CyberWire Daily - Reports from RSAC and beyond.
Episode Date: March 24, 2026

RSAC spotlights public-private partnership gaps. DarkSword leaks to GitHub. The FCC blocks new foreign-made routers. Citrix patches a critical NetScaler flaw. DOE rolls out an energy-sector cyber strategy. CanisterWorm spreads through npm. Researchers flag suspected KACE SMA exploitation. QualDerm reports a 3.1-million-record breach. A Russian access broker gets 81 months. Intern Kevin checks in from RSAC. Maria Varmazis speaks with Jake Braun, longtime DEF CON organizer and former White House official, about the DEF CON 33 Hackers' Almanack. Slow down, you vibe too fast.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Maria Varmazis speaks with today's guest Jake Braun, longtime DEF CON organizer, former White House official, and lead on DEF CON Franklin, about the DEF CON 33 Hackers' Almanack. You can read more about it here.

Selected Reading

Public-private partnerships vital in disrupting China's Typhoons, says RSA panel with no government speakers (The Register)
Someone has publicly leaked an exploit kit that can hack millions of iPhones (TechCrunch)
US bans any new consumer-grade routers not made in America (The Register)
Critical Citrix NetScaler Vulnerability Poised for Exploitation, Security Firms Warn (SecurityWeek)
DOE Sets 5-Year Plan to Harden US Grid Against Cyberattacks (GovInfo Security)
New CanisterWorm Targets Kubernetes Clusters, Deploys "Kamikaze" Wiper (Hackread)
CVE-2025-32975 (Arctic Wolf)
3.1 Million Impacted by QualDerm Data Breach (SecurityWeek)
Russian hacker who helped Yanluowang ransomware gang gets nearly 7-year prison sentence (The Record)
This Web Tool Sabotages AI Chatbots By Making Them Really, Really Slow (404 Media)

Share your feedback

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.

At Desjardins, we speak business. We speak equipment modernization. We're fluent in data digitization and expansion into foreign markets. And we can talk all day about streamlining manufacturing processes. Because at Desjardins Business, we speak the same language you do. Business. So join the more than 400,000 Canadian entrepreneurs who already count on us. And contact Desjardins today. We'd love to talk. Business.
RSAC spotlights public-private partnership gaps. DarkSword leaks to GitHub. The FCC blocks new foreign-made routers. Citrix patches a critical NetScaler flaw. The DOE rolls out an energy sector cyber strategy. CanisterWorm spreads through npm. Researchers flag suspected KACE SMA exploitation. QualDerm reports a 3.1 million record breach. A Russian access broker gets 81 months. Intern Kevin checks in from RSAC. Maria Varmazis speaks with Jake Braun, longtime DEF CON organizer and former White House official, about the DEF CON 33 Hackers' Almanack. And slow down. You vibe too fast. It's Tuesday, March 24th, 2026. I'm Dave Bittner, and this is your CyberWire Intel briefing.
Thanks for joining us here today as we come to you from RSAC 2026 here in beautiful San Francisco. It's great to have you with us.

Yesterday at RSAC 2026, panelists highlighted persistent gaps in real-time information sharing between government and private industry, using the cybercrime group Scattered Spider as a case study. Former FBI cyber official Dave Scott recalled that officials once proposed a joint coordination cell to exchange intelligence with private partners in real time, but legal and approval barriers prevented it. Years later, phone-based social engineering has become the second most common initial access method and the leading tactic for cloud intrusions, underscoring the missed opportunity. A panel originally focused on China's Volt and Salt Typhoon campaigns proceeded without FBI or NSA participation, leaving an empty chair on stage and reinforcing concerns about public-private coordination. Speakers stressed that private companies often detect activity first because attacks frequently target privately operated infrastructure. They argued that timely intelligence sharing, especially as AI accelerates threat activity, is increasingly critical. Still, the absence of government voices at a major security forum signaled lingering coordination challenges.

