CyberWire Daily - The people's AI?

Episode Date: July 2, 2026

OpenAI considers an equity plan to share AI wealth with the public. Cisco confirms active exploitation of its unified CM platform. Researchers discover autonomous ransomware. The Vect ransomware opera...tion partners with TeamPCP. The FortiBleed credential-harvesting campaign is linked to ransomware attacks. Veil#Drop stealthily deploys the PureLog Stealer. Scammers target small businesses with fake law enforcement emails. Apple’s Hide My Email feature…doesn’t. An alleged Scattered Spider member is extradited to the United States. Our guest is Ben Yelin, Dave's Caveat cohost, on the Supreme Court’s geofence warrants ruling. Microsoft’s quantum claims leave physicists in two states at once. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Ben Yelin from University of Maryland Center for Cyber Health and Hazard Strategies discussing the Supreme Court ruling on geofence warrants. If you enjoyed this conversation, you can check out Ben on Caveat. Selected Reading OpenAI in talks to give Trump administration a 5% stake in the company, FT reports (CNN Business) Cisco finally confirms attackers exploiting Unified CM flaw (Bleeping Computer) Sysdig Details JADEPUFFER, the First Documented Agentic Ransomware Operation (HackRead) Vect and TeamPCP partner for ransomware campaigns (Sophos) FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks (SecurityWeek) VEIL#DROP: Blogspot-Hosted PowerShell Loader (Secureonix) Fake Interpol investigation emails target small businesses with ransomware (Bitdefender) Apple ‘Hide My Email’ Vulnerability Reveals Peoples’ Real Email Addresses (404 Media) Alleged Member of Criminal Cyber Hacking Group “Scattered Spider” Arrested in Finland and Extradited to the United States (U.S. Department of Justice, Office of Public Affairs) Is there a new quantum processor or is Microsoft lying? (Mathew Ingram) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Discussion (0)
Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. If you are heading to Blackhead USA this year, make plans to visit the SpectorOps Kennel Club. As the creators of Bloodhound, the SpectorOps team will host talks, workshops, and hands-on sessions aimed at helping you understand AI accelerated attack paths, the latest identity tradecraft, and how to build your own OpenGraph collector. Visit specterops.io to pre-register and learn more. While you're at the SpectorOps Kennel Club, visit the N2K Cyberwire podcast studio, where we'll be capturing expert perspectives and conversations from across Black Hat. We'll see you there. This episode is supported by Black Hat USA.
Starting point is 00:01:02 If you follow the research, you know a lot of it breaks on Black Hat stages. Hundreds of peer-reviewed briefings, more than 100 hands-on trainings, and the largest business hall in Black Hat's history. Six days to learn the skills you'll need tomorrow. August 1st to the 6th. Use code Cyberwire for $200 off your briefings pass at blackhat.com. We'll see you in Vegas. OpenAI considers an equity plan to share AI wealth with the public.
Starting point is 00:01:45 Cisco confirms active exploitation of its unified CM platform. Researchers discover autonomous ransomware. The Vect Ransomware operation partners with Team PCP. The for-to-bleed credential harvesting campaign is linked to ransomware attacks. Veil drop stealthily deploys the Pure Log Steeler. Scammers target small businesses with fake law enforcement emails. Apples hide my email feature. Doesn't.
