CyberWire Daily - That shield has cracks in it.
Episode Date: May 21, 2026
Microsoft confirms active exploitation of two Defender flaws. Europol dismantles a VPN service tied to ransomware gangs. A nine-year-old Linux kernel bug exposes SSH keys and password hashes. Cisco patches a critical Secure Workload vulnerability, while Drupal fixes a highly critical SQL injection flaw. Android malware quietly signs victims up for premium SMS scams. Webworm upgrades its espionage toolkit with Discord and Microsoft Graph backdoors. Plus, China and Russia deepen cooperation on AI, cybersecurity, and satellite systems. Our guest is Jake Moore, Global Cybersecurity Advisor for ESET, sharing a glimpse into his Infosecurity Europe keynote "The Deepfake Interview." Greg doesn't even work here anymore…
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today, Maria Varmazis speaks with Jake Moore, keynote speaker for the upcoming Infosecurity Europe conference and Global Cybersecurity Advisor for ESET, getting a glimpse into his session "The Deepfake Interview: Breaking In From the Inside." This interview is part of our partnership with Infosecurity Europe.
Selected Reading
Microsoft Defender vulnerabilities exploited in the wild (Help Net Security)
Europol Seizes First VPN Used by Ransomware Gangs, Arrests Administrator (Hackread)
Nine-Year-Old Linux Kernel Flaw Leaks SSH Keys and Password Hashes (Infosecurity Magazine)
Cisco Patches Critical Vulnerability in Secure Workload (SecurityWeek)
Android Malware Spotted Subscribing Victims to Paid Services Without Consent (Hackread)
Drupal Patches Highly Critical Vulnerability Exposing Websites to Hacking (SecurityWeek)
Webworm: New burrowing techniques (We Live Security)
Xi and Putin pledge closer cooperation on AI, cyberspace and satellite systems (The Record)
Zombie user account let hackers control the city's water (The Register)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Do you know how the space and cybersecurity domains connect?
The T-Minus Space Cyber Briefing is your guide through the space-based systems that expand the attack surface.
I'm Maria Varmazis, host here at N2K CyberWire, and I'm excited to share that T-Minus is back.
Now, as a weekly podcast, the T-Minus Space Cyber Briefing.
We have a new dedicated focus on two great things that are even better together, space and cybersecurity.
Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly internet-enabled.
We're talking cybersecurity technologies, policies, and organizations that are securing the critical space-based infrastructure that powers, protects, and connects our lives here on Earth.
So join me for the T-Minus Space Cyber Briefing, new episodes every Sunday.
Quick question. Have you watched Project Hail Mary yet?
Humanity is facing an existential threat and racing to solve it with the clock ticking.
For security teams, that probably hits close to home with AI use rapidly spreading.
Everyone's using AI: marketing, sales, engineering, Chris the intern, without security even knowing about it.
That's where Nudge Security comes in. Nudge finds shadow AI apps, integrations, and agents on day one, and helps you enforce policy without blocking productivity. Try it free at nudgesecurity.com/cyberwire.
Microsoft confirms active exploitation of two Defender flaws.
Europol dismantles a VPN service tied to ransomware gangs.
A nine-year-old Linux kernel bug exposes SSH keys and password hashes.
Cisco patches a critical Secure Workload vulnerability, while Drupal fixes a highly critical SQL injection flaw.
Android malware quietly signs victims up for premium SMS scams.
Webworm upgrades its espionage toolkit with Discord and Microsoft Graph backdoors.
China and Russia deepen cooperation on AI, cybersecurity, and satellite systems.
Our guest is Jake Moore, Global Cybersecurity Advisor for ESET, sharing a glimpse into his Infosecurity Europe keynote, The Deepfake Interview.
And Greg? Greg doesn't even work here anymore.
It's Thursday, May 21st, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us.