A newer version of the iPhone hacking toolkit DarkSword spyware has been leaked to GitHub, raising concerns that attackers can easily target devices running outdated Apple operating systems. Researchers at iVerify warned the tool requires little technical expertise to deploy and can infiltrate contacts, messages, call history, and keychain data from vulnerable devices. A security hobbyist reported successfully exploiting an iPad mini running iOS 18 using circulating samples. Apple said updated devices are not affected and issued emergency patches for older systems unable to run newer versions. Researchers estimate hundreds of millions of devices may remain exposed. The leak follows earlier reporting that DarkSword infrastructure was linked to activity attributed to Russian government hackers targeting Ukrainian users.
The Federal Communications Commission has added all foreign-made consumer routers to its Covered List under the Secure Networks Act, citing national security risks tied to supply chain exposure. The move blocks approval of new models, but does not affect existing authorized devices already in use or on the market. The decision follows an executive branch assessment, aligned with national security strategy priorities to reduce dependence on foreign infrastructure components. Officials argue routers have been exploited in campaigns such as Volt Typhoon, Flax Typhoon, and Salt Typhoon. Critics note most routers, including those from Cisco and Netgear, are manufactured abroad, leaving few domestic alternatives beyond the Starlink Wi-Fi router. The policy may pressure vendors to shift production to the United States, though exemptions remain available through national security review.

Citrix has released patches for a critical NetScaler ADC and NetScaler Gateway flaw affecting deployments configured as Security Assertion Markup Language identity providers. The bug allows potential sensitive memory disclosure and could be exploited by unauthenticated attackers. A second issue may cause user session mix-ups. No active exploitation is confirmed, but researchers warn attacks are likely once exploit code appears. Because SAML configurations are common in single sign-on environments, organizations are urged to patch immediately.
The U.S. Department of Energy has released its first comprehensive five-year strategy to strengthen cybersecurity across the nation's energy infrastructure, translating White House priorities into operational guidance. Developed by the Office of Cybersecurity, Energy Security, and Emergency Response, the plan focuses on three pillars: advancing cybersecurity technologies for operational technology environments, hardening grid and supply chain infrastructure, and improving incident response and recovery coordination. Officials say the strategy clarifies DOE's role as sector risk manager and emphasizes a resilience-first approach. However, analysts warn execution risks remain, citing reduced funding and reliance on partners such as CISA, which has lost staffing capacity. The plan promotes voluntary security practices and highlights persistent capability gaps among smaller utilities.

A malware campaign dubbed CanisterWorm is rapidly spreading through developer ecosystems after attackers seeded malicious code into more than 45 npm packages. Researchers at Aikido Security link the activity to stolen credentials from an earlier compromise of Aqua Security's Trivy scanner, enabling attackers to hijack maintainer accounts and publish infected updates within minutes. The worm steals authentication tokens and SSH keys to propagate across systems and distribute additional malicious packages. The campaign uses a decentralized command system hosted on the ICP blockchain, complicating disruption efforts. Behavior varies by environment. On Kubernetes networks in Iran, it deploys destructive wiping malware, while elsewhere it installs a backdoor. Researchers warn the attack demonstrates rapid supply chain propagation and unusually resilient command infrastructure.
Arctic Wolf observed suspected exploitation of a vulnerability in publicly exposed Quest Software KACE Systems Management Appliance instances beginning March 9th. The critical authentication bypass flaw enables attackers to impersonate users and gain full administrative control. Observed activity included remote command execution, credential harvesting with Mimikatz, creation of admin accounts, and lateral movement into backup systems and domain controllers. No public proof of concept is known. Defenders are urged to patch affected versions and remove internet exposure of SMA appliances.

Healthcare management firm QualDerm Partners is notifying more than 3.1 million individuals that personal, medical, and insurance data was stolen during a December 2025 network intrusion lasting two days. Exposed information includes names, contact details, medical records, diagnoses, insurance data, and in some cases, government ID numbers. The incident was reported to the U.S. Department of Health and Human Services breach portal. The company says it contained the activity, notified authorities, and is offering 12 months of identity theft and credit monitoring services while its investigation continues.

Alexei Volkov, a Russian initial access broker linked to the Yanluowang ransomware gang, has been sentenced to 81 months in prison for helping breach U.S. organizations and enable ransomware attacks. Prosecutors said Volkov identified network vulnerabilities and sold access to co-conspirators who deployed ransomware against banks, telecommunications providers, and engineering firms across multiple states. The campaign caused more than $9 million in losses and involved ransom demands exceeding $24 million. Volkov was arrested in Rome and extradited to the United States, where he pleaded guilty in federal cases in Indiana and Pennsylvania. Investigators also found he communicated with members of the LockBit ransomware group. As part of sentencing, he agreed to pay restitution and forfeit equipment used in the attacks.
Kevin McGee is Global Director of Cybersecurity Startups at Microsoft, but this week at RSAC, he's better known as Intern Kevin.

