CyberWire Daily - The exploit that writes its own story.
Episode Date: May 6, 2026CISA warns CopyFail is under active exploitation. Attackers compromise installers for a widely used disk imaging utility. MuddyWater masks cyberespionage as ransomware. Attackers spread malware throug...h a fake OpenClaw plugin. Researchers ID a new Linux RAT. Vimeo blames a third party provider for a recent breach. Palo Alto’s Captive Portal is under attack. The FTC settles with a data broker over location sharing. A former Conti gang member gets jail time. Our guest is Dov Yoran, CEO of Command Zero, discussing how cybersecurity teams are fighting AI with AI. Geotargeting turns creepy. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Dov Yoran, CEO of Command Zero, discussing how cybersecurity teams are fighting AI with AI. Selected Reading Attackers are cashing in on fresh 'CopyFail' Linux flaw (The Register) Hackers compromise Daemon Tools in global supply-chain attack, researchers say (The Record) Iranian APT Intrusion Masquerades as Chaos Ransomware Attack (SecurityWeek) Malicious OpenClaw Skill Targets DeepSeek Agentic AI Workflows (Cyber Press) Sophisticated Quasar Linux RAT Targets Software Developers (SecurityWeek) ShinyHunters claims dump puts 119K Vimeo emails in the wild (The Register) Palo Alto Networks warns of firewall RCE zero-day exploited in attacks (Bleeping Computer) FTC bans data broker Kochava from selling sensitive location info (The Record) Conti, Akira Affiliate Sentenced to 102 Months in Prison for Ransomware and Extortion Operations Targeting over 50 Organizations (TechNadu) A college student is suing a dating app that allegedly used her TikTok videos to target men in her dormitory (CyberScoop) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
No, it's not your imagination.
Risk and regulation are ramping up,
and customers expect proof of security just to do business.
That's where Vanta comes in.
Vanta automates your compliance process
and brings compliance, risk, and customer trust together
on one AI-powered platform.
Whether you're preparing for a SOC 2
or managing an enterprise GRC program, Vanta helps keep you secure and your deals moving.
Companies like Ramp and Writer reports spending 82% less time on audits.
That's not just faster compliance, that's more time to focus on growth.
When I look around the industry, I see over 10,000 companies from startups to big enterprises
trusting Vanta.
Get started at vanta.com slash cyber.
Sisa warns copy fail is under active exploitation.
Attackers compromise installers for a widely used disk imaging utility.
Muddy water masks cyber espionage as ransomware.
Attackers spread malware through a fake open claw plug-in.
Researchers ID a new Linux rat.
Vimeo blames a third-party provider for a recent breach.
Palo Alto's captive portal is under attack.
The FTC settles with a data broker over locations sharing.
A former Conti gang member gets jail time.
Our guest is Dov Yoran, CEO of Command Zero, discussing how cybersecurity teams are fighting AI with AI.
And geo-targeting turns creepy.
It's Wednesday, May 6, 2026.
I'm Dave Bittner, and this is your Cyberwire Intel Briefing.
Thanks for joining us here today.
It's great as always to have you with us.
SISA is warning that a newly disclosed Linux kernel flaw called copyfail is already being exploited,
days after researchers released a working route-level exploit.
The bug allows low-privileged users to gain full route access on vulnerable Linux systems.
Cybersecurity Consultancy Fiore says its AI-powered testing platform, Exint,
discovered the flaw and reported it in March.
The company later released a proof-of-concept exploit that works against Ubuntu, Amazon Linux,
Red Hat Enterprise Linux, and Sousay systems.
Researchers warned most mainstream Linux kernels released since 2017 may be vulnerable.
The attack requires minimal access and no user interaction,
making it useful for attackers who already have an initial foothold.
Sisa has added the flaw to its known-exploited vulnerabilities catalog and ordered
federal agencies to patch by May 15th. Microsoft says it is already observing early exploitation
activity following the exploits release. Researchers at Kaspersky say attackers compromised installers for
demon tools, a widely used disk imaging utility, and distributed malware through the software's
official website in a global supply chain attack. The malicious installers affected multiple versions
and were first observed in early April.
Kasperski says thousands of infection attempts have been recorded across more than 100 countries.
Most victims received a basic information-stealing payload,
while a smaller number of targets in government, science, manufacturing, and retail sectors
received more advanced malware, including a back door linked to QuickRat.
Trusted software distribution channels remain a high-value target for attackers.
supply chain compromises can bypass traditional trust controls and quickly scale across organizations
using legitimate software updates.
