CyberWire Daily - The nominee in limbo.
Episode Date: June 17, 2026

President Trump halts a key intelligence nomination. The FBI warns of a new Microsoft 365 phishing threat. France cuts ties with Palantir. A new Android banking trojan emerges. Fortinet firewalls come under attack. CISA orders emergency Joomla patching. Plus, Madison Square Garden data leaks and malware hidden in Steam wallpapers. Our guest is Christy Wyatt, CEO from Absolute Security, discussing their new ebook. The DOJ claims pollution is mission-critical.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On today's Industry Voices we are joined by Christy Wyatt, CEO from Absolute Security, discussing their ebook. If you enjoyed this conversation, check out the full interview here.

Selected Reading
President Trump calls to delay nomination of intel pick Jay Clayton (NPR)
Warner warns of CISA cuts, staffing gaps in letter to acting chief (The Record)
French spies drop AI giant Palantir over US overreliance fears (The Local)
Rokarolla: Android Banker with Complete Device Takeover Capabilities (Zimperium)
FortiBleed: 75,000 Fortinet Firewalls Compromised: Global Enterprises Exposed – Claim Your Ethical Disclosure (InfoStealers)
CISA orders feds to patch max severity Joomla plugin flaw by Friday (Bleeping Computer)
Hackers Publish Knicks and Madison Square Garden Data Online (404 Media)
Gamers beware: malicious wallpapers on Steam found stealing accounts (Securelist)
DHS S&T Highlights New SPARTA Resources for Defending Spacecraft Against Cyberattacks (ExecutiveGov)
DOJ Lawyers Argue xAI Is 'Vital' for National Security in NAACP Lawsuit (WIRED)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey.
Transcript
You're listening to the CyberWire Network, powered by N2K.
President Trump halts a key intelligence nomination.
The FBI warns of a new Microsoft 365 phishing threat.
France cuts ties with Palantir. A new Android
banking trojan emerges. Fortinet firewalls come under attack. CISA orders emergency
Joomla patching, plus Madison Square Garden data leaks and malware hidden in Steam wallpapers.
Our guest is Christy Wyatt, CEO at Absolute Security, discussing their newest e-book.
And the DOJ claims pollution is mission critical.
It's Wednesday, June 17, 2026. I'm Dave Bittner, and this is your CyberWire
Intel Briefing.
Thanks for joining us here today.
It's great to have you with us.
President Trump has abruptly delayed the Senate confirmation process for Jay Clayton
as Director for National Intelligence, using the nomination to pressure lawmakers on two
separate priorities, the confirmation of another nominee, Jamie McDonald for U.S.
attorney, and the passage of a voting restrictions bill.
In an early morning Truth Social post,
Trump announced the cancellation of Clayton's scheduled Senate hearing and said acting intelligence
chief Bill Pulte would remain in the role until his demands are met. The move surprised lawmakers
because Clayton, currently the U.S. attorney for the Southern District of New York and former
Securities and Exchange Commission chair, appeared headed for a relatively smooth confirmation.
Senators had hoped to install him quickly to limit the tenure of Pulte, whose appointment has
drawn criticism due to his lack of intelligence experience and his history of publicly targeting
Trump's political opponents. Trump also wants reauthorization of FISA Section 702, a key U.S.
surveillance authority tied to the voting legislation. The dispute threatens both leadership
stability at the Office of the Director of National Intelligence and the future of an
important intelligence-gathering tool, while highlighting ongoing political battles over national
security and election-related issues.
Senator Mark Warner is raising concerns about the future of CISA, warning that staffing cuts,
leadership vacancies, and the loss of a key information sharing program could weaken the nation's
cyber defenses. In a letter to acting CISA director Nick Anderson, DHS leadership, and all 50 governors,
Warner argued that the agency has lost roughly one-third of its workforce,
including many senior officials,
while facing a proposed budget reduction of more than $700 million.
Warner said state and local officials, educators, law enforcement, and industry leaders
have reported reduced support and slower responsiveness from CISA.
He also criticized the shutdown of federal funding for the Multi-State Information Sharing and Analysis Center,
which helps protect state and local governments.
