, when you talk about executives, I believe the best and fastest way to know if you have a resilient organization is actually to measure your resiliency against what threat actors are actually doing, not what compliance standards say, not what you're reading in the news, but really hiring a professional that understands how threat actors are compromising backup and recovery infrastructures, virtual infrastructures, cloud environments, and actually orchestrating these destructive acts, I think that that is a much better way to spend time and money.
Starting point is 00:22:12 But to your point, many orgs are, they have stated objectives, right? RTOs, RPOs that frankly are not achievable in the context of human-caused destruction, right? If you are an org that believes that your critical enterprise resource planning app like SAP, hosted internal, is going to be back online in four hours with less than 30 minutes of data loss after a human-caused destructive attack, you're probably living in a farce. Actually, I can almost guarantee you're living in a farce. So what's the difference here in your mind between organizations who are set up for success
Starting point is 00:22:53 and organizations who are not? I love this question. So firstly, I would say an organization that is set up for success is one that has invested significantly in resilience. Instead of believing falsely that they can prevent all forms of breaches and a breach is unlikely and therefore they don't have to prepare for it, they instead say it's highly unlikely that we will be able to prevent breach and that breach will eventually occur. And when it does, how ready are we going to be? And instead, we, organizations that have focused there, focus there first, and really doubled down on their investments around resiliency, leveraging breach reality, orchestrated multiple copies of backups, in multiple identity planes using multiple immutability algorithms on segmented hardware and segmented infrastructure, implementing things like digital air gapping. These types of organizations, I believe, are really set up for success because they have doubled down on
Starting point is 00:23:55 recovery first. That's John Anthony Smith, founder and chief security officer at Fenix24. This episode is brought to you by Telus Online Security. Oh, tax season is the worst. You mean hack season? Sorry, what? Yeah, cybercriminals love tax forms. But I've got Telus Online Security.
Starting point is 00:24:29 It helps protect against identity theft and financial fraud, so I can stress less during tax season, or any season. Plans start at just $12 a month. Learn more at telus.com slash online security. No one can prevent all cybercrime or identity theft. Conditions apply. Great news. The federal EV rebate is back.
Starting point is 00:24:49 Eligible customers get up to $5,000 with the federal EV rebate on select 2027 Bolt and 26 Equinox EV models. Visit your local Chevrolet dealer today for more details. And finally, exploit code has appeared online for an unpatched Windows privilege escalation flaw known as BlueHammer, after a frustrated researcher decided to skip further polite conversation with Microsoft and go straight to GitHub.
Starting point is 00:25:22 The vulnerability, now a zero-day by Microsoft's definition, can let a local attacker access the security account manager database and potentially promote themselves all the way to system privileges, effectively taking over the machine. The researcher, posting as chaotic eclipse, declined to explain the exploit in detail, suggesting others could figure it out, while also thanking Microsoft's response process for the inspiration. Analysts confirmed the technique combines timing and path confusion flaws, though the proof of concept code is reportedly buggy and unreliable in some environments. Microsoft says it's investigating. Meanwhile, defenders are reminded that local access required is often less reassuring than it sounds,
Starting point is 00:26:13 especially once attackers arrive locally by other means. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to Cyberwire at n2K.com. N2K's lead producer is Liz Stokes.
Starting point is 00:27:01 We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazas. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you. back here tomorrow.
