CyberWire Daily - The people's AI?
Episode Date: July 2, 2026OpenAI considers an equity plan to share AI wealth with the public. Cisco confirms active exploitation of its unified CM platform. Researchers discover autonomous ransomware. The Vect ransomware opera...tion partners with TeamPCP. The FortiBleed credential-harvesting campaign is linked to ransomware attacks. Veil#Drop stealthily deploys the PureLog Stealer. Scammers target small businesses with fake law enforcement emails. Apple’s Hide My Email feature…doesn’t. An alleged Scattered Spider member is extradited to the United States. Our guest is Ben Yelin, Dave's Caveat cohost, on the Supreme Court’s geofence warrants ruling. Microsoft’s quantum claims leave physicists in two states at once. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Ben Yelin from University of Maryland Center for Cyber Health and Hazard Strategies discussing the Supreme Court ruling on geofence warrants. If you enjoyed this conversation, you can check out Ben on Caveat. Selected Reading OpenAI in talks to give Trump administration a 5% stake in the company, FT reports (CNN Business) Cisco finally confirms attackers exploiting Unified CM flaw (Bleeping Computer) Sysdig Details JADEPUFFER, the First Documented Agentic Ransomware Operation (HackRead) Vect and TeamPCP partner for ransomware campaigns (Sophos) FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks (SecurityWeek) VEIL#DROP: Blogspot-Hosted PowerShell Loader (Secureonix) Fake Interpol investigation emails target small businesses with ransomware (Bitdefender) Apple ‘Hide My Email’ Vulnerability Reveals Peoples’ Real Email Addresses (404 Media) Alleged Member of Criminal Cyber Hacking Group “Scattered Spider” Arrested in Finland and Extradited to the United States (U.S. Department of Justice, Office of Public Affairs) Is there a new quantum processor or is Microsoft lying? (Mathew Ingram) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
If you are heading to Blackhead USA this year, make plans to visit the SpectorOps Kennel Club.
As the creators of Bloodhound, the SpectorOps team will host talks, workshops, and hands-on sessions aimed at helping you understand AI accelerated attack paths, the latest identity tradecraft, and how to build your own OpenGraph collector.
Visit specterops.io to pre-register and learn more.
While you're at the SpectorOps Kennel Club, visit the N2K Cyberwire podcast studio,
where we'll be capturing expert perspectives and conversations from across Black Hat.
We'll see you there.
This episode is supported by Black Hat USA.
If you follow the research, you know a lot of it breaks on Black Hat stages.
Hundreds of peer-reviewed briefings, more than 100 hands-on trainings,
and the largest business hall in Black Hat's history.
Six days to learn the skills you'll need tomorrow.
August 1st to the 6th.
Use code Cyberwire for $200 off your briefings pass at blackhat.com.
We'll see you in Vegas.
OpenAI considers an equity plan to share AI wealth with the public.
Cisco confirms active exploitation of its unified CM platform.
Researchers discover autonomous ransomware.
The Vect Ransomware operation partners with Team PCP.
The for-to-bleed credential harvesting campaign is linked to ransomware attacks.
Veil drop stealthily deploys the Pure Log Steeler.
Scammers target small businesses with fake law enforcement emails.
Apples hide my email feature.
Doesn't.
An alleged scattered spider member is extradited to the United States.
Our guest is Ben Yellen, my caveat co-host, on the Supreme Court's Geofense Warrants' ruling.
And Microsoft's quantum claims leave physicists in two states at once.
It's Thursday, July 2, 26.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It's great as always to have you with us.
OpenAI is reportedly considering a proposal that would give the Trump administration
a 5% stake in the company, according to the financial times.
The idea is part of Earth.
discussions that could see other leading U.S. artificial intelligence companies offer similar
stakes to the government. OpenAI CEO Sam Altman has argued that the arrangement would let the public
share in the financial gains from AI as the technology reshapes the economy. The talks come as the White
House increases oversight of advanced AI models and weighs closer partnerships with the industry.
Any agreement would likely require congressional approval.
The proposal also comes as OpenAI and rival Anthropic prepare for potential public stock offerings,
and as the administration continues to prioritize U.S. leadership in artificial intelligence.
Cisco has confirmed that attackers are actively exploiting a recently patched vulnerability
in its unified communications manager or unified CM platform that manages Cisco IP telephony systems.
The flaw is a server-side request forgery vulnerability that can be exploited remotely without authentication
by sending a crafted HTTP request. Cisco initially said it had seen proof-of-concept exploit code
but no evidence of attacks. That changed after security researchers documented active exploits.
and publish technical details.