Starting point is 00:02:12 An alleged scattered spider member is extradited to the United States. Our guest is Ben Yellen, my caveat co-host, on the Supreme Court's Geofense Warrants' ruling. And Microsoft's quantum claims leave physicists in two states at once. It's Thursday, July 2, 26. I'm Dave Bittner, and this is your Cyberwire Intel briefing. Thanks for joining us here today. It's great as always to have you with us. OpenAI is reportedly considering a proposal that would give the Trump administration
Starting point is 00:03:07 a 5% stake in the company, according to the financial times. The idea is part of Earth. discussions that could see other leading U.S. artificial intelligence companies offer similar stakes to the government. OpenAI CEO Sam Altman has argued that the arrangement would let the public share in the financial gains from AI as the technology reshapes the economy. The talks come as the White House increases oversight of advanced AI models and weighs closer partnerships with the industry. Any agreement would likely require congressional approval. The proposal also comes as OpenAI and rival Anthropic prepare for potential public stock offerings,
Starting point is 00:03:52 and as the administration continues to prioritize U.S. leadership in artificial intelligence. Cisco has confirmed that attackers are actively exploiting a recently patched vulnerability in its unified communications manager or unified CM platform that manages Cisco IP telephony systems. The flaw is a server-side request forgery vulnerability that can be exploited remotely without authentication by sending a crafted HTTP request. Cisco initially said it had seen proof-of-concept exploit code but no evidence of attacks. That changed after security researchers documented active exploits. and publish technical details. Cisco now urges customers to upgrade to fixed software releases immediately or disable the
Starting point is 00:04:44 vulnerable web dialer service until patches can be applied. More than 200 internet-facing unified CM systems remain exposed, according to Shadow's server, increasing the risk of compromise. Security researchers at SISDIG say they have documented what they believe is the first known ransomware attack carried out autonomously by an AI agent. The operation dubbed Jade Puffer, exposed a critical vulnerability in an exposed Langflow server to gain initial access, harvest credentials, and move laterally to a production database. Researchers say the AI agent adapted to a failed attempt to create an administrator account, corrected its own mistake within 31 seconds,
Starting point is 00:05:31 and continued the attack without human intervention. It then encrypted more than 1,300 NACOS configuration records, deleted key database tables, and left a ransom demand. Sistig says the case highlights how AI agents could dramatically accelerate attacks by exploiting known vulnerabilities, reinforcing the need for prompt patching, credential protection, and continuous monitoring. Researchers at SOFOS's, counter-threat unit have detailed a partnership between the Vect Ransomware as a service operation
Starting point is 00:06:07 and Team PCP, a threat group known for large-scale credential theft and software supply chain attacks. Announced in March 26, the Alliance combines Team PCP's ability to compromise trusted software and steal credentials with VEX ransomware deployment infrastructure. Team PCP has been linked to attacks targeting widely used developer tools, including Trivi, checkmarks, light LLM, and the Telnix Python SDK, allowing attackers to harvest credentials and spread malware through legitimate software updates. Researchers say the partnership creates a direct pipeline from supply chain compromise to ransomware deployment, lowering barriers for affiliates.
Starting point is 00:06:53 They recommend organizations' inventory, open-sortization. dependencies, verify software updates before deployment, and avoid assuming ransomware payments will guarantee successful data recovery because of flaws in VEX encryption. Researchers at SOC radar say the Fortebleed credential harvesting campaign is now directly linked to ransomware attacks involving the Inc. Ransom and Links groups. Since at least February, attackers have targeted hundreds of thousands. of Forta Gate firewalls, stealing an estimated 110 million credentials. Investigators observed attackers gaining administrative access to hundreds of organizations,
Starting point is 00:07:38 compromising VPNs and domain controllers before deploying ransomware in at least 12 confirmed cases. Sok Radar says evidence from the attacker's own infrastructure indicates the same operators behind Fortebleed are also involved in ransomware operations, demonstrating how stolen, and credentials are being rapidly monetized through extortion. Researchers at Securonics have identified VeilDrop, a sophisticated multi-stage malware delivery framework designed to deploy the pure log stealer while leaving minimal forensic evidence. The campaign begins with a JavaScript file disguised as a document, which launches PowerShell to retrieve additional payloads from attacker-controlled blog spot pages,
Starting point is 00:08:27 leveraging Google's trusted infrastructure to evade detection. The framework uses multiple layers of obfuscation, in-memory execution, reflective dot-net loading, and trusted Microsoft utilities, known as Living Off the Land Bineries, to avoid writing malware to disk and bypass security controls. Once deployed, pure log stealer harvest browser credentials, cookies, auto-fill data, cryptocurrency wallet information, and system details.