While Anderson has announced plans to hire more than 300 employees,
Warner is seeking detailed information about staffing levels, vacancies, service delivery,
and the agency's ability to support critical infrastructure nationwide.
France is cutting ties between its domestic intelligence agency and Palantir,
citing concerns about growing dependence on American technology.
Prime Minister Sébastien Lecornu announced that the DGSI will end its contract with the U.S. data analytics company as part of a broader push for digital sovereignty and a 655 million euro investment in French artificial intelligence.
The move follows the U.S. decision to restrict access to Anthropic's Fable AI model for non-American users,
a development French officials say highlights the risks of relying on foreign providers that can suddenly limit access.
Lecornu argued that France cannot afford strategic digital dependencies controlled by outside governments or companies.
The decision reflects a wider European trend toward reducing reliance on U.S. technology.
France is also replacing some Microsoft products with European alternatives, while officials in the U.K.
have raised similar concerns about Palantir contracts, warning that dependence on a small number
of American tech firms could create strategic vulnerabilities.
Researchers at Zimperium have identified a new Android banking trojan dubbed Rokarolla,
a highly sophisticated malware strain designed to steal credentials from 217 banking and
cryptocurrency applications. Distributed through malicious websites masquerading as legitimate ads,
such as TikTok or Google Chrome,
the malware uses a dropper to install a second-stage payload
while impersonating Google Play Protect.
Once installed, Rokarolla abuses Android accessibility services
and extensive permissions to gain deep control over infected devices.
The malware can steal lock screen PINs and passwords,
harvest SMS messages and contacts,
log keystrokes, intercept calls,
manipulate clipboard contents, and capture screenshots for remote surveillance.
It also deploys convincing overlays that mimic banking apps and Android lock screens
to trick users into surrendering credentials.
Researchers identified 137 commands that allow attackers to manage infected devices,
disable Google Play Protect, suppress alerts, and maintain persistence.
The malware communicates with resilient command and control infrastructure
that can dynamically switch domains, making detection and disruption more difficult
while enabling long-term financial fraud.
Researchers are warning about a massive campaign targeting Fortinet firewalls and VPN
gateways, with attackers reportedly compromising nearly 74,000 firewall URLs across 194
countries. Analysis by Hudson Rock and researcher Volodymyr Dechenko suggests the operation
relied on credential stuffing at enormous scale, testing leaked usernames and passwords against
exposed FortiGate devices. The attackers allegedly conducted more than a billion
login attempts and in some cases intercepted and cracked VPN authentication hashes
before moving deeper into corporate networks. The data set includes
more than 21,000 affected domains, and reportedly contains credentials linked to major enterprises,
government organizations, and critical infrastructure providers.
The findings underscore a familiar cybersecurity lesson.
Strong passwords provide little protection once credentials have been stolen or leaked.
Researchers recommend immediate password rotation, universal multi-factor authentication,
log reviews for suspicious access and monitoring for exposed credentials.
The campaign highlights how exposed gateways combined with recycled or compromised credentials
remain a highly effective path into enterprise networks.
CISA has ordered federal agencies to patch a critical vulnerability in the Joomla Content Editor plugin
by Friday after confirming active exploitation in the wild.
The flaw allows unauthenticated attackers to upload and execute malicious PHP code through improperly secured editor profiles.
The issue was fixed in a recent version, but developers warn that updating alone will not remove malware from already compromised systems.
CISA added the bug to its Known Exploited Vulnerabilities catalog and warned that public exploit code and automated attacks make unpatched Joomla sites
especially vulnerable.
Hackers associated with ShinyHunters have published nearly 45 gigabytes of data,
allegedly stolen from Madison Square Garden,
after the organization reportedly refused to pay a ransom.
A sample reviewed by 404 media includes customer communications,
contact details, and files referencing Knicks players, coaches, celebrities,
and other sports personalities.
The leak comes just days after the Knicks'
NBA Finals victory, increasing public attention on the incident.
