CyberWire Daily - State of the router.
Episode Date: July 13, 2026The U.S. and its allies warn of Russian cyber threats targeting critical infrastructure as Europe rolls out new sanctions. Apple sues OpenAI over alleged trade secret theft. Progress investigates a po...tential ShareFile security incident, Zimbra patches a critical flaw, and researchers uncover the new CrashStealer macOS malware. Plus, the EPA tests water utility resilience, scammers clone trusted news sites, and our Monday business briefing. Our guest is Brandon Karpf, from NTT, discussing the 11th Japan-U.S. Cyber Dialogue. Californians smash that delete button. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Brandon Karpf, friend of the show discussing the 11th Japan-U.S. Cyber Dialogue. Selected Reading US and allies warn of Russian critical infrastructure attacks (Bleeping Computer) EU sanctions Russian GRU military hackers over cyberattacks (Bleeping Computer) OpenAI Hardware Biz Built with Apple Secrets, Apple Says (Gov Infosecurity) Progress Software Warns of “External Security Threat” to ShareFile (Infosecurity Magazine) Zimbra Patches Critical Code Execution Vulnerability (SecurityWeek) When Hackers Cut the Internet, Will the Water Still Flow? (BankInfo Security) ‘A very good clone’: news stories faked to lure victims to scam investment sites (The Guardian) CrashStealer: C++ macOS infostealer posing as crash reporter (Jamf) Business Briefing for 07.08.26 (N2K Pro Business Briefing) 322,000 Californians sign up to have data brokers delete their personal information (Mercury News) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
Heading to this year's Black Hat USA, the N2K Cyberwire team will be on site recording from our podcast studio in the SpectorOps Kennel Club.
If you're interested in joining us for a conversation or learning more about what we're recording throughout the week, visit sponsor.com for more information.
And make sure you stop by the studio and meet the N2Siberwire.
2K Cyberwire team.
We'll see you there.
This episode is supported by Black Hat USA.
If you follow the research, you know a lot of it breaks on Black Hat stages.
Hundreds of peer-reviewed briefings, more than 100 hands-on trainings, and the largest
business hall in Black Hat's history.
Six days to learn the skills you'll need tomorrow.
August 1st to the 6th.
Use code Cyberwire for $200 off your briefings pass at Blackhat.com.
We'll see you in Vegas.
The U.S. and its allies warn of Russian cyber threats targeting critical infrastructure as Europe rolls out new sanctions.
Apple sues open AI over alleged trade secret theft.
Progress investigates a potential share-file security incident.
Zimbra patches a critical flaw, and researchers uncover the new crash-stealer MacOS malware.
Plus, the EPA test water utility resilience.
Scammers clone trusted news sites.
and our Monday business briefing.
Our guest is Brandon Karp from NTT discussing the 11th Japan-U-S-Siber dialogue,
and Californians smash that delete button.
It's Monday, July 13, 26.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It's great as always to have you with us.
Happy Monday.
Cybersecurity agencies from the United States
and eight allied countries have issued a joint advisory, warning that Russian state-sponsored hackers
linked to the FSB's Center 16, are targeting vulnerable and poorly configured routers to gain
access to critical infrastructure networks. The group scans internet-connected devices for default
or weak SNMP credentials, steals router configuration files, and exploits known Cisco vulnerabilities,
including the smart install flaw.
Sectors at greatest risk include energy, communications, health care, finance, defense, and
government.
The advisory urges organizations to upgrade to SNMP version 3, disable Cisco smart install, use strong
unique passwords, block SNMP and trivial file transfer protocol traffic where appropriate,
keep devices updated, and replace end-of-life hardware.
It also follows a separate international operation that disrupted Russian router-based espionage infrastructure.
The European Union and the United Kingdom have imposed new sanctions on dozens of Russian individuals and entities,
accusing Moscow of directing a network of cyber operations targeting governments and critical infrastructure across Europe.
The measures target Russian military intelligence officers, cyber criminals, private companies,
and members of the Luma Steeler malware operation and Riber Media Network.