Microsoft says attackers are actively exploiting two Microsoft Defender vulnerabilities, prompting action from both Microsoft and CISA. The first is a local privilege escalation flaw in the Microsoft Malware Protection Engine. Successful exploitation could grant attackers system-level privileges. The second vulnerability can force Microsoft Defender into a denial-of-service state, potentially disrupting endpoint protection. Microsoft says both flaws are publicly disclosed and exploited in the wild. Patches are available in updated Defender engine and platform releases. Microsoft Defender is widely deployed across enterprise and government environments. CISA has added both vulnerabilities to its Known Exploited Vulnerabilities catalog and ordered federal civilian agencies to patch or discontinue affected products by June 3rd.
European law enforcement agencies have seized First VPN, a private service investigators say was widely used by ransomware gangs and other cybercriminal groups to conceal operations online. The operation, called Operation Safron, involved authorities from 16 countries with support from Europol and Eurojust. Investigators seized 33 servers, shut down multiple domains, and interviewed the alleged administrator in Ukraine. According to Europol, the VPN advertised heavily on Russian-speaking cybercrime forums and offered anonymous payments and concealed infrastructure designed to evade law enforcement. Authorities also gained access to the server's user database, which investigators say contains information tied to thousands of suspected criminal users. The takedown highlights a growing law enforcement focus on disrupting the infrastructure that enables cybercrime, not just the operators behind the attacks. Seized customer data could support future ransomware, fraud, and data theft investigations across multiple countries.
Researchers at Qualys have discovered a Linux kernel vulnerability that could allow unprivileged local users to access sensitive files, including SSH private keys and password hashes, on default Debian, Fedora, and Ubuntu systems. The flaw has existed in the Linux kernel since 2016. Qualys says the bug affects the kernel's ptrace mechanism, which manages process tracing and debugging. By exploiting a race condition tied to credential changes, attackers can inherit access to protected file descriptors from privileged processes. Qualys demonstrated proof-of-concept exploits exposing SSH host keys and shadow password hashes. Researchers warn the issue is especially dangerous in shared hosting and multi-tenant environments, where untrusted users can obtain local shell access. Kernel patches are available, and Ubuntu and Qualys recommend tightening ptrace restrictions as a temporary mitigation.
Cisco has patched a critical vulnerability in Secure Workload with a maximum CVSS score of 10. The flaw affects internal REST API endpoints and could allow attackers to access sensitive information and modify configurations across tenant boundaries with site admin privileges. Cisco says the issue impacts both SaaS and on-prem deployments, but does not affect the web management interface. Patches are available. Cisco has also addressed three medium-severity flaws affecting ThousandEyes products and Nexus switches. The company says it has not observed active exploitation.
Researchers at Zimperium zLabs have uncovered a large-scale Android malware campaign that secretly subscribed victims to premium SMS services without their consent. The operation involved roughly 250 malicious apps impersonating popular brands, including TikTok, Instagram, Threads, Minecraft, and Facebook Messenger. The malware targeted mobile carriers in Thailand, Croatia, Romania, and Malaysia by checking SIM card details before activating fraud routines. Researchers say the apps disabled Wi-Fi, intercepted one-time passwords using Google's SMS Retriever API, and automated hidden subscription workflows through background WebViews. One malware variant also exfiltrated victim data and subscription confirmations through Telegram. The campaign highlights how attackers continue to weaponize legitimate mobile platform features and weak SMS-based authentication systems to support long-running fraud operations. Researchers say the infrastructure operated for nearly 10 months and was optimized to evade detection while maximizing carrier billing abuse.
Drupal has released patches for a highly critical SQL injection vulnerability affecting sites that use PostgreSQL databases. The flaw exists in an API responsible for sanitizing database queries and could allow unauthenticated attackers to obtain sensitive information, escalate privileges, or potentially achieve remote code execution. Drupal warned users before disclosure that exploit code could emerge quickly after patches became public. Updates are available for multiple versions. The release also addresses additional vulnerabilities in Symfony and Twig dependencies.