ShinyHunters claims the breach occurred on June 5th and warned that organizations that do not
pay ransoms risk having their data exposed. Madison Square Garden has not publicly commented
on the latest data release. Kaspersky researchers have uncovered dozens of malicious wallpapers
distributed through Steam Workshop by abusing a feature in Wallpaper Engine
that allows users to run executable applications as desktop backgrounds.
Since late 2025, attackers have embedded malware, including DarkComet, Lumma, Vidar,
crypto miners, and ransomware loaders inside seemingly harmless wallpapers that have been downloaded
thousands of times. When activated, some wallpapers secretly install malware that steals
Steam credentials, hijacks active sessions, and communicates with attacker-controlled servers.
Researchers found attackers using both bundled malware files and password-protected archives
to evade detection. The campaign primarily targets gamers in China, which accounted for
89% of observed malicious downloads, though users in Russia and several other countries were
also affected. Steam has removed the identified wallpapers, but researchers warn that new malicious
uploads continue to appear, making antivirus scanning and caution essential when downloading
community-created content.
Maria Varmazis is host of the T-Minus Space Cyber podcast. She joins us with
news on an update to the SPARTA framework from the DHS S&T Directorate.
Thank you, Dave.
The Department of Homeland Security's Science and Technology Directorate is backing new efforts to strengthen cybersecurity across the space sector,
as satellites become increasingly critical to communications, navigation, and other infrastructure.
The DHS is working with the Aerospace Corporation to expand the Space Attack Research and Tactic Analysis, or SPARTA, framework,
which is the open source catalog of tactics, techniques, and procedures specifically targeting spacecraft.
The two DHS updates to SPARTA include a new set of behavioral indicators designed to help operators
detect attacks through unusual system activity rather than through traditional malware signatures.
The second update to SPARTA includes methods for prioritizing cybersecurity countermeasures
with the unique challenges of the space threat landscape in mind,
as they are based on effectiveness, mission deployment constraints, and mission lifecycle cost.
The DHS says that its contributions to SPARTA were partially motivated
by the 2022 cyber attack on the Viasat commercial satellite network
at the start of Russia's invasion of Ukraine,
and that the new resources aim to make advanced space cybersecurity practices
more accessible and to help operators build resilience against emerging threats.
An open source reference implementation of threat detection tools
is expected later this year.
For the CyberWire Daily, I'm Maria Varmazis from T-Minus Space Cyber Briefing.
Back to you, Dave.
Be sure to check out the T-Minus Space Cyber Briefing
podcast wherever you get your favorite shows.
Coming up after the break, my conversation with Christy Wyatt, CEO from Absolute Security,
we're discussing their latest e-book.
And the DOJ claims pollution is mission critical.
Stay with us.
Christy Wyatt is CEO at Absolute Security,
and in today's sponsored industry voices segment,
we discuss their latest e-book.
The big news that we've seen over the past 12 months
is clearly the introduction of AI.
We came from a world where, you know,
we continue to see escalating breaches
and new kinds of risk and novel attacks,
and ransomware was a very big conversation
for a long period of time.
Introducing AI into the conversation is just adding fuel to the fire.
The discussion today is, you know, are we resilient enough?
Have we invested enough?
Are we fast enough?
You know, do we understand enough?
And I think that's a big one, by the way.
Do we understand enough about how things have changed both for the positive and the negative
as a result of AI?
And all of this kind of comes back to and what is our overall resilience in the face of risk?
If something bad happened, would we be okay?
I mean, at the end of the day, that's what we're trying to answer for these boardrooms, right?
We're trying to demonstrate some investment and some knowledge and awareness and understanding
in response to the risk landscape that we're all living within today.
I think for years, security was kind of sold as a threat conversation.
We've got this bad thing.
We're trying to fight.
Here are some tools that maybe help us stop it.
I know you've argued that the boardroom has moved past that.
What are the boards asking of their security leaders now?
For a long time, and part of, by the way,
the board room response is a result of what we've been presenting.
As an industry, we've been talking about,
here is the long list of bad things that could happen.
And here are the investments we're making to prevent those bad things from happening.
And so we've very much focused as an industry in our conversations with one another,
as well as what we present to the board.