The EU also publicly identified the FSB's 16th Center as overseeing several hacking groups,
including Turla, which officials say has conducted espionage campaigns against European
government and defense organizations for more than a decade.
Authorities linked Turla to a failed attack on Poland's energy infrastructure and cited other
recent Russian cyber operations targeting Polish institutions. The sanctions coincide with broader European
efforts to strengthen cybersecurity and counter state-backed cyber threats. Apple has sued OpenAI in federal
court, accusing the company of building its emerging AI hardware business using stolen trade secrets
and confidential information from former Apple employees. The lawsuit centers on OpenAI
$6.4 billion acquisition of I.O. products, co-founded by former Apple executive Tang U.Tan,
who Apple alleges emailed himself confidential supplier information before leaving the company,
and later encouraged Apple job candidates to bring proprietary hardware details to interviews.
Apple also accuses former employee Chang Liu of accessing its internal network after departing
and downloading confidential files on unreleased products by exploiting an authentication flaw.
Apple claims it warned OpenAI about its concerns in February but received no response
and argues the alleged misconduct extends beyond the known cases.
OpenAI denied the allegations, saying it has no interest in other companies trade secrets.
The lawsuit could complicate OpenAI's planned initial public offering by raising legal,
and investor concerns.
Progress Software has warned of a potential security incident affecting share file storage zone controllers,
its private enterprise storage solution, after detecting what it described as a credible external threat.
As a precaution, the company temporarily disabled customer access and instructed organizations
to shut down servers hosting affected storage zone controllers while investigations continue.
Progress said it has found no evidence of unauthorized access to customer accounts or data
and has not identified an active threat,
although it has provided few details about the nature of the incident.
Customer frustration grew after several days without public updates,
fueling speculation about possible vulnerability exploitation,
which the company has not confirmed.
By July 12th, cloud access had been restored,
but customers were told to keep storage zone,
controllers offline pending the completion of progress's internal and external security investigations.
Zimbra has released patches for a critical vulnerability in its classic web client that could allow
zero-click code execution when a user opens a specially crafted email. The stored cross-site
scripting flaw could expose mailbox data, session information, and account settings. Although the
vulnerability has not yet received a CVE,
E-identifier, Zimbra is urging all customers using the classic web client to upgrade.
The flaw was reported by Google's threat analysis group, which often identifies vulnerabilities
exploited by state-sponsored threat actors.
The U.S. Environmental Protection Agency conducted a national cybersecurity exercise to help
water utilities prepare for a worst-case communications outage caused by a simulated cyber attack
on a major telecommunications provider. Based on intelligence about the Chinese threat group
Salt Typhoon, the scenario forced utilities to consider how they would maintain safe water operations
without internet, phone service, cloud applications, or remote SCADA access. More than 200
utilities participated in discussions covering incident response, alternative communications,
staffing, and transitioning to manual or local operations.
participants highlighted challenges such as maintaining water quality, sustaining 24-hour staffing, and balancing operational priorities during extended outages.
The exercise underscored that preparedness varies widely among utilities depending on their size, infrastructure, and reliance on remote operations,
emphasizing the importance of planning for prolonged communications disruptions.
fraudsters are creating convincing clones of trusted news websites, including The Guardian,
to lure victims into fake investment scams. The counterfeit articles feature fabricated stories
about well-known figures such as Jim Ratcliffe, David Attenborough, and Martin Lewis,
often using AI-generated images and the bylines of real journalists to appear authentic.
The stories include links to fake versions of legitimate.
trading platforms, where victims are prompted to provide personal information before being persuaded
by scammers to invest money in non-existent opportunities. Security experts warn that the goal is
simply to steal victims' funds. Readers are advised to verify website URLs, be wary of sensational
investment claims, and remember that reputable news organizations do not endorse investment platforms.
Companies such as Cracken say they actively work to remove impersonation sites and report those responsible to law enforcement.
JAMP Threat Labs has identified a new MacOS information stealing malware family dubbed Crash Stealer,
which has evolved from an apparent development stage sample into an actively deployed threat.