Disk Soft, the Latvia-based developer behind Demon Tools, says it is investigating.
Researchers at Rapid Seven say the Iran-linked threat group Muddy Water conducted an intrusion
that appeared to be ransomware but operated more like a cyber espionage campaign.
The attackers reportedly used Microsoft Teams social engineering to gain access through screen sharing sessions,
then harvested credentials, manipulated multi-factor authentication protections,
and deployed remote access tools, including any desk, and DW agent.
Rapid 7 says the group conducted reconnaissance moved laterally and exfiltrated data,
but never deployed file-encrypting ransomware.
Instead, the attackers used chaos ransomware branding and extortion emails
as apparent false flags while maintaining persistence in the victim environment.
The operation blurred the line between espionage and financially motivated cybercrime,
potentially delaying incident response and attribution efforts.
Rapid 7 linked the activity to muddy water with moderate confidence based on influence,
based on infrastructure, malware, and operational patterns associated with previous campaigns
tied to Iran's Ministry of Intelligence and Security.
Researchers at Z-scaler Threat Labs say attackers are abusing the OpenClaw AI Automation Framework
to distribute malware through a fake plugin called DeepSeek Claw.
The campaign targeted developers and autonomous AI agents by embedding malicious instructions into
plug-in files downloaded from public repositories. On Windows systems, the malware chain
deployed the Remcos Remote Access Trojan using DLL side-loading with a legitimate go-to-meeting
executable. On MacOS and Linux, attackers used obfuscated Node.js scripts and fake password prompts
to steal credentials, SSH keys, cryptocurrency wallets, and cloud API tokens. Z-scaler says the campaign
also delivered the ghostloader information stealer.
The operation highlights growing risks tied to high-privileged AI tools and third-party AI
plugins. Researchers warn that autonomous AI agents introduce new attack services with broad
system access, making supply chain vetting and behavioral monitoring increasingly important
for enterprise defenders.
Researchers at Trend Micro have identified a Linux remote access.
Trojan called QLNX that appears designed to steal developer credentials and compromise software
supply chains. The malware targets Amazon Web Services credentials, Kubernetes tokens, Docker Hub
logins, Git Access tokens, NPM authentication tokens, and Pi Pi API keys. Trend Micro says attackers
could use the stolen credentials to publish malicious software updates or pivot into cloud environments.
QLNX includes multiple stealth features, including memory-only execution, root-kit functionality,
log-clearing, and six separate persistence mechanisms.
The malware also deploys plug-able authentication module backdoors to harvest credentials
and supports dozens of commands for remote control, file manipulation, and data theft.
Researchers warn the malware's danger comes from how its capabilities work together
to establish long-term stealth and persistent access inside developer environments.
A successful compromise of a software maintainer could expose downstream users through poisoned packages
and altered build pipelines.
Vimeo says a breach affecting more than 119,000 users originated through third-party analytics
provider Anadot, not Vimeo's own systems.
According to Have I Been Poned, attackers accessed customer email addresses and some associated names.
Vimeo says the stolen data also included video titles and metadata, but not video content,
login credentials, or payment card information.
The company linked the incident to compromised Anadot integrations and says it has since disabled
the connection, revoked credentials, and launched an investigation with outside security support.
Researchers and breach analysts warn that exposed email lists tied to contextual account data can fuel targeted fishing campaigns for years after a breach.
Palo Alto Networks is warning customers that attackers are exploiting a critical zero-day flaw in the PanOS user ID authentication portal, also known as the captive portal.
The buffer overflow vulnerability allows unauthenticated attackers to execute arbitrary code with root privileges,
on exposed PA series and VM series firewalls.
Hallo Alto says limited exploitation has already been observed
against internet-facing systems.
The company has not yet released a patch
and is urging customers to restrict portal access
to trusted internal networks
or disable the feature entirely.
Shadow Server says more than 5,800 vulnerable VM series firewalls
remain exposed online.
The Federal Trade Commission and data broker Kachava have reached a proposed settlement that would bar the company from selling or sharing sensitive location data without explicit consumer consent.
The FTC accused Kachava in a 2023 complaint of collecting and selling detailed geolocation data, mobile device identifiers, app usage information, and income data.
Regulators said the company's data could reveal visits to.
places like health clinics and houses of worship without users' knowledge. Under the agreement,
Kocchava must implement programs to track sensitive locations, verify consent from data suppliers,
limit data retention, and allow consumers to withdraw consent or request information about data sales.
The case highlights growing regulatory pressure on the location data industry and the risks tied
to large-scale collection of precise consumer movement data.
data. Kachava says the settlement reflects its commitment to privacy and responsible data practices.