You know, have we invested enough?
And it's a little bit of thinking of it as, you know,
fraud prevention or financial risk, right? What is the acceptable
threshold of risk and are we investing enough to make sure that we're being responsible and
responding to that risk? I think that the conversation has shifted because we know that you
could spend infinitely on prevention and detection. I heard a very well regarded voice in cybersecurity
say the best way to become more resilient is to invest more in prevention and detection.
And the fact is that, you know, you could spend an infinite
amount on prevention and detection and visibility, it just takes one thing to get through. And so if you're
not equally invested in resilience, if you're not also talking about what should the response be when
the inevitable actually happens, something will come through, large or small. And have we rehearsed,
have we invested? Do we have the same level of visibility and what that response to that event would
be, not just and did we see it coming and, you know, should we pay the ransom or not?
I know you've been talking about this notion of the economics of downtime, that it's the downtime
and not necessarily the breach itself that is the real thing that we should be focused on here.
Can you unpack that for us?
Yeah, I started writing about this last year, and it's my belief that as an industry,
both as a practitioner as well as an active director, and I work
with a number of different companies, that our conversation,
you know, lots of us are technical.
And so we talk about KPIs that don't necessarily resonate
in the boardroom, right?
We want to talk about mean time to recover
and how many severity XYZs and have we remediated.
I mean, it's a very technical conversation.
And I believe that that actually focuses
the discussion on the wrong set of things.
Ultimately, at the end of the day,
this is a business conversation.
This is an economic conversation.
What we want to understand as a group of business owners is, you know, what is the risk,
you know, what is the cost to remediate that risk, you know, what is the service delivery
or the continuity of the business? How can we continue to take orders and pay people and continue
to operate, right? And what is the financial impact of all of those things? And so I think we do
ourselves a disservice if we make this a technical discussion, right? And we say the cyber guys,
want to talk about their cyber metrics.
What we're having is a business conversation.
If the house burned down, how would you continue to operate?
And so if instead of the house burning down, what we're talking about is, you know,
somebody clicked on the wrong thing or there's some novel new approach that AI happened
to be the vehicle for that does not make this an AI conversation, we're still having a business
conversation.
Well, let's go through these things one at a time.
I know you've made the point that there are four main things that boards care about.
there's risk, revenue, cost, and service delivery.
Can we start with risk?
How should a security leader talk about risk so that that resonates with the board?
You need to be able to talk about these in terms of the business impact, the dollar impact, right?
What is the revenue that would be impacted if this bad thing happened?
So I think if we redirect the discussion away from the number of vulnerabilities or
the number of systems and we focus on, you know, what is the actual cost and impact of us going down for an
hour or a day or a month? And what is the cause of that risk and how would we prevent that from
happening? So it's really about the metric and putting that metric back in business terms.
Can we talk about revenue? I think is it fair to say that that's an area that many security teams
probably don't really consider.
It's not top of mind for them.
It's top of mind for them
when they go to ask for funding
for their next program.
And then they're having a conversation
with the CFO.
And the CFO says,
haven't we spent enough?
Oh my gosh.
Look at how much more
we're spending this year
than we're spending last year.
And I do think there's an argument
for consolidation
and spending intelligently.
But I talk a lot about
this return on resilience concept
that says,
when you're making an investment like any other part of your business,
you should be asking yourself, what am I expecting in return?
And that should be a quantifiable financial value.
So if the cost of an hour of downtime or a day of not being able to conduct business
cost my business a million dollars, I'm just making it simple,
you know, the number of things that could impact that, you know,
and you can quantify, what is the probability and the size of the impact
that that kind of risk would have on your business,
then the investment to offset that is either logical or illogical, right?
It is a, you know, we can turn this into a math equation
or at least a little bit more of a business proposal
as opposed to the number of, the kinds of metrics we typically want to track
in those conversations in the more traditional cyber sense
are how many security applications do we have
and how many vulnerabilities and how many patches have we deployed.
I mean, these are not metrics that are going to land for the CFO or for the board director
who really doesn't need to become a cybersecurity expert.
