CyberWire Daily - The era of AI-powered attacks is here.

Episode Date: May 14, 2026

Google says AI-powered cybercrime has gone industrial scale. Two new Windows zero-days emerge. Signal threatens to leave Canada over lawful access legislation. Pentagon-linked influence operations shift to paid ads. Linux admins scramble to patch a new root-level flaw. FamousSparrow targets Azerbaijan’s energy sector. Cisco announces layoffs despite record revenue. An alleged Dream Market administrator faces cryptocurrency money laundering charges. Our guest is Cynthia Kaiser, SVP of Ransomware Research Center at Halcyon, discussing "Akira Ransomware Attacks in Under an Hour." The surveillance will continue until employee sentiment improves.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Cynthia Kaiser, SVP of Ransomware Research Center at Halcyon, is discussing "Akira Ransomware Attacks in Under an Hour."

Selected Reading
Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access (Google Cloud Blog)
Mystery Microsoft bug leaker keeps the zero-days coming (The Register)
Signal warns it would pull out of Canada if made to comply with lawful access bill (The Globe and Mail)
Fewer Bots, More Ads: The Pentagon’s Evolving Online Influence Campaigns (Lawfare)
New Fragnesia Linux flaw lets attackers gain root privileges (Bleeping Computer)
FamousSparrow Targeted Oil and Gas Industry via MS Exchange Server Exploit (Hackread)
KongTuke hackers now use Microsoft Teams for corporate breaches (Bleeping Computer)
Our Path Forward (Cisco Blogs)
German citizen charged with laundering funds linked to prominent darknet marketplace “Dream Market” (United States Department of Justice)
The Rise of Emotional Surveillance (The Atlantic)

Share your feedback.
What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more.
Starting point is 00:00:39 Doppel, outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com. Google says AI-powered cybercrime has gone industrial scale. Two new Windows zero-days emerge. Signal threatens to leave Canada over lawful access legislation. A Pentagon-linked influence operation shifts to paid ads. Linux admins scramble to patch a new root-level flaw,
Starting point is 00:01:21 FamousSparrow targets Azerbaijan's energy sector, Cisco announces layoffs despite record revenue. An alleged Dream Market administrator faces cryptocurrency money laundering charges. Our guest is Cynthia Kaiser, SVP of the Ransomware Research Center at Halcyon, with the latest on the Akira ransomware group. And the surveillance will continue until employee sentiment improves. It's Thursday, May 14th, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Starting point is 00:02:07 Thanks for joining us here today. It's great as always to have you with us. Google Threat Intelligence Group reports that AI-driven cyber threats have evolved from experimental use into industrial-scale operations. According to GTIG, threat actors are now using generative AI for vulnerability discovery, malware development, defense evasion, and large-scale information operations. Researchers identified what they believe is the first AI-developed zero-day exploit, potentially intended for mass exploitation. AI-enabled malware, such as Prompt Spy, demonstrates increasingly autonomous attack behavior, while adversaries linked to China, North Korea, and Russia are integrating AI into offensive
Starting point is 00:03:08 workflows. Attackers are also targeting AI supply chains and using anonymized infrastructure to abuse large language models at scale. GTIG says AI remains a dual-use technology serving both attackers and defenders. Google reports it's using AI tools like Big Sleep and CodeMender to identify vulnerabilities, automate fixes, and strengthen defenses against evolving threats. An anonymous researcher known as Nightmare Eclipse, also called Chaotic Eclipse, has disclosed two additional Windows zero-day vulnerabilities following Microsoft's latest Patch Tuesday update. The flaws, dubbed Yellow Key and Green Plasma, reportedly enable BitLocker bypass and privilege
Starting point is 00:03:59 escalation attacks. According to The Register, Yellow Key requires physical access and a specially prepared USB drive to gain shell access to BitLocker-protected systems, raising concerns about stolen devices and data exposure. Security experts said organizations can partially mitigate the threat using BitLocker PINs and BIOS passwords. Green Plasma includes partial exploit code that could eventually enable system-level access, although researchers noted it still triggers User Account Control prompts
Starting point is 00:04:34 in default configurations. These disclosures follow earlier leaks from Nightmare Eclipse, including Blue Hammer, Red Sun, and Undefend. Some previously linked exploits were reportedly adopted quickly in real-world attacks, raising concerns about additional future disclosures. Secure messaging platform Signal says it could withdraw from Canada if Bill C-22 forces changes that weaken U.S. user privacy or encryption protections.