Researchers at ESET say the China-aligned Webworm threat group has significantly evolved its operations in 2025, shifting focus from Asia toward European government organizations and deploying new stealth-focused malware and proxy infrastructure. The group introduced two new backdoors, Echo Creep and Graph Worm, which use Discord and the Microsoft Graph API for command and control communications. Researchers decrypted more than 400 Discord messages tied to Echo Creep and uncovered evidence of targeting in Belgium, Italy, Poland, Serbia, and South Africa. Webworm also expanded its use of custom proxy tools designed to create layered, encrypted traffic chains across compromised systems. ESET says the group stages malware through GitHub repositories and used a compromised Amazon S3 bucket for configuration retrieval and data exfiltration. The findings reflect a broader trend among advanced persistent threat groups toward blending malicious activity with legitimate cloud services and collaboration platforms to evade detection. Researchers also identified reconnaissance activity using open-source vulnerability scanners and web directory brute-forcing tools against dozens of targets across Europe and Africa.
Chinese President Xi Jinping and Russian President Vladimir Putin pledged deeper cooperation on artificial intelligence, cybersecurity, satellite systems, and internet governance during a summit in Beijing. In a joint statement, the two countries outlined plans to expand collaboration on satellite internet technologies, open-source software, and joint development initiatives aimed at reducing dependencies on Western technology. Moscow and Beijing also agreed to improve interoperability between Russia's GLONASS and China's BeiDou satellite navigation systems and to coordinate more closely on cyber policy and information security. Both governments reaffirmed support for internet sovereignty, which gives states broader control over domestic digital environments. The agreement reflects a growing strategic alignment between China and Russia in cyberspace and emerging technologies, particularly as both countries seek alternatives to Western-controlled infrastructure and standards. The announcement also comes amid increasing concerns over the military and cyber applications of artificial intelligence.
Coming up after the break, Maria Varmazis speaks with Jake Moore, Global Cybersecurity Advisor for ESET, sharing a glimpse into his Infosecurity Europe keynote, The Deepfake Interview.
And Greg? Greg doesn't even work here anymore.
Stay with us.
Jake Moore is Global Cybersecurity Advisor for ESET. Our own Maria Varmazis caught up with him to get a glimpse into his recent Infosecurity Europe keynote, The Deepfake Interview.
All right, Jake, thank you so much for joining me today. It's a lovely, I'm so glad to meet you. I've heard so much about you, so I appreciate it. Well, Jake, you are, to me, a very well-known person, so I feel a little silly asking you to introduce yourself. But you've done a lot of public speaking, so I know this is de rigueur. So if you wouldn't mind starting us off with an intro, brag a little bit. Tell us about how awesome you are.
Well, I'm not going to do that. But thank you ever so much. It's always great to be chatting to you, and it's amazing to be at Infosec this year. Yeah, I can always start with the fact I love crime, because I genuinely do, but I like to test what cyber criminals are up to. I always like to comment on the future a little bit as well and see what's coming around the corner that's maybe going to affect businesses in the future. And I'm lucky enough to test a lot of it out. So really, I've got this huge long background and just enjoy watching how criminals work, but now I can ethically play around with those tools and really see how businesses can be protected. So it's a great win-win for everyone. I get to have fun. And hey, all in the good spirit of learning about good old cyber education.
Yeah. And the work that you've done has been so fascinating to follow over the years. So I'm thrilled to hear that you're doing a keynote at Infosec Europe this year, where you're going to be sharing some of your findings that, I feel, almost obligatorily mention AI.
They are AI-related.
Of course, there has to be these days, isn't it?
Of course, they have to be.
Yes, indeed.
Yeah.
So maybe we start with the elevator pitch for your keynote.
I know we don't want to give too much away.
So what are you going to be sharing with the audience this year?
Well, it's pretty much what it says in the talk. It's a deepfake interview. I thought this year, why not just say exactly what it is? I've been fascinated with these deepfake interviews for a couple of years, knowing that it's been possible that people have been actually getting jobs as other people. I've been trying it for a couple of years, and I did try it two years ago and failed miserably. It was so bad. I just couldn't get it right using the deepfake technology that was available. Then, moving on, I've been able to actually do it, and then I came up with this idea that I'd actually try it on someone, see if I could actually manipulate someone. So with permission from the CEO of the business, they let me try for a job. And I got through a first interview, which I was so nervous about. So not just because I was using technology that could have failed at any moment. But I realized I hadn't been for many interviews in my life. I worked in the police force for 14 years. I only really had one interview. And then I've been working at ESET for eight years, and yeah, I only had one interview at the start then. So it all came back to me, all those nerves.