First spotted in May, the malware masquerades as Apple's crash reporting framework,
and is written in native C++,
distinguishing it from many other macOS dealers.
Crash dealer validates a victim's login password
before collecting data from browsers,
cryptocurrency wallets, password managers, and the macOS keychain.
It encrypts stolen information before exfiltrating it
and establishes persistence by copying and resigning itself.
Researchers also discovered a signed and Apple notarized dropper,
distributed as a disk image named Workbit setup that bypasses Gatekeeper,
downloads the payload, and launches it.
JAMPF considers Crash Steeler a distinct malware family due to its unique architecture and
capabilities.
Turning to our Monday business briefing, cybersecurity companies continued to attract
significant investment and consolidation activity this past week.
encryption management firm Key Factor raised more than a billion dollars in a growth round led by summit partners
to support product development, global expansion, acquisitions, and hiring.
Dutch managed security services provider I-security secured 60 million euros to expand across Europe
and invest in AI capabilities, while AI surveillance firm Hakimo,
Identity Security Company, Wultra, and Maritime Cybersecurity,
startup SITOR also announced new funding rounds to fuel growth and international expansion.
Merger and acquisition activity remained strong with seven deals across five countries.
Notable transactions included InfoBlox's planned acquisition of network observability company Kentik,
Akamai's completion of its $205 million acquisition of enterprise browser security firm Layer X,
Qualcomm's purchase of Sam Seamless Network and Iquito's acquisition of Israeli container security startup route.
The deals reflect continued investment in AI, identity security, zero trust, and infrastructure protection.
Be sure to check out our complete business briefing. That's part of Cyberwire Pro.
You can find that on our website.
Coming up after the break, Brandon Karp from NTT discusses the 11.
7th Japan-U.S. Cyber Dialogue.
And Californians smash that delete button.
Stay with us.
What's the one thing in business that's spreading as fast as AI?
AI risk.
Every new tool your team signs up for, every vendor that turns on AI features, every new integration.
Each one is an opportunity for something to go wrong.
And most security programs weren't built for AI's pace of growth.
Enter Vanta.
Vanta.
the number one agentic trust platform, used by over 16,000 fast-moving companies like RAMP,
cursor, and Harvey to ensure they're always audit-ready. And now Vanta is helping companies,
like yours, watch for the risks that show up between audits, across your vendors,
your AI tools, and your whole environment. How? The Vanta agent works like a 24-7 GRC engineer
in the background, finding issues, drafting fixes, and cutting vendor assessment time by up to
50%. Whether you're a fast-growing startup or a global enterprise, Vanta is here to help you
automate your security and compliance and earn and prove trust. Get started today at vanta.com
slash cyber. That's V-A-N-T-A.com slash cyber.
The Hulu original series Furious is coming to Disney Plus, starring Emmy Rossum. Furious follows
FBI agent Alice Black on the hunt for a mysterious and calculating serial killer.
Both walk their own paths toward justice, and as their lives start to intertwine,
the line between right and wrong begins to blur.
Don't miss the three-episode premiere of the Hulu original series Furious on July 27th,
only on Hulu on Disney Plus.
It is always my pleasure to welcome back to the show, Brandon Karp.
He is the leader of international public-private partnerships at NTT.
Randon, welcome back.
Dave, great to be here with you again.
So we recently had in Washington, D.C.,
the 11th Japan-U.S. Cyber Dialogue, which is kind of a boring name for an interesting thing.
Yes.
Leave it to diplomats to make things super dry and sound uninteresting when there's tons of meat on that bone.
Right, right.
Well, let's dig into it.
I mean, you were there, correct?
Yeah, we participate in.
NTT in particular, of course, participated being one of the, or being the largest telecommunications
company in Japan. And so we certainly had a role to play here. So did a number of other companies.
And of course, the governments of Japan and the U.S. participated.
Right. So unpack this meeting. What is this all about?