Starting point is 00:05:08 Signal's vice president said the company has serious concerns about Ottawa's proposed lawful access regime, which would require telecom and electronic service providers to support surveillance capabilities for law enforcement and the Canadian Security Intelligence Service. Signal warned that mandated system changes could introduce exploitable vulnerabilities and make encrypted platforms attractive targets for foreign adversaries and cybercriminals. The bill could also require certain providers to retain metadata for up to a year. Privacy advocates and technology companies argue the legislation could fundamentally weaken end-to-end
Starting point is 00:05:47 encryption and require permanent structural changes to secure communication systems. Canadian officials maintain the bill is encryption neutral. A new analysis suggests Pentagon-linked online influence operations have shifted away from fake social media personas and toward paid promotion of quasi-news websites targeting audiences across the Middle East, Latin America, Russia, and Asia. The report identifies a network of multilingual sites tied through shared infrastructure,
Starting point is 00:06:23 advertising activity, and code patterns. Unlike earlier covert campaigns that relied on coordinated inauthentic behavior, the newer network appears to amplify mostly factual, selectively framed content through advertising on X, Meta, and Google platforms. Researchers linked the sites to contractor General Dynamics Information Technology, which reportedly ran ads promoting the outlets. The operation reflects an evolution in state-backed influence tactics. Instead of fabricated engagement or bot farms, the newer model appears
Starting point is 00:07:01 designed to shape narratives through targeted distribution, selective framing, and reduced transparency around sponsorship. Linux distributions are deploying patches for a newly disclosed high-severity privilege escalation vulnerability that allows local attackers to gain root access on vulnerable systems. Nicknamed Fragnesia, the flaw affects Linux kernels released before May 13, 2026. Researcher William Bowling of Zellic said the bug stems from a logic error in a Linux subsystem. According to Bowling, attackers can exploit the flaw to write arbitrary bytes into the kernel page cache of read-only files, enabling modification of protected binaries to obtain root shells.
Starting point is 00:07:51 A proof-of-concept exploit has already been released publicly. Fragnesia belongs to the broader Dirty Frag class of Linux privilege escalation vulnerabilities, which security researchers say can undermine core system protections. Administrators are being urged to patch immediately or disable affected kernel modules where possible. Researchers at Bitdefender Labs say the China-aligned threat group FamousSparrow targeted an Azerbaijani oil and gas company in a multi-wave intrusion campaign spanning late 2025 through early 2026. According to the report, the attackers exploited the ProxyNotShell vulnerability to compromise a Microsoft Exchange server and employ the SnappyBee, or Deed RAT, backdoor through DLL side-loading.
Starting point is 00:08:45 In later stages, the group introduced turn-door malware and a rootkit-enabled driver to gain deeper system control, steal administrator credentials, and move laterally across the network using Remote Desktop Protocol and Impacket tools. Researchers said the attackers repeatedly regained access through the same unpatched Exchange vulnerabilities despite remediation efforts. The campaign highlights how advanced threat actors maintain persistence by repeatedly exploiting unresolved entry points
Starting point is 00:09:18 while adapting malware and evasion techniques over time. Cisco says it will cut fewer than 4,000 jobs as part of a broader restructuring tied to its push into AI, networking, and other strategic growth areas. In a memo titled Our Path Forward, CEO Chuck Robbins praised employees for delivering record quarterly revenue of $15.8 billion and double-digit growth, even amid supply chain pressures and intensifying competition. The company said the restructuring is intended to realign resources around AI infrastructure and future investments. Cisco also said affected employees will receive severance support and one year of access to Cisco training and certification programs.
