CyberWire Daily - The military wants to move at cyber speed.

Episode Date: May 28, 2026

Cyber Command's new chief pushes modernization as lawmakers warn commercial location data is exposing U.S. troops. A third-party UK visa site leaks passports and selfies. Microsoft slams unpatched zero-day disclosures. Researchers uncover a new macOS malware campaign targeting crypto developers, while SEO poisoning and AI chatbots spread cryptojacking malware. Carnival confirms a massive breach tied to ShinyHunters. Plus, the alleged VenomRAT developer is extradited to France, and a Romanian hacker is sentenced for breaching Oregon state systems. Our guest is Courtney Guss, Crisis Management Director at Semperis, discussing crisis response planning. The surveillance on the bus goes round and round.

Industry Voices

On our Industry Voices segment, guest Courtney Guss, Crisis Management Director at Semperis, discusses crisis response planning. Some resources related to today's discussion:

The State of Enterprise Cyber Crisis Readiness
Rethinking Cyber Crisis Management: Why Plans Fail
The Modern Model for Cyber Crisis Management
The Missing Layer in Cyber Incident Response: Crisis Orchestration

Selected Reading

Rudd orders Cyber Command reviews as Pentagon presses reform agenda (The Record)
Exclusive: Pentagon says US military personnel are reportedly being targeted using location data (Reuters)
A Fake UK Visa Site Left 100,000 Passports Wide Open. Then Sent Lawyers Instead of a Fix. (Security Affairs)
Microsoft Condemns "Uncoordinated" Zero Day Disclosures (Infosecurity Magazine)
A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure (Microsoft)
New Threat Actor Jinx-0164 Targets Crypto Developers on macOS (Infosecurity Magazine)
GPU mining malware spreads via SEO poisoning, AI chatbots (Bleeping Computer)
Carnival confirms ShinyHunters cruised off with 6M customer records after April breach (The Register)
Malware seller hunted across three continents (eKathimerini.com)
Romanian gets 5 years in prison for hacking Oregon govt network (Bleeping Computer)
'BusPatrol' Put AI Cameras in Tens of Thousands of School Buses. Now They Want to Give Cops Access (404 Media)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Do you know how the space and cybersecurity domains connect? T-Minus Space Cyber Briefing is your guide through the space-based systems that expand the attack surface. I'm Maria Varmazis, host here at N2K CyberWire, and I'm excited to share that T-Minus is back. Now, as a weekly podcast, the T-Minus Space Cyber Briefing. We have a new dedicated focus on two great things that are even better together, space and cybersecurity. Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly internet-enabled. We're talking cybersecurity technologies, policies, and organizations that are securing the critical space-based infrastructure that powers, protects, and connects our lives here on Earth.
Starting point is 00:00:59 So join me for T-Minus Space Cyber Briefing, new episodes every Sunday. No, it's not your imagination. Risk and regulation really are ramping up, and these days customers expect proof of security before they'll even do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're getting ready for a SOC 2 or managing an enterprise
Starting point is 00:01:39 governance, risk, and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and Writer spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me, it comes down to this. Over 10,000 companies from startups to large enterprises trust Vanta to help prove their security. Get started at Vanta.com slash cyber. Cyber Command's new chief pushes modernization as lawmakers warn commercial location data is exposing U.S. troops.