Yeah. So, I mean, as you mentioned, this is the 11th one of these. So these have been held every
year for more than a decade now. I would actually say that this is probably the one.
that is the clearest in terms of what was on the agenda and what is notably changing.
And for a couple reasons.
First, I think the headline is what made it onto the agenda and a couple key topic areas that I think are particularly important for the threat environment and technology environment.
One of them is sovereign cloud.
Another one is post-quantum cryptography.
And then the third one that made the agenda that was particularly interesting was shutting down scam compounds in Southeast Asia.
So there were some really interesting threat environment topics that kind of made the list for the diplomatic corps and the national cybersecurity leadership of the two countries to discuss through the two days of dialogues.
What I think was particularly notable, right, is this comes a little more than a year after Japan signed the active cyber defense law, which was their creation of the National Cyber Security Office that is coordinating cybersecurity, but also.
more kind of take-down operations and those types of activities, more kind of disrupt doctrine-type
aspects and operations that the Japanese government, specifically their national police and their national
defense forces, will be enabled to conduct. And so this was the first dialogue that has really
occurred since that act has been operationalized over the last year.
I should mention just for our audience's sake that before you were with NTT, you of course,
were a U.S. naval officer and served at Cyber Command.
How do you describe the relationship, the diplomatic relationship between the U.S. and Japan when it comes to cyber?
Strong and strengthening?
So, you know, until this act that I mentioned was signed into law a year ago, Japan had kind of a fragmented cybersecurity and cyber operations force.
that act centralized authorities and controls underneath the national cyber office,
which is kind of a combination of our FBI Cyber Division plus our SISA plus NSA and Cyber Command,
kind of all under one big heading.
And so they're responsible for intelligence collection and prioritization.
They're responsible for policy and public-private collaboration.
And they're responsible for taking more defensive or even offensive-type actions.
through cyberspace.
What that actually means on the ground, we don't know yet because they're still implementing
all these things.
But the relationship between the Japanese government and the U.S. government is very strong right now
with the Prime Minister Takayishi in Japan and her relationships with Washington, but also with
folks like Yuki Osaita, who is kind of the international strategist at the National Cybersecurity
Office, working very closely with our State Department and our Department of Homeland Security.
And so you see these people starting to come to the U.S. more and more and building this kind of commitment to sharing, which is really what we saw in the joint statement that was released after the cyber dialogue from the state department, U.S. State Department, but also the Japanese executive branch agencies and diplomatic corps, where they're committing to sharing lessons learned, sharing intelligence, sharing policy priorities and coordinating policy priorities around cyber defense.
To me, that is the first step towards moving in a direction of joint operations or coalition operations.
Can you take us behind the scenes a bit? How is an event like this organized and how do they set expectations for success?
Sure. So in the room you have U.S. organizations like the National Security Council, the Office of the National Cyber Director, the Office of the Director of National Intelligence, right, FBI, Homeland Security, SISA, even NIST and FCC.
more around standards in telco.
So that's all from the U.S. side.
Of course, the entire thing is being organized
and put on by the Department of State in the U.S.
In collaboration with the Japanese organizations,
so their Ministry of Defense,
their telecom regulator, their diplomatic corps and METI
and their version of FCC as well.
And so it's kind of a total coalition plan
where this has stood up.
There's also quite a lot of interaction
with private sector.
in relation to this. So there's a the Japanese business council, which is an organization within the
U.S., that's kind of a sort of a trade association, kind of bringing in Japanese corporations,
but also the coordination and participation of U.S. companies who have business interests in Japan.
Keep in mind, Japan is one of the world's largest economies. I think it's the third or fourth
largest economy in the world. So there's a lot of business operations and activities here.
And so this is totally a joint activity, right? There's U.S. co-chairs, Japanese co-chairs,
who were putting this on for the two days of dialogues along all those various topics.
There are certainly more than the ones I mentioned,
but the topics that I mentioned at the beginning here were kind of the key ones that I saw,
which were most important.
That being said, of course, they talked about things like AI security, et cetera, et cetera.