Starting point is 00:10:10 For workers impacted by the cuts, the announcement lands amid strong financial performance, underscoring the uncertainty many technology employees face as companies redirect spending toward AI-focused priorities and operational restructuring. U.S. prosecutors have indicted O. Martin Andresen, a German national accused of serving as the primary administrator of the now-defunct Dream Market darknet marketplace and laundering millions in criminal proceeds. According to the indictment, Andresen allegedly controlled cryptocurrency wallets tied to Dream Market after the platform shut down in 2019 under law enforcement pressure. Investigators say he moved funds from dormant marketplace wallets
Starting point is 00:10:59 into consolidated accounts beginning in 2022, then used cryptocurrency to purchase gold bars shipped to Germany. Authorities allege he laundered more than $2 million between 2023 and 2025. During coordinated searches in Germany, investigators reportedly seized roughly $1.7 million in gold bars and identified additional bank accounts and cryptocurrency holdings. The case highlights how law enforcement agencies continue tracing cryptocurrency transactions years after darknet marketplaces disappear, targeting the financial infrastructure that supports transnational cybercrime and narcotics trafficking. Coming up after the break, my conversation with Cynthia Kaiser from Halcyon.
Starting point is 00:11:57 She brings us the latest from Akira ransomware. And the surveillance will continue until employee sentiment improves. Stay with us. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of responders reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps, without compromising performance, time to market, or user experience.
Starting point is 00:12:46 Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. No, it's not your imagination. Risk and regulation are ramping up, and customers expect proof of security just to do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform.
Starting point is 00:13:23 Whether you're preparing for a SOC 2 or managing an enterprise GRC program, Vanta helps keep you secure and your deals moving. Companies like Ramp and Ryder report spending 82% less time on audits. That's not just faster compliance, that's more time to focus on growth. When I look around the industry, I see over 10,000 companies from startups to big enterprises trusting Vanta. Get started at vanta.com slash cyber. Cynthia Kaiser is Senior Vice President
Starting point is 00:14:12 of Ransomware Research at Halcyon. I recently caught up with her to discuss their recent report, Akira Ransomware Attacks in Under an Hour. Akira's one of the most significant threats we're tracking. FBI, actually last week, put out their Internet Crime Report
Starting point is 00:14:31 for 2025, and listed it as the number one group. But what I would say about it is it's really one of the most kind of professional, business-optimized groups we follow. They're volume-driven. They're trying to make a lot of decisions so that it incentivizes victims to pay. And not all of those are really dastardly. Some of them are just more efficient. But one of the things your research highlights here is the speed at which Akira can do
Starting point is 00:15:03 the things that they're up to. Can you take us through that? I mean, some of these can happen in under an hour. That's crazy, right? Like, think of that a few years ago. We used to believe, right? Yeah, we used to believe, hey, an actor gets on the network, and they're going to kind of look around, move laterally, find what's useful.
Starting point is 00:15:23 And defenders assumed they had weeks of dwell time to really identify these threat actors. But Akira has taken kind of their experience, their ability to rapidly operationalize certain vulnerabilities and then move incredibly quickly using a playbook across a network to be able to go from initial access to full encryption. And sometimes under an hour, but I would even say most often, about four hours. That's so fast.
Starting point is 00:16:01 I mean, that's dinner with your family and then it's done. I don't know how any human really can keep up with that. Well, you talk about the full attack life cycle. What happens during that window between initial access to encryption? So Akira typically is able to get onto networks through the exploitation of certain vulnerabilities. One of those really is the SonicWall vulnerabilities that we've been able... that I've seen several actors start to use. But they're getting on there, they're establishing that initial foothold, starting to develop and identify credentials, and then they rapidly cascade into a
Starting point is 00:16:50 full domain compromise. So they'll commonly use tools when they go across your network that are often found already there. They're using Impacket, like data staging tools. They are developing persistence through things like AnyDesk. And then using just other items, which we've seen across other attack cycles, but what makes it really fast and what makes a lot of the groups nowadays much faster is as they're going through and looking across the network, they're really targeting hypervisors.
Starting point is 00:17:29 And that's the heart of a network that allows for the virtualization across it all, right? We're all connected more. We all have more connected devices than we did in the past. If a group like Akira is able to stage there, they can try to encrypt over 100 servers at once. And that can be just really impactful very quickly. So talking about the speed here, is this mostly the result of automation? Is it, are they pre-positioning themselves before encryption?