A Latvian national accused of working with former members of the Conti Ransomware Group
has been sentenced to 102 months in prison for conspiracy involving wire fraud and money laundering.
U.S. authorities say Dennis Zola Tarjoff participated in ransomware operations between 2021 and
2003 that targeted more than 54 organizations using malware families, including Conti, Akira,
Royal, and Karakert. Investigators say the attacks caused hundreds of millions of dollars in losses
and involved the theft of sensitive personal and health information. Zola Tarjov was arrested in Georgia in
2003, extradited to the U.S. in 2024, and pleaded guilty last year. The case underscores continued
international cooperation against ransomware operators and highlights how former Conti
affiliates continue to appear across multiple ransomware as a service operations years after
the group's original disruption.
Coming up after the break, my conversation with Dov Yaron, CEO of Command Zero, discussing
how cybersecurity teams are fighting AI with AI.
And geo-targeting turns creepy.
Stay with us.
And now a word from our sponsor, the Center for Cyber Health and Hazard Strategies, also known as CHS.
Looking for a graduate degree that will give you an edge on your professional career?
Earn a Master of Science in Law at University of Maryland Carey School of Law.
This part-time two-year online graduate degree program is designed for experienced professionals to understand laws and policies that impact your industry.
Learn from CHS faculty.
who are experts in their field.
No GRE required.
Learn how you can master the law without a JD at law.
U.Maraland.edu.
Dov Yoran is CEO of Command Zero.
I recently got together with him
to learn how cybersecurity teams
are fighting AI with AI.
So today we're talking about AI
and how folks are kind of
fighting fire with fire when it comes to AI.
Can we start?
Start off with some high-level stuff.
Can you give us a little bit of the history and background
of what led us to this particular place
where we find ourselves when it comes to AI
and how people are using it in their socks?
Yeah, it's been a gradual process.
You know, always refining and helping this,
you know, sock analysts move forward
and continue to increase their productivity
given, you know, technology gains, cloud, SaaS and other things.
And AI is really the next revolution in that series.
So that's something that's been a gradual step-up, if you will.
And now with the advent of AI, it's been an incredible catapult moving forward
to really level the playing game amongst analysts of different experiences.
levels and different size of organizations and so on and so forth.
So where do we stand right now when it comes to the threat actors adopting these AI tools?
Attackers move pretty fast and they're unencumbered by, you know, procurements and the legal
process, right? So the clearest examples are an automation and skill, right? You know,
AI lets adversaries chain tools together autonomously, reconnaissance, you know, lateral movement,
ex-filtration, right, with the speed and precision that wasn't really possible before.
So they're effectively leveraging and operating with, you know, LLM speed.
So while we're also seeing AIUs to craft, you know, more convincing, you know, fishing and social engineering attacks, you know, like volume at a at scale, you know, so we used to require skilled human now takes, yeah, just a few moments of generating.
to generate and personalize at scale.
That's obviously a big concern, right?
You know, AI is lowering that barrier of attack, you know, that sophistication, right?
You don't need nation state teams and technologies and resources to run advanced, you know,
operations anymore, right?
That's asymmetrical, right?
Defenders are still largely doing manual parts.
and try to increase their SOC efficiencies.
But that's a pretty core problem that we're trying to solve right now in the industry.
And so on the defender's side, what sorts of tools are available to them
to help ward off these AI threats?
Yeah, the most immediate impact is investigation speed, what we hope.
But, you know, platforms such as Command Zero, right, you know, being able to, you know,
to have a thorough alert investigation
that used to consume an analyst's entire day,
right, with AI agents,
that same investigation can be completed in minutes.
So you're pulling context from various platforms in the environment,
from your endpoints, from your identity,
from your email, from your cloud,
threat intel, so on and so forth, right?
And you're delivering really a more comprehensive report
with a verdicts.
And speed is certainly a high mark, but that's really only part of it.
The deeper value is the consistency and thoroughness, right?
Not human analysts have good days and bad days.
But AI agents don't, right?
And so every investigation follows similar methodologies, asks the same levels of questions,
the same standard, the same consistencies, you know, that manual processes can really have a tough time delivering at scale.
So at Command Zero, we're seeing AI compress that skills gap,
but I mentioned earlier, between your junior or your lesser experience folks
and your more experienced teams.
And so those tasks that once required just senior analysts
because they needed that experience,
that knowledge of different applications across different platforms
can now be done in a much simpler way
and in a much more consistent way across that entire team.