Well, it's that time of year again. It's RSA Conference week. I'm Kevin McGee, and most of the time I'm the global director of cybersecurity at Microsoft for Startups. But during RSA, I get to live my dream and become a real media influencer. Or at the very least, I get to be the intern to one, Mr. David Bittner. Now, the intern budget is not really all that great, so I understand I had to make four stops on my flight here, but I have no idea why two of them had to be at the same airport. But it's all worth it to be here and part of the show. All week, I'll be covering the stories that don't make the mainstream. I'll be walking the floor, or at least the places my intern badge will allow me access to. I'll be interviewing those unsung heroes that work the SOC and keep us safe, and trying to find some of the latest and coolest technology being developed right now. So that's what I'll be doing all week. Well, at least as soon as I'm finished ironing Mr. Bittner's hoodies.

Our thanks to Kevin McGee from Microsoft for serving as Intern Kevin this week here at RSAC Conference. Kevin, I like my shirts with extra starch. Keep that ironing going. Thank you, sir.

Coming up after the break, Maria Varmazis speaks with Jake Braun, long-time DEF CON organizer and former White House official, about the DEF CON 33 Hackers' Almanack. And slow down. You vibe too fast. Stick around.
No, it's not your imagination. Risk and regulation really are ramping up. And these days, customers expect proof of security before they'll even do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're getting ready for a SOC 2 or managing an enterprise governance, risk, and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and Writer spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me, it comes down to this. Over 10,000 companies from startups to large enterprises trust Vanta to help prove their security. Get started at vanta.com/cyber.
Our N2K contributing host Maria Varmazis recently sat down with Jake Braun, long-time DEF CON organizer and former White House official, to discuss the DEF CON 33 Hackers' Almanack.

It's a fascinating read, Jake, honestly. So I have the PDF right in front of me, and I've read through it a few times. And I know we were chatting about space cyber, given that that's sort of my area of special interest. It does certainly cover a lot of different areas. And I found it especially fascinating, coming from a point of view myself, not as a policy person, but recognizing that there is such, I don't know if animosity is the right word, but especially from a lot in the hacker community of, I feel, justified skepticism about, I think, the Hill in general and just folks in D.C. not understanding a lot of the technologies and then potentially creating harmful legislation in the direction of the hacking community. And there's a gap there of understanding in both directions. I think folks like you are working hard to bridge, and that's quite a challenge.

Oh, my God, yes. It's really amazing when we put the report together. And in fact, we have a lot of folks on the hacker side who were like, oh, but what about this particular hack? It's so cool. And it's amazing that this person pulled it off the way they did everything. And often we're like, yeah, but does that have a public policy implication? Or what often happens is we're trying to explain the research folks have done, you know, we're constantly sitting there going, okay, imagine that you're a congressman who can, you know, who can turn on a computer. But after that, like aside from typing, that's about what their expertise level is, you know, or even a senior policymaker in the executive branch. We're like, you know, you have to kind of really explain this stuff in a way that these folks who, you know, look, I mean, they didn't train to be cyber professionals. They haven't taken IT or cyber courses in school, nor have they ever had to hack a router or mess with a Raspberry Pi or any of these things. So, you know, I don't fault them for not knowing of these things. But that's kind of the big challenge is how do we explain these things so that policymakers understand it and understand the relevance.

Yeah, I think people in infosec really should give it a read just so they can see sort of how their work is being understood by a different audience. Just to think about things through a different lens to re-contextualize that work, it's a fascinating exercise, honestly. And I know when I was going through it, I found myself surprised in a bunch of good ways of like, oh, these questions are really interesting. I don't know if I've thought of them before. And there are also some areas within the Almanack that I'd love to hear you walk me through. Just in general, that category I hadn't thought of. And one of them that I'm thinking of actually was about power, "Down with Despots." And that made me go, what? Tell me more about that.
It was so fascinating. One of the things that we believe, and I think a lot of people who've thought about this would agree, is likely to be one of the biggest developments in human history is that pretty soon, in our lifetime, every human on the planet is going to be connected to the Internet one way or the other. We're in the process of connecting basically the last two billion people on the planet to the Internet. And those two billion are the last two billion for a reason, right? Either they're in a country that has purposely kept them from plugging into the modern world, both literally and figuratively. So think like in North Korea. Or they're the most underprivileged and oppressed people in modern societies who, for whatever reason, you know, don't have access to the Internet and modern technology either. And what is clear is that the despots of the world, you know, whether it be folks dealing with the Ukraine war, whether it be a potential invasion of Taiwan, whether it be migrant communities around the world that are being preyed upon, trying to figure out what are the things that we can do to help these people protect their culture in the case of, like, let's say the Uyghur population in China, who is having cultural genocide committed against them, or to potentially a group of folks in Taiwan or Ukraine who are trying to fight for their right to self-determination and democracy and so on and so forth.