Starting point is 00:08:58 Researchers say the campaign's combination of fileless execution, cloud-hosted infrastructure, and trusted tools makes it particularly difficult for traditional security products to detect. Researchers at Bit Defender have identified a fishing campaign targeting small businesses with fake law enforcement emails designed to deliver malware. The messages which impersonate Interpol claim to contain evidence of suspicious company activity and direct recipients to a password-protected archive hosted on proton drive. The supposed evidence is actually a ransomware payload disguised as a
Starting point is 00:09:38 video file. Researchers say the malware is relatively simple and does not appear to be linked to a major ransomware as a service operation, instead relying on convincing social engineering to trick victims into infecting themselves. Organizations across Europe, Asia, the Middle East, and the United States have been targeted. The campaign highlights that even unsophisticated ransomware can be highly effective when combined with fear, urgency, and trusted branding. A security researcher says a flaw in Apple's hide-my-email feature can reveal users' real email addresses, undermining a privacy tool designed to keep them anonymous. Tyler Murphy, co-founder of Easy Opt-outs, reported the issue to Apple more than a year ago
Starting point is 00:10:29 and says it remains exploitable despite repeated assurances that a fix was in progress. Tests by 404 media confirmed the vulnerability could expose the email address tied to an Apple account. Murphy warns the flaw could put users at risk because exposed email addresses can often be linked to personal information through public records. Apple has acknowledged the issue and says it plans to address it in a future security update, but has not publicly explained the delay. An alleged member of the Scattered Spider's Cybercrime Group has been extradited from Finland to the United States
Starting point is 00:11:08 to face federal charges related to hacking, fraud, and computer intrusion. Prosecutors allege that 19-year-old Peter Stub, Stokes, a dual U.S. and Estonian citizen, was part of a group behind more than 100 network intrusions that generated over $100 million in ransom payments and caused millions more in damages. According to the criminal complaint, Stokes helped target a luxury jewelry retailer in 2025, stealing data and demanding roughly $8 million in cryptocurrency, although no ransom was paid. U.S. officials say the case demonstrates ongoing international cooperation to identify, arrest, and prosecute cybercriminals operating across national borders.
Starting point is 00:11:57 Coming up after the break, my conversation with my caveat co-host Ben Yellen on the Supreme Court's Geofense Warrant's ruling, and Microsoft's quantum claims leave physicists in two states at once. Stay with us. It is always my pleasure to welcome back to the show. Ben Yellen. He is from the University of Maryland Center for Cyber Health and Hazard Strategies, but more importantly than that, he is my co-host on the caveat podcast. Hey, Ben, welcome back. Good to be with you again, Dave. We got a big one, Ben. Oh, this is a huge one. The Supreme Court ruling privacy, geofence warrants, unpack it for us. What's going on here?
Starting point is 00:12:56 This is a major groundbreaking case, Chattree versus the United States. It's a geofence warrant case. Just a brief background. Chatree was accused of robbing a bank. Virginia, the government went to Google and tried to get data about who was in the area when this crime was committed. It was a three-step process. They obtained this warrant from a magistrate judge, first to get all of the anonymized devices that were in the area as a second step to take a subset of those and figure out where those devices were than an hour or two of the robbery taking place, and then the third step was
Starting point is 00:13:34 de-anonymizing the data. Chatri was identified as the suspect. He was prosecuted and convicted, and he appeals saying that this was an unconstitutional Fourth Amendment search. The appeals court at the Fourth Circuit Court of Appeals had a really hard time settling on a decision in this case. They all agreed basically that Chattree himself was screwed. He wasn't getting out of prison because no matter what we think about geoffence warrants, law enforcement was acting with good faith when they made this application to the magistrate judge
Starting point is 00:14:10 to get this data from Google. Okay. But there was a disagreement about whether these geofence warrants are an unconstitutional search under the Fourth Amendment to the United States and on whether, if it was a search, the warrant passed constitutional muster.
Starting point is 00:14:27 So the Supreme Court weighed in on one of those questions in a groundbreaking decision yesterday, they said that this is a Fourth Amendment search, and therefore a warrant based on probable cause and a particularized warrant is required in these types of cases. It was a decision authored by Justice Kagan. She was joined with the two other liberals on the court,
Starting point is 00:14:50 Justice Jackson and Justice Sotomayor, as well as the Chief Justice and Justice Kavanaugh. The crux of the opinion is that a person has a reasonable expectation of privacy in their location data that they share with Google. Every time we use a Google application for the first time, we get that little pop-up saying, do you affirmatively agree to use location services? It's really going to improve your in-app experience, et cetera.