Cisco now urges customers to upgrade to fixed software releases immediately or disable the
vulnerable web dialer service until patches can be applied.
More than 200 internet-facing unified CM systems remain exposed, according to Shadow's server,
increasing the risk of compromise.
Security researchers at SISDIG say they have documented what they believe is the first
known ransomware attack carried out autonomously by an AI agent. The operation dubbed Jade Puffer,
exposed a critical vulnerability in an exposed Langflow server to gain initial access,
harvest credentials, and move laterally to a production database. Researchers say the AI agent adapted
to a failed attempt to create an administrator account, corrected its own mistake within 31 seconds,
and continued the attack without human intervention.
It then encrypted more than 1,300 NACOS configuration records,
deleted key database tables, and left a ransom demand.
Sistig says the case highlights how AI agents could dramatically accelerate attacks
by exploiting known vulnerabilities,
reinforcing the need for prompt patching, credential protection, and continuous monitoring.
Researchers at SOFOS's,
counter-threat unit have detailed a partnership between the Vect Ransomware as a service operation
and Team PCP, a threat group known for large-scale credential theft and software supply chain attacks.
Announced in March 26, the Alliance combines Team PCP's ability to compromise trusted software
and steal credentials with VEX ransomware deployment infrastructure.
Team PCP has been linked to attacks targeting widely used developer tools, including Trivi,
checkmarks, light LLM, and the Telnix Python SDK, allowing attackers to harvest credentials
and spread malware through legitimate software updates.
Researchers say the partnership creates a direct pipeline from supply chain compromise to
ransomware deployment, lowering barriers for affiliates.
They recommend organizations' inventory, open-sortization.
dependencies, verify software updates before deployment, and avoid assuming ransomware payments will
guarantee successful data recovery because of flaws in VEX encryption.
Researchers at SOC radar say the Fortebleed credential harvesting campaign is now directly linked
to ransomware attacks involving the Inc. Ransom and Links groups.
Since at least February, attackers have targeted hundreds of thousands.
of Forta Gate firewalls, stealing an estimated 110 million credentials.
Investigators observed attackers gaining administrative access to hundreds of organizations,
compromising VPNs and domain controllers before deploying ransomware in at least 12 confirmed cases.
Sok Radar says evidence from the attacker's own infrastructure indicates the same operators behind
Fortebleed are also involved in ransomware operations, demonstrating how stolen,
and credentials are being rapidly monetized through extortion.
Researchers at Securonics have identified VeilDrop, a sophisticated multi-stage malware delivery
framework designed to deploy the pure log stealer while leaving minimal forensic evidence.
The campaign begins with a JavaScript file disguised as a document, which launches PowerShell
to retrieve additional payloads from attacker-controlled blog spot pages,
leveraging Google's trusted infrastructure to evade detection.
The framework uses multiple layers of obfuscation, in-memory execution,
reflective dot-net loading, and trusted Microsoft utilities,
known as Living Off the Land Bineries,
to avoid writing malware to disk and bypass security controls.
Once deployed, pure log stealer harvest browser credentials,
cookies, auto-fill data, cryptocurrency wallet information,
and system details.
Researchers say the campaign's combination of fileless execution,
cloud-hosted infrastructure, and trusted tools
makes it particularly difficult for traditional security products to detect.
Researchers at Bit Defender have identified a fishing campaign
targeting small businesses with fake law enforcement emails designed to deliver malware.
The messages which impersonate Interpol claim to contain
evidence of suspicious company activity and direct recipients to a password-protected archive
hosted on proton drive. The supposed evidence is actually a ransomware payload disguised as a
video file. Researchers say the malware is relatively simple and does not appear to be linked to a major
ransomware as a service operation, instead relying on convincing social engineering to trick victims
into infecting themselves. Organizations across Europe, Asia, the Middle East, and the United States
have been targeted. The campaign highlights that even unsophisticated ransomware can be highly
effective when combined with fear, urgency, and trusted branding.
A security researcher says a flaw in Apple's hide-my-email feature can reveal users' real email
addresses, undermining a privacy tool designed to keep them anonymous.
Tyler Murphy, co-founder of Easy Opt-outs, reported the issue to Apple more than a year ago
and says it remains exploitable despite repeated assurances that a fix was in progress.
Tests by 404 media confirmed the vulnerability could expose the email address tied to an Apple
account. Murphy warns the flaw could put users at risk because exposed email addresses
can often be linked to personal information through public records.
Apple has acknowledged the issue and says it plans to address it in a future security update,
but has not publicly explained the delay.
An alleged member of the Scattered Spider's Cybercrime Group
has been extradited from Finland to the United States
to face federal charges related to hacking, fraud, and computer intrusion.