But, you know, I'm sure you talk about that plenty, so we don't need to go into that here.
So what was the feeling as things wrapped up?
Did the participants consider this to be a success?
Yes, most definitely.
Again, this one, I think, was seen as the most substantive in the history of this dialogue.
And why is that?
Again, part of it, I think, is the act of cyber defense and how much investment the Japanese government is putting towards cyber defense of not just the Japanese homeland, but the entire Asia-Pacific region.
But also, of course, I mean, we're still, we're just about two years post the salt typhoon and kind of revelation.
where we saw this Chinese threat actor really owned the global telco companies,
you know, more than 200 targets globally in 80 countries around the world.
And, you know, those revelations really just started kind of hitting the public wires about two years ago or so.
And, of course, just more and more information over the last two years.
And so that, the context of the threat environment in that region,
that's the Chinese threats, of course, the North Korean kind of crypto scams,
the Southeast Asian cybercriminal groups
in terms of the kind of the
scam farms and those,
this threat environment is really starting
to coalesce in that region of the world
at the same time that Japan is investing more and more
in their capabilities
and they're both the defensive
and offensive and legal authorities.
And so I think it's given the U.S. and Japan leaders
more to talk about and more to do
and start thinking about how politics,
aligns, how public-private collaboration aligns, and how we can take proactive actions against
these types of threats.
All right.
Sounds like an optimistic tone.
I think there's a lot of reason to be optimistic in this topic in particular.
Yeah.
Brandon Karp is the leader of international public-private partnerships at NTT.
Brandon, thanks so much.
Thanks, Dave.
Organizations spend years building incident response plans.
but when a real crisis hits, many discover those plans were built for auditors, not for operating through disruption.
We recently spoke with Courtney Gus, Crisis Management Director at Sempris,
about why true cyber resilience depends on more than compliance.
She explains why organizations need to move beyond static playbooks,
establish clear decision-making authority, and prepare leaders for the moments when technology and the plan itself may fail.
If you're responsible for incident response, business continuity, or cyber resilience, this is a conversation you won't want to miss.
Listen to the full interview at explore.thecyberwire.com slash Sempris.
This episode is brought to you by Accenture.
When your advertising operations fall out of sync, everything else follows.
Spotify and Accenture are working together to reinvent the rhythm of ad sales, using
automation, analytics, and smarter workflows to simplify campaign delivery and access better data
across the business. The result? Less time spent on operations, more time connecting brands with the
moments and fandoms that matter most. Learn more at Accenture.com slash Spotify.
And finally, more than 300,000 Californians have pressed what state officials call the
great delete button in the sky, invoking the nation's first delftion.
Elite Act to force hundreds of registered data brokers to erase their personal information.
Beginning August 1st, brokers must start processing requests to delete sensitive data,
ranging from location histories to financial details to health information and demographic profiles,
while also stopping future sales of that data.
The law aims to curb an industry that quietly assembles digital dossiers from loyalty cards,
web browsing, social media, and countless everyday interactions,
often selling them to advertisers, governments, AI developers,
and, as officials dryly note, seemingly anyone with a credit card.
Regulators are pursuing unregistered brokers
and warning that companies ignoring deletion requests could face steep fines.
The process takes only a few minutes,
a small investment for anyone hoping their personal life stopped circulating,
quite so enthusiastically.
And that's the Cyberwire.
For links to all of today's stories,
check at our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey and the show notes
or send an email to Cyberwire at N2K.com.
N2K's lead producer is Liz Stokes.
We're mixed by Trey Hester
with original music and sound design by
Elliot Peltzman.
Our contributing host is Maria Vermazas.
Our executive producer is Jennifer Ivan.
Peter Kilpe is our publisher,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Hey, y'all, it's Kelly Clarkson with Wayfair.
Ever order furniture online and wonder, what if?
Like, what if it doesn't hold up?
That sofa was four days old.
You should have ordered from Wayfair.
With Wayfair, there's no what if.
Just style you love and quality you can trust.
Visit wayfair.ca.
Wayfair, every style, every home.