And so just two examples of that in Ukraine. And we almost didn't include this one because it's so kind of simple technically. But this is my point about it. Maybe it was simple technically, but it's incredibly important from a policy perspective. So, you know, if all information is basically kept on the Internet and all the information about your culture may end up having the only place it lives on the Internet, then if the government wipes your culture from the Internet, like they're doing to the Uyghurs in China, then in 200 years, is your culture even going to exist? I mean, I don't know. If you don't know the stories and the history and all those things, I don't know. And so in an effort to ensure this doesn't happen to the Ukrainian population, a group of hackers who presented at DEF CON went in right after the war and started digitally, not physically, but digitally backing up all the artwork in the museums across Ukraine so that in the event that they get blown up or whatever, or the artwork is stolen, there'll be a record of it for the Ukrainian people so that they can protect their culture and history from digital genocide or the physical genocide that's being perpetrated. And so that's one example of folks being able to protect their culture and identity from digital genocide.

The other thing is just being able to keep fighting. And so one of the things that Jeff Moss actually really encouraged us to take a hard look at was these mesh networks. And for your listeners who maybe don't know about it, although people who listen to your podcast probably do, but still, these are network devices that exist on really low-frequency radio waves. So if, like, if the undersea cables in Taiwan are cut and if what's worked in Ukraine with satellites keeping communication going doesn't work in Taiwan because the Chinese are far more capable and well-resourced than the Russians are, then how are they going to keep fighting? How are they going to keep their resistance going until hopefully the Chinese give up or more folks can come help?

So these are like Meshtastic. That's one of the protocols, Meshtastic.

Yep. Yep. And so Meshtastic was something we tested. And in a great hacker tradition, they found some bugs. But, you know, kudos to the Meshtastic people. They fixed them, or whatever they couldn't fix at the conference they agreed to fix later, and I believe they did. And so these are an ability for folks to communicate where kind of devices, connected devices, based on whose device you're connected to, but you can't basically stop it by knocking out the satellites or cutting the undersea cables, which would mean if the Taiwanese population was in the mountains around Taipei fighting for years or longer, that they'd be able to communicate. So that was just two examples of technologies or research that's been done by the DEF CON community that we thought was highly relevant for protecting these last two billion as they come online and also trying to thwart the advances of, you know, despots and warlords who constantly are oppressing the, you know, the least empowered among us.
Yeah. And honestly, this speaks to, I think, the core of so much of hacker culture, of what motivates so many, is just kind of this spirit of keeping fighting a power, but also keeping these important subcultures alive. Gosh, I'm thinking back to the 90s on some of this stuff. And it's just sort of that ethos that seems to have waned a little bit, but it's coming right back. And it's kind of awesome to see, to be honest with you. So we've been talking sort of on the policy side, but for folks who are more on the, I'm thinking of security practitioner side, you know, the average DEF CON attendee, I suppose. What would you want them to know about the work that you've been doing here?
Okay, so the one thing I want to talk about, just because I think it's so important, is one of the youth hackers. So this particular person is in high school, the handle that he used was Nix, and there was somebody else involved named Rinaldo Bujo. But anyway, they were, yeah, good for them. But anyway, they found that a vape tracking device in the school bathroom that the schools had put in, and that schools used all over the country, maybe all over the world, had the capability for listening devices in it, which, of course, once this industrious young hacker figured out, was asked a very good question, which is, why would anybody who is trying to prevent vaping need to listen to what people are talking about in the bathroom? And pointed out things like, you know, right. And pointed out things like, you know, look, if you were maybe a young woman who was talking about an abortion in one of the states that, you know, since the Roe decision have made it illegal, you know, are you or your school or whatever now in jeopardy? Because, you know, you were having a conversation like that in the bathroom with your friends? You know, I mean, it's just, I mean, yeah, it's unbelievable.