Prosecutors allege that 19-year-old Peter Stub,
Stokes, a dual U.S. and Estonian citizen, was part of a group behind more than 100 network
intrusions that generated over $100 million in ransom payments and caused millions more in
damages. According to the criminal complaint, Stokes helped target a luxury jewelry retailer
in 2025, stealing data and demanding roughly $8 million in cryptocurrency, although no ransom was paid.
U.S. officials say the case demonstrates ongoing international cooperation to identify, arrest,
and prosecute cybercriminals operating across national borders.
Coming up after the break, my conversation with my caveat co-host Ben Yellen on the Supreme Court's Geofense Warrant's ruling,
and Microsoft's quantum claims leave physicists in two states at once.
Stay with us.
It is always my pleasure to welcome back to the show.
Ben Yellen. He is from the University of Maryland Center for Cyber Health and Hazard Strategies,
but more importantly than that, he is my co-host on the caveat podcast. Hey, Ben, welcome back.
Good to be with you again, Dave. We got a big one, Ben. Oh, this is a huge one.
The Supreme Court ruling privacy, geofence warrants, unpack it for us. What's going on here?
This is a major groundbreaking case, Chattree versus the United States. It's a geofence warrant case.
Just a brief background. Chatree was accused of robbing a bank.
Virginia, the government went to Google and tried to get data about who was in the area when this
crime was committed.
It was a three-step process.
They obtained this warrant from a magistrate judge, first to get all of the anonymized devices
that were in the area as a second step to take a subset of those and figure out where those
devices were than an hour or two of the robbery taking place, and then the third step was
de-anonymizing the data. Chatri was identified as the suspect. He was prosecuted and convicted,
and he appeals saying that this was an unconstitutional Fourth Amendment search. The appeals court
at the Fourth Circuit Court of Appeals had a really hard time settling on a decision in this case. They all
agreed basically that Chattree himself was screwed. He wasn't getting out of prison because no matter
what we think about geoffence warrants,
law enforcement was acting with good faith
when they made this application
to the magistrate judge
to get this data from Google.
Okay.
But there was a disagreement
about whether these geofence warrants
are an unconstitutional search
under the Fourth Amendment to the United States
and on whether, if it was a search,
the warrant passed constitutional muster.
So the Supreme Court weighed in
on one of those questions
in a groundbreaking decision yesterday,
they said that this is a Fourth Amendment search,
and therefore a warrant based on probable cause
and a particularized warrant is required in these types of cases.
It was a decision authored by Justice Kagan.
She was joined with the two other liberals on the court,
Justice Jackson and Justice Sotomayor,
as well as the Chief Justice and Justice Kavanaugh.
The crux of the opinion is that a person has a reasonable expectation
of privacy in their location data that they share with Google.
Every time we use a Google application for the first time,
we get that little pop-up saying,
do you affirmatively agree to use location services?
It's really going to improve your in-app experience, et cetera.
We agree to that.
But despite that kind of voluntary action that we take,
Justice Kagan's opinion says that we should still have an expectation
that that information should be private.
The reason is because that information,
just like historical cell site location information,
which was at issue in Carpenter,
is revealing, it's broad, it's deep,
and it's part of the modern technological landscape
that we all rely on
to conduct the normal affairs of our lives.
That we need, just to enjoy the basic functionality of smartphones,
we need to enable these location services.
We'd be leaving ourselves out of a lot of important interaction in our daily lives
if we had to forfeit the ability to use these services.
Therefore, people should have an expectation that when, for the limited purpose of
improving the scope and functionality of their applications, we give our location to Google,
that when we do that, we have an expectation that information is going to remain private.
And because the Supreme Court's test for whether there has or has not been a Fourth Amendment search bears on this question of a person's expectation of privacy, the Supreme Court here has decided that, yes, this is a Fourth Amendment search.
They did not weigh in on a separate question about whether the warrant here was proper. A couple of the liberal justices, justices Jackson and Sotomayor in a concurring opinion opined that they thought that this warrant was defective because,
it was not properly particularized, nor was it properly based on probable cause.
But that wasn't controlling here.
The majority did not weigh in on that question.
So what happens now?
We have this decision.
How does this affect everyday folks as well as the technology companies and law enforcement as well?
I think this is going to have a huge impact.
Just like Carpenter changed the landscape in terms of digital privacy law,
I think this is taking the Carpenter decision.
doubling down on it and extending it in some important aspects. I think from the user's perspective,
they have an expectation of privacy and a lot of information that they turn over to third-party technology
companies because of the nature of that data. Because it is so personal, because it could reveal
private information, private details about a person's life, and because it's not really in any
proper parlance voluntary, just because it's turned over to a third party doesn't mean we're
forfeiting our expectation of privacy. So people should feel a greater degree of privacy and
constitutional protection in that type of revealing information. And that really changes the balance
between law enforcement's interest in going to these companies and demanding this data
versus our concept of privacy.