What they want to understand is what is the risk and how's that going to impact my bottom line
and am I doing enough to respond to them?
Can we talk about AI here?
What is the application for agentic AI?
Is there such a thing about agentic cyber resilience?
AI is an amplifier to every part of this problem.
So it's absolutely going to be an amplifier of the risk
because you're seeing people use these tools
to create novel new ways to approach your system.
We collectively as an industry are increasingly using these tools
to further defend, whether it is remediate those attacks
or look for the vulnerabilities ourselves before the bad actors find them.
So AI is an amplifier of all of it.
But I think the critical risk that a lot of boards may not understand is that the real impact of that is in speed and in scale.
You know, patching vulnerabilities and having bad actors look for vulnerabilities or things that are broken in your environment is not new.
And it's been one of the most pervasive problems in our industry for well over a decade, several decades.
The new part is how quickly we can discover not just new vulnerabilities, but vulnerabilities that have been there for a very, very,
very long time using things like Mythos or some of these new frontier models, how quickly
people can chain these things together and come up with novel attacks. So you're not
addressing individual vulnerabilities. You're in an infinite number of combinations of how you string
these things together to compromise a system that you're trying to approach. So what that means is
that your, you know, Patch Tuesday is dead. You don't get to wait and sort of bundle up everything that
you've heard from all of your vendors and then tested and stay two versions behind
and figure all of the things we thought about how we maintain compliance kind of break.
And so that just means the speed and the velocity at which these new vulnerabilities
and these new approaches are coming at organizations is just unheard of.
And now they also have an equally powerful set of tools to be able to respond to that.
But the entire landscape has dramatically changed as a result of AI.
And so even if as a board you felt really comfortable with how you stacked up on compliance with NIST and how you stacked up on your response and you did your tabletop exercises, even if you feel like you get a gold star as an organization in being responsible and appropriate in how you think about risk, you kind of have to put it all back out at the table and say, now, does that scale and does that match the current velocity of what we're seeing in the industry?
What's your advice for that CISO who's walking into the board meeting on a Monday morning, ready to have that, you know, this year's conversation or this quarter's conversation? What sort of things should they be focused on?
The number one thing I would say walking into a boardroom is translate it into business impact. I think if you come in with really beautiful, well-defined charts and metrics around your cyber KPIs,
I think you run the risk of people not understanding the impact and being able to have the right
conversation. I think business leaders need to be having a robust conversation about what would
happen if the three critical systems we rely on stopped working tomorrow for whatever reason,
then what happens? And it's really about that resilience conversation. And so the way you can
help land that within that audience is really by translating into these business metrics that I
talked about. Talk about the risk. Talk about the cost against that risk and use, you know,
use metrics that are going to be meaningful. You know, the true impact on the business is downtime and the
impact it has to revenue.
That's Christy Wyatt, CEO at Absolute Security.
And finally, what began as a
dispute over air permits in Mississippi has evolved into a remarkably modern question. How many gas
turbines does it take to power national security?
The Department of Justice has entered the NAACP's lawsuit against Elon Musk's xAI, urging a court
to dismiss claims that the company is operating dozens of unpermitted natural gas turbines
at its Colossus 2 data center in Southaven. The NAACP argues the turbines violate the Clean
Air Act and increase pollution risks in communities that already
face significant health burdens.
The DOJ sees the matter differently.
According to court filings,
xAI's Grok model is one of only a handful of AI systems
supporting operations on classified government networks.
A Defense Department official said the technology supports
critical national security missions,
including recent military strikes against Iran,
and warned that shutting down the turbines
could disrupt those efforts.
Meanwhile, the numbers continue to grow.
The lawsuit originally cited 27 turbines.
Environmental advocates say records now show 57 operating at the site.
So the court is left weighing two competing concerns: local air quality, and the proposition that somewhere in Mississippi, a fleet of generators has become part of America's national security infrastructure.
That's not a sentence many people
expected to read just a few years ago.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire@n2k.com.
N2K's lead producer is Liz Stokes.
We're mixed by Tré Hester
with original music and sound design by Elliott Peltzman.
Our contributing host is Maria Varmazis.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