That, we think, is that big sea change and structurally changing how SOX operate today, you know, leveraging AI as part of that solution.
Can you share with us what the onboarding process is like?
As people adjust to the new reality of these tools, is there a period of time where they're kind of gaining trust with them?
They're getting used to them, you know, seeing how the changes.
are going to be implemented in their world?
Our experience is incredibly short, right?
It's a matter of days, sometimes a week or two.
It's understanding the environment is deploying.
It's a cloud-only solution set.
So having access to some of the data elements,
enabling that takes minutes and auto-generated content,
usually within a few hours.
And the team honestly can rock and roll
They're looking at the events.
They're being guided through and shown investigations.
They're looking at conclusions and all the very underlying data that comprises of those conclusions
and even subordinate conclusions that weren't finalized.
All those things are really make for a rich experience.
And it really up-levels all those analysts in our client base, right?
The more experienced tier three folks, you know, have the ability to leverage
and replicate their investigations
and to more junior folks
and, you know, showing that ability,
not only ability, but that comprehensive outlook
on what was discovered and what remediation
and conclusions are driven from that
as opposed to, or in addition to the more junior team members
now being able to ask questions
and follow an auto-prompt
and auto-generate investigations
on data sources that they wouldn't normally be able
to master without more experience.
How are we ensuring that appropriate guardrails are put on these systems to make sure that
they don't stray beyond what we want them to do?
Yeah, that's a great point.
And that's, I think, a major concern enterprises should be mindful of.
What we get to keep taps on that is we have very specific and very limited use of,
agents and how they're being deployed, the types of things that they have access to, the types of
questions that they have in their arsenal and the types of information that they're collecting.
From our standpoint, all of that is completely transparent, right? So you can see a full
rap sheet on what was asked, how it was asked, the types of information that was drawn back.
in my opinion that trust in AI is built on this transparency and the auditability and the reproducibility and the reproducibility of these investigations.
So having these agents as part of a human investigation collaborating deeply with the human, right?
All these things are reproducible and more deterministic.
I think all of those are helpful in the checks and balances of keeping a problem.
proper governance model on your agents as opposed to, you know,
letting them just run wild in the environment.
What is your sense for where we're headed with these things?
I mean, I think it's, it seems like certainly AI is our future here,
but do you have any sense for where this might grow into?
What are some of the things that people can look forward to?
Yeah, I mean, listen, it is great.
And even the short term, even now, right, the mundane tasks and the TDs tasks that are, you know, even prone to error and user error because they're so repetitive, a lot of those things can be automatically pulled out and addressed by agents.
So it is really up-leveling that human talent and trying, you know, enabling more creativity and more superhuman capabilities of leveraging better automation and agentic.
workflows into their environment.
Honestly, I see it expanding to
beyond just the pure
security operation center into
other adjacencies,
into cyber and into other
domains of the, you know,
CISO's charter
and domain
of control, span of control.
Similarly, how that reflects
AI in general. How we're seeing that
transform and broadments
reach in and across society
at large. So it
It's super exciting.
That's Dov, you're on from Command Zero.
One day, you're negotiating with suppliers.
The next, you're installing a shelf in the back room.
Running a business means moving in many directions all the time.
TD's new small business banking accounts are built for how your business moves.
It's how we're making banking more human.
And finally, a 19-year-old University of Tennessee student
is suing the makers of the dating app Meet, that's M-E-E-T-E.
Alleging the company turned a harmless TikTok graduation video
into an ad suggesting she was looking for friends with benefits.
Then, Gio-targeted the promotion to people near her dorm.
College introductions can be awkward enough to begin with,
but according to the lawsuit, she discovered it by people introducing themselves,
saying, hey, I keep seeing your dating app ad on Snapchat.
The complaint alleges Meat edited her video, added graphics, and a voiceover, and used location-based
targeting to serve the ads to nearby men without her consent.
Her attorney says the campaign damaged her reputation and created real safety concerns by falsely
implying she endorsed the app and was soliciting hookups.
The case highlights how simple editing tools and ad-tartagnation.
targeting systems can weaponize someone's likeness without sophisticated AI.
Snap says it's investigating, while Meets listed publisher, which advertises safety and respect first,
has not publicly responded.
And that's The Cyberwire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead.
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey
in the show notes or send an email
to Cyberwire at N2K.com.
N2K's lead producer is Liz Stokes.
We're mixed by Trey Hester
with original music and sound design
by Elliot Peltzman.
Our contributing host is Maria Vermazas.
Our executive producer is Jennifer Ibin.
Peter Kilty is our publisher
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.