And so I think people enjoy a degree of privacy in this data.
We'll see what the full implications are
as we get more cases related to Chattray
and that are decided under the rubric of Chattree.
But just from a broader sense,
I think we enjoy a greater degree of protection
in a certain kind of revealing data
than we did yesterday
prior to this decision being handed down.
From the tech company,
perspective, Google had already discontinued
complying with geofence warrants. They previously
held the data needed to comply with those warrants in the cloud.
That data is now held on the device.
So from Google's perspective, at least at this point, it's kind of a moot
question. They've already changed their practices.
But I think for other companies, they have to recognize
that there's been a cultural shift here, that they're not
going to instinctively respond
to law enforcement inquiries by handing over batches of information.
I think they're going to express more concern that the information they retain is so revealing
that it might require a judicial process, a warrant based on probable cause that's particularized,
and that might inspire these companies to be more exacting about which data they choose to
hand over to law enforcement.
So I think those are the biggest immediate potential impacts.
Like I said, a lot of it is going to depend on how lower.
courts interpret this decision, starting with the Fourth Circuit who's been tasked with trying to
figure out in the Chattree case itself, was this warrant defective? Was it properly particularized
to Chattray? Was it vague and overbroad? And did they actually have probable cause to issue the
warrant in the first place? So those are unanswered questions. We'll have to get those questions
answered first, but certainly I think this signals the sea change from the Supreme Court. I think it
means they take digital privacy very seriously. It builds on Carpenter, which is significant,
not just because Carpenter itself is a groundbreaking decision, but because one of the five justices,
who is part of the majority on Carpenter, is no longer on the court. That's Ruth Bader Ginsburg.
So it was unclear whether the reasoning in Carpenter was held by a current majority on the Supreme
Court, and now we know that it is. Well, there's much more to this. And,
Ben and I dig into many of the details over on the caveat podcast.
So please do check that out.
You can find that on our website or wherever you get your podcasts.
Ben Yellen from the University of Maryland Center for Cyber Health and Hazard Strategies.
Thanks so much for being with us.
Thank you, Dave.
And finally, Microsoft's latest quantum computing announcement has sparked as much skepticism as excitement.
The company claims its new Majorana-based quantum process,
is a thousand times more reliable than its predecessor,
despite the fact that the elusive Mejorana particle remains theoretical
and has never been conclusively observed.
Microsoft argues its topological approach could produce more stable qubits,
a long-standing challenge in quantum computing.
Critics, however, say the company's evidence falls well short.
Several physicists have questioned the underlying research,
pointing to a retracted 2018 paper, disputing testing methods, and a lack of publicly available data.
Some have gone so far as to accuse Microsoft of overstating or even misrepresenting its progress.
For now, the debate resembles Schrodinger's breakthrough,
either a revolutionary advance in quantum computing,
or an extraordinarily expensive exercise in wishful thinking,
with independent verification still pending.
And that's the Cyberwire.
For links to all of today's stories, check at our daily briefing at thecyberwire.com.
Our team will be observing the Independence Day holiday and the 250th anniversary of the United States on Friday and Saturday.
In place of our regular programming on Friday, we're sharing the next installment on our 10th anniversary conversations.
Maria Vermazas and I talk about the vulnerabilities, zero days, and hardware flaws over the past decade.
On Saturday, in place of our usual research Saturday,
we're sharing an episode of a newer show on our network,
AI Security Brief, by our partners at Trend AI,
with hosts Dustin Childs and Johnny Hand.
We hope you enjoy the programming
and have a happy and safe holiday weekend
and happy birthday, USA.
And of course, don't forget to check out
the T-minus Space Cyber Podcast.
Host Maria Vermazas has this preview.
And hi, Maria Vermazes here.
On Sunday's T-minus space cyber briefing, it's my interview with OREA space CEO, Damian DePippa,
where we discussed the evolution of space programs from exquisite one-off missions to an increasingly
commercialized and fragmented ecosystem, needing interoperability and cyber resilience.
That's Sunday on T-minus. Don't miss it.
You can find the T-minus Space Cyber Podcast wherever you get your favorite podcasts.
Check it out.
We'd love to know what do you think of this podcast.
Your feedback ensures we...
deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com.
N2K's lead producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound designed by Elliot Peltzman.
Our contributing host is Maria Vermazas.
Our executive producer is Jennifer Ibin.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