Starting point is 00:02:30 A third-party UK visa site leaks passports and selfies. Microsoft slams unpatched zero-day disclosures. Researchers uncover a new macOS malware campaign targeting crypto developers, while SEO poisoning and AI chatbots spread cryptojacking malware. Carnival confirms a massive data breach tied to ShinyHunters, plus the alleged VenomRAT developer is extradited to France and a Romanian hacker is sentenced for breaching Oregon state systems. Our guest is Courtney Guss,
Starting point is 00:03:02 crisis management director at Semperis, discussing crisis response planning. And the surveillance on the bus goes round and round. It's Thursday, May 28, 2026. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining us here once again today. It is always great to have you with us. The new head of U.S. Cyber Command has ordered two reviews aimed at modernizing the military's
Starting point is 00:03:52 cyber warfare operations and accelerating organizational reform. Army General Joshua Rudd, who assumed leadership of both Cyber Command and the National Security Agency in March, tasked MITRE with conducting an outside assessment of the command structure and acquisition processes. According to officials familiar with the effort, the review could examine how Cyber Command manages personnel and procurement under its existing congressional authorities. Rudd also launched an internal study led by senior officials with special operations backgrounds to identify rapid improvements. The findings are expected to feed into his ongoing 90-day leadership review
Starting point is 00:04:36 and broader Cybercom 2.0 modernization efforts. Cyber Command faces ongoing challenges retaining elite cyber talent and rapidly fielding new capabilities. Officials say the reviews reflect pressure to move faster and align cyber operations with a more aggressive national security posture. U.S. military personnel deployed in active conflict zones have reportedly been targeted using commercially available location data collected through the digital advertising ecosystem. According to a letter from U.S. Central Command, shared by Senator Ron Wyden, officials received multiple threat reports involving adversaries exploiting commercial location data to surveil or target American forces in theater. Lawmakers said the data could reveal troop movement, gathering points, and behavioral patterns
Starting point is 00:05:32 that could support missile, drone, or roadside bomb attacks. The concerns center on the widespread trade in smartphone location data collected by apps and sold through advertising networks and data brokers. Legislators criticized the Pentagon for not moving faster to restrict tracking features on military-issued devices. Commercially available data originally intended for advertising is increasingly viewed as an operational security risk. The reports underscore how consumer surveillance infrastructure can become battlefield intelligence for hostile actors. A third-party website offering paid assistance with UK travel authorizations
Starting point is 00:06:17 exposed passport scans, selfies, and location data on a publicly accessible Amazon Web Services server. The site, UK Visa Portal, is not affiliated with the British government and is reportedly operated by UAE-registered Active LeadGen LLC. TechCrunch reported the exposed storage bucket contained at least 100,000 documents. Although the bucket did not publicly list files, researchers said anyone with the correct web address could access them. Some uploaded selfies also included embedded GPS metadata that could reveal users' home addresses. TechCrunch said it verified the exposure by contacting affected individuals directly. The company reportedly did not respond directly to repeated
Starting point is 00:07:06 security inquiries before the server was secured. Exposed identity documents combined with geolocation data create a high-value target for identity theft, fraud, and surveillance. The incident also highlights ongoing risks tied to unofficial visa and travel processing services collecting sensitive personal information. Microsoft is condemning the public release of several unpatched vulnerabilities, warning the disclosures exposed customers to unnecessary risk before fixes were available. The company said six flaws affecting Microsoft Defender, Windows BitLocker, and the Windows Cloud Filter driver were disclosed without prior coordination.
Starting point is 00:07:51 Microsoft argued the releases included proof-of-concept exploit code that could aid attackers while its team rushed to develop mitigations and patches. The company reiterated support for coordinated vulnerability disclosure practices, where researchers privately report flaws before publication. The dispute highlights growing tension between rapid vulnerability disclosure and defensive patch timelines, especially as AI accelerates security research and exploit development. Researchers at Wiz have identified a new financially motivated threat actor, tracked as Jinx-0164, targeting cryptocurrency developers through fake recruiter schemes and custom macOS malware.
Starting point is 00:08:38 The campaign begins with LinkedIn outreach impersonating recruiters or business contacts, directing victims to fake meeting sites mimicking Microsoft Teams. Targets are tricked into installing a malware strain called Audio Fix, a Python-based stealer and remote access tool disguised as an audio driver. According to Wiz, the malware steals credentials, cryptocurrency wallet data, cloud keys, and messaging sessions. The group then abuses stolen GitHub tokens to compromise development pipelines, injecting malware into internal repositories and spreading infections through software builds. Researchers also linked the actor to a trojanized npm package containing a secondary
Starting point is 00:09:26 macOS backdoor. The campaign blends social engineering, software supply chain compromise, and credential theft into a targeted operation against cryptocurrency firms. The activity also highlights growing threats to macOS environments and developer infrastructure. Microsoft researchers say threat actors are spreading GPU mining malware through poisoned search results and manipulated AI chatbot recommendations targeting users with high-performance computers. The campaign uses fake download pages for popular utility software, including CrystalDiskInfo and HWMonitor.