Starting point is 00:18:06 How do they achieve this? So in a few ways. One is the hypervisors that I talked about. Those have really just rapidly increased the speed across most ransomware groups because it allows speed across your own network. It allows speed for when the ransomware actors are trying to do a lot of things at once. But Akira has taken this, I think, to a different level. As they're encrypting files,
Starting point is 00:18:31 they're actually not encrypting 100% of the file. In certain large files, they're only encrypting 1% of that file because they know that still makes it inaccessible to you. But it also speeds up their operations significantly in going through
Starting point is 00:18:47 and being able to encrypt files rapidly. Now, I think it's really tempting to say, oh, it must be AI, right? That's why these actors have been able to go so fast. And I mean, yeah, I'm sure groups like Akira have been able to incorporate same ways
Starting point is 00:19:06 we all do business efficiency on our end. But it really is a lot more just about repetition, having a playbook, being more deliberate and executing your operations via that playbook, and then using some of these tools like hypervisors like encryption of only a small percentage of the file to speed it up even further. Yeah, one of the things
Starting point is 00:19:29 that really surprised me in your research was how much Akira invests in making sure that victims can actually recover their files after paying. Why is it important for them to prioritize that? Well, it's interesting, right? Because most ransomware groups we see, they put a lot more effort into breaking things than they do fixing things. But because Akira is, it sees itself as a business and it believes its operational success is predicated on creating efficiencies, being able to do volume, making sure people pay. They've spent a much more significant time developing decryptors that actually work. I actually talked to an incident responder who told me once, like, I almost want to tell people
Starting point is 00:20:21 that got encrypted by Akira, like, congratulations, you're probably going to get your files back a lot more. And that's not an advertisement for them, right? It just shows that they really are trying to influence, not just the victims who may or may not know that aspect, but the incident responders and negotiators, everybody who's involved in an incident response, when they have the knowledge that, well, this decryptor works more than this decryptor
Starting point is 00:20:47 or, hey, if you pay, maybe you're going to be able to get more of your files back. I mean, that matters. And it shows how Akira really, is thinking about the broad spectrum of how a victim experiences a ransomware attack to try to maximize their financial gains.
Starting point is 00:21:05 Yeah, it really, I guess, reflects the level of professionalism that we have with a high-level group like Akira. Well, it makes it scary to talk about professionalism among ransomware actors because it means they've been allowed
Starting point is 00:21:20 to operate with such impunity that they've been able to develop that repetition. They've been able to develop those playbooks and develop that professionalization. It makes me kind of mad. So what are your recommendations here, based on all the information that you put together in this research?
Starting point is 00:21:36 How should defenders best position themselves to protect themselves here? Overall, organizations that have not yet addressed exposed VPN appliances, legacy credentials, and gaps in multi-factor authentication enforcement really are the most at risk to Akira attacks. So ensuring that you are patching the vulnerabilities that are exploited specifically by Akira,
Starting point is 00:22:06 monitoring and restricting remote services, the misuse of valid accounts, ensuring that you can reduce your exposure from trusted relationships, third-party pathways. A lot of that is going to sound very familiar to everyone. But here's what I'd emphasize. If Akira can go from initial access to full encryption in one hour, humans can't necessarily intervene in that amount of time. You really have to
Starting point is 00:22:39 focus in on automated tools that detect, contain, and kick off threat actors before even some of our teams can get to answer their phones, because if we're doing that process, it's too late. So really getting into that automation, assuming you could be breached. So what happens? How do I quickly address it? What tools can I put in place to quickly address it? That's the most important thing when you're looking at such a speedy type of attack. That's Cynthia Kaiser, Senior Vice President of the Ransomware Research Center at Halcyon. Most environments trust far more than they
Starting point is 00:23:33 should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave, and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust
Starting point is 00:24:03 principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com slash N2K today. And finally, a growing industry known as emotion AI promises employers something managers have apparently dreamed of for centuries, not just productive workers, but cheerful, agreeable ones too.
Starting point is 00:24:58 In a sweeping look at workforce surveillance, The Atlantic's Ellen Cushing described software that analyzes faces, voices, emails, and chat messages to measure emotions like attentiveness, positivity, and frustration. Some systems monitor call center tone, truck driver fatigue, or employee friendliness, while others score job candidates during interviews. One fast-food headset assistant is even named Patty, because nothing says human connection quite like being emotionally evaluated by a branded chatbot during the lunch rush. Researchers and privacy advocates warn the technology often rests on shaky science and can misread context, culture, disability, or simple concentration as negativity. Still, companies continue adopting these tools
Starting point is 00:25:52 as workplace analytics expand from measuring what employees do to measuring how pleasantly they appear to do it. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review
Starting point is 00:26:33 in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