But it's a sacred space, the bathroom, honestly. You just don't expect surveillance in the bathroom. It's just the absolute last thing anyone wants.

Yeah, exactly. And so anyway, I want to highlight that because it was very clever work that these two high schoolers did. And also just because I think DC NextGen is so important. And, you know, this next generation of hackers coming up, if you look at the folks who started this whole thing back in '92 or '93, you know, they're getting a little, they've got some gray hair and they get a little long in the tooth at this point. We need this next generation to step up.
One of the other things, though, that I thought was fascinating was research that somebody did. Now, this was theoretical, of course. I don't think they were able to actually do this in practice yet. But theoretically, one of the researchers found that you could store information in human DNA and then use that to get key information that you'd want out of a dictatorship or something like that, whether you're in North Korea or Russia or China or whatever.

Yeah, I mean, storing...

That's biohacking.

Yeah, exactly.

Tell me about it. Storing information in human DNA is about as cool and cutting edge as it gets. That is the kind of thing we love out of DEF CON, honestly, when we hear about stuff like that. That's pretty great.

I know. So this guy, Dr. James Utley, is the one who did it. And it's funny. He talks about bio-cryptological, is how he refers to it. So really, really fascinating work. And, you know, I could go on for hours about all the cool stuff. I'll tell you, one of my most enjoyable things I do for this is after DEF CON, since I don't really have a lot of time to go see the talks when I'm there, because I'm running around to different things, I listen to, I don't know, 40 or 50 talks after DEF CON while I'm, like, you know, out running or whatever to try and think about, you know, what makes sense to be in the Almanack. And it's just some of the most fascinating, you know, information you'll listen to in any given year is, you know, these talks.

But, yeah, and I know we're coming up close on time, but I wanted to make sure I also asked you about DEF CON Franklin itself. I know you wanted to mention a bit about the work that you all do. So can you tell me a bit about that?
Sure. So one of the things we do is the Almanack. So obviously we talked about that. You know, a bunch of folks, including some of my grad students, who run around and, you know, chronicle what happens there and then turn it into this. I want to give a huge shout out to Adam Shostack and Paul Chang, who help so much with this. And then separately, we recruit folks to support underserved water utilities around the country. This is largely because, of our critical infrastructure like power and finance and so on and so forth, water seems to be both newly a top priority for big adversaries like nation states and ransomware groups, but also one of the least protected. So whereas finance or energy has been improving their defenses for a decade or more now, water is really kind of just starting to get in the cyber game. And so we recruit volunteers to support these local water utilities that, but for volunteers, would have zero cyber support. It's not like it's us or hiring someone, or us or they bring in a contractor. It's us or nothing. And so we've had a whole host of folks from DEF CON step up for this. We've deployed a good amount of folks so far. We're hoping to deploy a lot more. By the way, one thing I would really ask anybody on this call is if you work for a small municipality or have close ties with one and you think your water utility might be in need of these types of service, please reach out to us. You can go to our, just Google us at DEF CON Franklin and we'll come up with all our contact information, because we're all, getting the word out to the 50 plus thousand water utilities out there, none of whom thought cyber was in their job jar even a couple years ago, is one of our biggest challenges. So really would welcome folks who are interested in this. And in particular, if you are in a community that you think would benefit from the support and could connect us in with those folks.

That's N2K's Maria Varmazis speaking with Jake Braun.
And finally, artist Sam Levine has devised a modestly malicious solution for anyone worried that friends, students, or coworkers are outsourcing their inner lives to chatbots: make the bots unbearably slow. According to 404 Media, his tool, Slow LLM, quietly stretches response times from systems like ChatGPT and Claude by tampering with a browser data retrieval function, creating the impression that the machines themselves have suddenly lost enthusiasm for helping. Levine says the idea came after watching people rely on generative tools for tasks once handled by their own brains. The project can run as a browser extension or, more boldly, as a network-wide DNS tweak that spreads the gift of patience to entire households or offices. He frames the effort as restoring friction to learning and creativity, though he admits using Claude to help write the code, at least until his own tools slowed it down. The goal is not prohibition, but reflection, preferably after a long wait.
And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