Starting point is 00:10:08 Victims receive trojanized zip files containing legitimate software alongside malicious code that installs the ScreenConnect remote management tool and additional malware. According to Microsoft, the attackers use persistence mechanisms, process hollowing, and Microsoft-signed binaries to evade detection before deploying cryptocurrency miners optimized for graphics processing units. The campaign combines SEO poisoning, AI-assisted deception, and stealthy malware techniques to maximize cryptojacking profits from powerful consumer and professional systems.
Starting point is 00:10:48 Carnival Corporation has confirmed that a phishing-related cyber attack exposed personal information belonging to nearly 6 million customers following an April breach attributed by researchers to the ShinyHunters extortion group. The cruise operator said the incident began with a social engineering attack targeting an employee on April 14th. After a review of compromised data, Carnival confirmed that names, addresses, email addresses, phone numbers, dates of birth, and state identification numbers were exposed. ShinyHunters previously claimed responsibility for stealing terabytes of company data and suggested negotiations over extortion demands had failed. Carnival has started notifying affected individuals
Starting point is 00:11:35 and is offering two years of credit monitoring services through TransUnion. The breach highlights the continuing effectiveness of phishing and social engineering attacks against major enterprises handling large volumes of sensitive consumer data. The incident also reflects the ongoing activity of financially motivated extortion groups targeting high-profile brands. A 39-year-old Albanian national accused of developing and selling the VenomRAT malware has been extradited from Greece to France following a multinational investigation. Authorities say the suspect, known online as Venom, was arrested in Athens in November 2025
Starting point is 00:12:19 after investigators from Australia, Greece, France, and the FBI traced his digital activity across several years. Court documents allege he sold the remote-access Trojan at least 36 times between 2021 and 2025. Investigators reportedly linked cryptocurrency transactions, phone records, and embassy correspondence to confirm his identity. The case highlights growing international coordination against malware developers operating across borders and commercial cybercrime marketplaces. A Romanian national has been sentenced to more than four and a half years in a U.S. federal
Starting point is 00:13:01 prison for hacking an Oregon state government network and selling access to other compromised systems. Prosecutors said Catalin Dragomir breached the Oregon Department of Emergency Management in 2021 and sold stolen access alongside sensitive personal data taken from the network. Authorities said he also sold access to nearly a dozen other U.S. victims, causing at least $250,000 in losses. Dragomir was arrested in Romania in 2024 and extradited to the United States earlier this year. Access brokering remains a key part of the cybercrime ecosystem, enabling
Starting point is 00:13:42 follow-on attacks against government and private sector targets. Coming up after the break, my conversation with Courtney Guss, crisis management director at Semperis. We're discussing crisis response planning, and the surveillance on the bus goes round and round. Stay with us. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave, and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free
Starting point is 00:14:44 of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at ThreatLocker.com slash N2S3 today.
Starting point is 00:15:23 When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. Courtney Guss is Crisis Management Director at Semperis. And in today's sponsored Industry Voices segment, we discuss crisis response
Starting point is 00:16:24 planning. My role here is actually to lead up a product called Ready1. It's a tool meant to support customers in managing cyber crisis related events. But I do a little bit, I wear a couple of hats here. So I do a little bit of supporting our internal crisis management and business continuity plans, as well as working with customers to solution programs of their own. Sometimes operationalizing crisis management or understanding what that means for the organization can be a daunting task or feel kind of like an overwhelming task. So really talking through what that looks like, the steps needed, not over-engineering the process. So I did that both internally and externally for customers. Well, help us understand how do most organizations go about their crisis planning?
Starting point is 00:17:14 And are there general shortcomings that you see in the work that you do? Traditionally, we've been trained as an industry to build crisis response or business continuity plans that align with compliance requirements or oftentimes audit requirements. So what are the boxes we have to check or the items we should tick off? Things like, you know, calling our cyber insurance provider or communicating with the regulator. And I think that those plans are important and those milestones are critical. But I think we have to really challenge the way we look at these things moving forward. Because our industries or our organizations today are so heavily dependent on technology, a lot of our workforce doesn't know what it's like to operate on a day-to-day basis in a manual
Starting point is 00:18:04 function. What does it look like when our technology goes out? And so I'd really love to see us as organizations, as industries challenge the way we plan and prepare and think about what kinds of decisions we're really going to need to make if things go offline or the business has a disruption, what kinds of tasks people will actually have to carry out. I think oftentimes when we exercise, we exercise decision points, but we don't necessarily exercise the execution of those decisions, the actions I have to carry. So I think traditionally the way we plan and prepare doesn't actually align with the way we operate today,
Starting point is 00:18:40 and that's what I see most often. Yeah, that's interesting because I know a lot of organizations, they will do their planning and they'll have a shelf full of binders with all the plans, right? And they'll kind of pat themselves on the back and they'll say, you know, we're good. Look, we even printed everything out. So if the computers go down, we're in good shape. But that often isn't enough. Right.