That terrible feeling.
Yeah.
But do you know what? I thought that might help, that I was nervous. Of course, if you were in an interview, you might be nervous. So I went with it. And I had some fun. And within a few minutes, I realized that the deepfake technology that I was using had ultimately fooled them into thinking that I was a real person. They weren't asking me to do any tests or anything. Ironically, we even started talking about AI in the interview. It was brilliant. I was trying not to laugh. We had lots of fun. But yeah, I got around to another interview. I started doing a presentation. I got AI to write this PowerPoint. We had loads of fun. And ultimately, I did get offered the job. But it actually doesn't stop there. That isn't actually the ending of the whole talk. There's more to it. But I don't want to give away too much more. It gets funnier.
That is wild. And yeah, definitely. So folks who are going to be attending at Infosec Europe, you have to tell me what happens next, because I'm dying to know. I have been so fascinated to be following these stories about deepfake interviews, seeing the viral videos from often the other end, when someone goes, I caught someone trying to apply for this job req that I had open. And it's been, like so many things in infosec, that cat and mouse game. But the pace at which the technology has developed has been really astounding, especially when I think of the techniques that people have been told to sort of try and spot a deepfake interviewer. But very quickly, those techniques don't work anymore. What are your thoughts on all those kinds of things that you've been seeing there? I'm just curious, because you've been in that world so much.
Yeah. You've hit the nail on the head right there. There are loads of techniques. You can ask people to wave their hand in front of their face, or talk about North Korea, funnily enough, what their thoughts are about the government there. I mean, it's kind of funny, but these don't always work, you know, because there are workarounds and the technology improves. I mean, I've seen that myself with the software that I've been using, how it improves over time. And I just think, gosh, in two years' time, it's going to be even better. So it's difficult to say, hey, do this one thing, and it's foolproof, because as it's technology, it improves all the time. And criminals know exactly how to get around things, because we as people in the industry are saying, oh, this is what you might need to look out for. And they go, right, okay, that's what we're going to do with version two. And they're very good at doing that. And so really it comes down to verifying who people are in much better ways. But what I found is speaking to, in fact, I've been doing a lot of work with HR departments in different industries, which has been a brilliant insight for me, because it's not just cyber security professionals that I've been dealing with here.
Right.
So it's HR people, who are brilliant people people. They know how to talk. They know how to get people to talk themselves. But they're not always aware of the technology that's advanced, and they are inundated with people going for the jobs that they have on offer. And so they've got us to be at the process. And lots of them, ironically, are also using AI. In fact, one of the interviews I went to, I actually spoke to an AI avatar in my very first interview. And I was using an AI avatar as a female. So it was AI talking to AI. It felt so strange. It was like an episode of Black Mirror, but it was fun.
I was going to say, I think from the infosec point of view, that is fun. And then zooming out, I go, what on earth does this mean for not just companies, but job seekers and for all of us in humanity? I mean, are we just going to go, no more remote interviews, everybody come back in person, because we can't trust anything on the screen anymore? I really wonder.
Well, I think we need a bit of both. So remote interviews, of course, they do so much to help the industry, because some jobs, they have a thousand applicants go for this one role. So they're using lots of technology and remote interviews to whittle it down to the right numbers. But there has to be an element of human interaction at some point. I've spoken to huge companies, global companies, that say that this is impossible, but then they're starting to see the help that is on offer with third parties that get involved in other countries that might have contractors, that before they go and send out a laptop, because that's ultimately what they're wanting here. It's not just to get a job to get maybe your first month's paycheck. They want that laptop so they can break in from within. And that's what's powerful here. And that has been done. And so this really was a way to prove that anyone can fall for this. It's not to point fingers at those people that are on the other end of the interview, because so many people would fall for it and don't question it. Because it's not known, especially in HR.
Yeah. Yeah, I wonder what... I imagine the advice would be changing almost day to day at this point, or is it actually? Maybe I should not assume. What is the advice that we give organizations at this point?