Starting point is 00:19:06 No, that's a really interesting point. And we even have customers now saying that's exactly what I'll do. I'll just take it all offline and print it out. Obviously, some concerns there. to be in the office to get it. You have to assume everyone else is in the office to read it. It also becomes a challenge to keep it up to date and relevant. But then along those lines, you've built all these plans. We tend to practice in, I think, ideal state or a bit of in a vacuum, meaning when we run tabletop exercises or we run preparedness exercises, we assume that those plans
Starting point is 00:19:39 operate as expected. We go from step one to step two to step three. But in reality, you might go from step one to step seven to step three, step four fails, you have to come up with a new one. And so I think we need to start practicing to fail, and we need to move away from static plans and playbooks to something that gives me enough information to make a dynamic decision that makes sense without getting too far off course.
Starting point is 00:20:07 And then also assuming I can access those plans and share them and all that other good logistical stuff. Do you understand, do you have, empathy for that impulse for so much of this planning to be around audits that, you know, that's an incentive? Absolutely. I mean, I come from the audit and compliance side of the house. My first foot into the cybersecurity space was managing a large-scale SOX audit here in the U.S.
Starting point is 00:20:38 And so I understand the importance from a business perspective to align with those requirements and make sure you're meeting those needs, not just from a stakeholder. finance perspective, but obviously from an industry perspective. But I think we have an opportunity to continue to hit on those requirements and markers, but make better business decisions. So how do we take all of those compliant and audit requirements, pull out the stuff that matters during a severe incident or crisis or a disruption, and really make sure we're hitting on those while not compromising or shifting the way we need to respond and recover? I think it all comes back to defensibility. If I feel like I'm making a decision that aligns with our company goals,
Starting point is 00:21:21 with our resiliency play, with what matters to the business, then I feel like I can defend that decision after the incident when all that audit and compliance comes back around for review. What are your recommendations for an organization setting their priorities? How should they go about that? Interesting. I just had this conversation yesterday with another organization. I think really understanding what matters to the business requires a lot of stakeholder discussion and involvement. It's not just what keeps the lights on and the doors open, but it's really what matters to us. And so if you're a healthcare organization, it might be patient care, our community impact. If you're more of a retail or logistics organization, it could be
Starting point is 00:22:06 maintaining stakeholder or consumer trust or availability. But I feel like if we have a good idea of what that North Star is, then you can almost reverse engineer the supporting requirements around that. So I think having very candid and frank conversations at the level of your organization that owns authority, the authority to make those decisions, and deciding what that North Star is in aligning
Starting point is 00:22:30 allows everyone else to kind of follow that guidance when they have to improvise or can make an ad hoc decision. I do think there's a couple of key pieces to identifying or prioritizing. And like I said a minute ago, the big one is who has the authority to make those decisions, who are the required stakeholders that should be in that conversation or in the room, and then really leaving with a shared alignment in terms of what matters. Because if I pulled five, you know, leaders across an organization into a room and I said, what matters to us? What are our
Starting point is 00:23:03 biggest risks? What's our North Star? I would most likely get five different answers. And so making sure we leave the room with one answer or at least one and a half answers gets us closer to the goal. Well, what happens when an organization finds themselves in this situation? You know, the pressure is on. It's not just a tabletop exercise. This is real. How do we ensure that everyone can execute when they're under this immense pressure? That's a tough one. And you won't always know how people handle these intense situations until it happens. You'll see some people step forward and some people kind of pull back, just natural human reaction. But if you don't have a plan and you don't have predefined decisions or authority points for critical milestones, then you're most likely
Starting point is 00:23:52 improvising. And I think the statistics show about 60% of organizations improvise during a cyber crisis response. And that could cost the business not only time, but a significant financial investment as well. So oftentimes what you see when you don't have that predefined decision or authority is one person is on the hook for making some really critical decisions. It could be the CISO. It could be the CEO. And depending on how those decisions fall, it could also mean somebody's job. And so I think really understanding kind of what those key steps are in a crisis, it could be if we have a ransomware attack, who makes the final decision on whether or not we pay and how much? Is that a joint decision, is that an individual decision? If it's a cyber crisis event, does the CISO have the authority to shut off the network? You know, having some of those predefined decisions and assigned authority gives the person the
Starting point is 00:24:48 empowerment that they need to make critical decisions knowing it's not going to cost them their job or their role afterwards, but also reduces additional downtime or the additional time lag to move forward in the response and recovery. I want to touch again on the compliance element of this because is it fair to say that compliance is still in the mix here. I mean, compliance still matters, but as you say, is it a matter of prioritization? Absolutely, yeah. Compliance and regulatory frameworks are definitely not going anywhere. And they do provide value. They protect consumers and stakeholders across the world. And it's important. It does provide us some alignment as well.
Starting point is 00:25:31 A lot of organizations probably wouldn't know where to start without some of those requirements. I actually had a customer asking one time, you know, who's good at this stuff? And I said, the organizations that have to be because they spend the money on it because they don't have a choice. And so it does definitely provide drive and alignment. I think a couple of areas where it gets really confusing and complex are where you're either, you know, a multinational organization, global organization, or even an organization here in the U.S. that works across multiple states, because now you're managing multiple regulatory compliance frameworks,
Starting point is 00:26:05 and that's where it can be very complex. And I think that's where prioritization becomes super critical. Not every single one of those compliance metrics are a requirement. Not every single one has clear guidelines. Oftentimes it's very gray as to how you manage those. So I think understanding what you're required to follow, what's mission critical and prioritizing those, and then understanding that hitting on these other ones are super important, but maybe not as critical, allows you to really focus on what matters when it starts to get really complex and heavy in those response times.
Starting point is 00:26:40 So what is the ultimate end goal here? How does an organization know that they're properly prepared? I think for me, if I were to say what the end goal should be or could be, it's maintaining business operations in the event of a severe disruption, the definition of resiliency, right? So for my organization, resiliency would be maintaining customer support, consumer stakeholder support, health and human safety of our employees, despite a severe disruption or incident, maybe potentially a crisis. For every organization, the definition of resiliency will vary. And so understanding what it means for us to maintain minimum viable operations in the event of one of these events is super important. And then from there, aligning to what kind of requirements we might have to fall to,
Starting point is 00:27:31 depending on where the incident is and who's impacted is going to determine which regulatory and compliance requirements I have to hit on. And so I think aligning on kind of what resiliency means for us, because that's what's going to be what matters. And then really focusing on what those key prioritized items are during that time does take quite a bit of planning and conversation. So I was looking at a response and recovery playbook development for something like that. I might say for an outage, these are the critical operations. I want to be
Starting point is 00:28:01 focused on restoring. These are the people that are impacted by those critical operations. And these are the kind of reporting or regulatory requirements I have in a situation like this. Try not to overcomplicate it more than that because you're going to have to make a lot of improvised decisions. We don't have to over-engineer these playbooks and scenario preparation plans. But at the same time, just give me what's most important. So I make sure I don't miss those and we'll figure out the rest. That's Courtney Guss, crisis management director at Semperis. For more links related to today's discussion, please check out our show notes. And finally, BusPatrol, the company behind AI-powered cameras on more than 40,000 U.S. school buses,
Starting point is 00:29:06 is reportedly preparing to expand those systems into full-time automated license plate readers. In other words, the big yellow bus may soon be doing more than carrying kids and stopping traffic. It may also be cataloging where everyone else was driving that afternoon. According to leaked documents reviewed by 404 Media, the upgraded system would photograph passing vehicles, log license plates and GPS locations, and make that data searchable by law enforcement, potentially through integrations with Axon. Critics warn the plan transforms a child safety tool into a mobile surveillance network, raising concerns about warrantless tracking, ICE access, and mission creep. BusPatrol internally acknowledged the controversy, but reportedly believes the child protection angle will help sell
Starting point is 00:30:01 the expansion. Mobile license plate systems dramatically widen surveillance coverage compared to fixed cameras. Privacy advocates say the technology risks normalizing mass tracking under the banner of public safety, a familiar pattern in the post-9/11 surveillance era. The surveillance on the bus goes round and round. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
Starting point is 00:30:53 changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