Yeah, to have at some point in that process to meet people in real life. The best thing would be to say, just come to our head office and we can give you that laptop, and we can check all their credentials. But at some point, that can be manipulated. This is social engineering at the highest level. There's always a reason. And by that time, they've created a friendship. I mean, in one of my interviews, one of the HR people would say, oh, my goodness, you'd so fit in here, because I pretended that I had a teaching background. She was saying, oh, Janet used to be a teacher. You'd really get on with her. And by then I'm feeling like I know extra people in the organisation. And so if I then come up with a wonderful story about even just the trains are out today and I'm not going to be able to get down, or my family member has a problem, just like all those scams we hear in, say, romance scams, for example.
Yeah, absolutely.
By the time you've got that emotional investment in there, then it can be abused. And that's what I'm really trying to hit on. And it comes out, I use loads of the footage from the interviews, because it really shows how these people get attached in these interviews.
Gosh, yeah, because people want to trust. People want to create that connection.
That's it. It's the beautiful part of humanity, but unfortunately, it is so often exploited.
And AI is such a fascinating accelerant of good and bad. I feel like sometimes the best advice is for everyone to slow down, but that is tough advice to follow in today's business world, so I don't really know how that would work. So, yeah.
I love AI. I think everyone is playing with it, and that's great. And if it can be used for efficiency, then fantastic. But yeah, we do need to have some of that time back, because I think a lot of people are saying, oh, it can make me more productive. Well, then don't do more in that extra time you've been given back. Take some time away if it's doing, say, a certain proportion of your job. That should be, therefore, something that we should take hold of and, you know, go and play with the kids, play with the dog, go and see some friends or family. That is when it really helps out.
Yeah, that's what I'm waiting for, is that part. So that's what I want to see as well. Yeah. Well, Jake, it's been a joy speaking with you. I want to make sure that you get the last word. And again, you're going to be doing the keynote at Infosec Europe. So folks who are going to be attending that, you're in for a treat for sure. Anything else you want to mention to our audience today, Jake?
Well, I think you mentioned the big word there. It's all about trust. Can we trust anyone these days? Is seeing believing? I can promise you this, on stage, it will be the real me. No deepfakes there. It won't be my avatars. It will be the real Jake Moore. And I'm hoping we get lots of people there. It'd be great to see you all there.
Wonderful.
Thanks so much for speaking with me today, Jake.
Appreciate it.
Thank you.
And of course, Maria Varmazis is host of the T-Minus Space Cyber podcast.
You can find that right here on our network or wherever you get your favorite shows.
This episode is brought to you by FedEx.
These days, the power move isn't having a big metallic credit card to drop on the check at a corporate lunch.
The real power move is leveling up your business with FedEx intelligence and accessing one of the biggest data networks powered by one of the biggest delivery networks.
Level up your business with FedEx, the new power move.
And finally, according to The Register, Nicole Beckwith of Cribl recalls investigating a breach at a U.S. city where attackers first treated the network like tourists on a casual sightseeing trip. They played with conference room projectors, wandered through city systems, and eventually discovered controls tied to the municipal water utility. That is where the story stopped being funny. The attackers gained access through an account belonging to Greg from auditing, a former employee who had not worked for the city in years. Somehow, Greg's account still held domain admin privileges, SCADA operator access, and help desk permissions, which is an impressive résumé for someone no longer on the payroll. Beckwith suspects attackers found Greg's credentials in a previous data leak and simply tried reused passwords until something worked. The incident highlights an old but persistent security problem: dormant accounts, excessive privileges, and the dangerous assumption that someone else surely handled off-boarding. As Beckwith put it, every forgotten account is just one bad day away from the evening news.
And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's lead producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltzman.
Our contributing host is Maria Varmazis.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Previously, attackers broke into systems. Now they're chaining identities together to move through your environment unnoticed. We recently spoke with Justin Kohler from SpecterOps about how attackers are exploiting common identity configurations across today's hybrid environments. Attackers are compromising one account and moving on to the next until they reach the administrator access and high-value targets thereafter. And with AI, these attacks are becoming cheaper to execute and easier to scale, putting more organizations at risk. If you want to understand what identity attack path management looks like and why it matters for defending modern environments, listen to our full conversation at explore.thecyberwire.com/specterops. That's explore.thecyberwire.com/specterops.