Starting point is 00:15:19 We agree to that. But despite that kind of voluntary action that we take, Justice Kagan's opinion says that we should still have an expectation that that information should be private. The reason is because that information, just like historical cell site location information, which was at issue in Carpenter, is revealing, it's broad, it's deep,
Starting point is 00:15:41 and it's part of the modern technological landscape that we all rely on to conduct the normal affairs of our lives. That we need, just to enjoy the basic functionality of smartphones, we need to enable these location services. We'd be leaving ourselves out of a lot of important interaction in our daily lives if we had to forfeit the ability to use these services. Therefore, people should have an expectation that when, for the limited purpose of
Starting point is 00:16:16 improving the scope and functionality of their applications, we give our location to Google, that when we do that, we have an expectation that information is going to remain private. And because the Supreme Court's test for whether there has or has not been a Fourth Amendment search bears on this question of a person's expectation of privacy, the Supreme Court here has decided that, yes, this is a Fourth Amendment search. They did not weigh in on a separate question about whether the warrant here was proper. A couple of the liberal justices, justices Jackson and Sotomayor in a concurring opinion opined that they thought that this warrant was defective because, it was not properly particularized, nor was it properly based on probable cause. But that wasn't controlling here. The majority did not weigh in on that question. So what happens now?
Starting point is 00:17:08 We have this decision. How does this affect everyday folks as well as the technology companies and law enforcement as well? I think this is going to have a huge impact. Just like Carpenter changed the landscape in terms of digital privacy law, I think this is taking the Carpenter decision. doubling down on it and extending it in some important aspects. I think from the user's perspective, they have an expectation of privacy and a lot of information that they turn over to third-party technology companies because of the nature of that data. Because it is so personal, because it could reveal
Starting point is 00:17:46 private information, private details about a person's life, and because it's not really in any proper parlance voluntary, just because it's turned over to a third party doesn't mean we're forfeiting our expectation of privacy. So people should feel a greater degree of privacy and constitutional protection in that type of revealing information. And that really changes the balance between law enforcement's interest in going to these companies and demanding this data versus our concept of privacy. And so I think people enjoy a degree of privacy in this data. We'll see what the full implications are
Starting point is 00:18:31 as we get more cases related to Chattray and that are decided under the rubric of Chattree. But just from a broader sense, I think we enjoy a greater degree of protection in a certain kind of revealing data than we did yesterday prior to this decision being handed down. From the tech company,
Starting point is 00:18:50 perspective, Google had already discontinued complying with geofence warrants. They previously held the data needed to comply with those warrants in the cloud. That data is now held on the device. So from Google's perspective, at least at this point, it's kind of a moot question. They've already changed their practices. But I think for other companies, they have to recognize that there's been a cultural shift here, that they're not
Starting point is 00:19:16 going to instinctively respond to law enforcement inquiries by handing over batches of information. I think they're going to express more concern that the information they retain is so revealing that it might require a judicial process, a warrant based on probable cause that's particularized, and that might inspire these companies to be more exacting about which data they choose to hand over to law enforcement. So I think those are the biggest immediate potential impacts. Like I said, a lot of it is going to depend on how lower.
Starting point is 00:19:50 courts interpret this decision, starting with the Fourth Circuit who's been tasked with trying to figure out in the Chattree case itself, was this warrant defective? Was it properly particularized to Chattray? Was it vague and overbroad? And did they actually have probable cause to issue the warrant in the first place? So those are unanswered questions. We'll have to get those questions answered first, but certainly I think this signals the sea change from the Supreme Court. I think it means they take digital privacy very seriously. It builds on Carpenter, which is significant, not just because Carpenter itself is a groundbreaking decision, but because one of the five justices, who is part of the majority on Carpenter, is no longer on the court. That's Ruth Bader Ginsburg.
Starting point is 00:20:38 So it was unclear whether the reasoning in Carpenter was held by a current majority on the Supreme Court, and now we know that it is. Well, there's much more to this. And, Ben and I dig into many of the details over on the caveat podcast. So please do check that out. You can find that on our website or wherever you get your podcasts. Ben Yellen from the University of Maryland Center for Cyber Health and Hazard Strategies. Thanks so much for being with us. Thank you, Dave.
Starting point is 00:21:24 And finally, Microsoft's latest quantum computing announcement has sparked as much skepticism as excitement. The company claims its new Majorana-based quantum process, is a thousand times more reliable than its predecessor, despite the fact that the elusive Mejorana particle remains theoretical and has never been conclusively observed. Microsoft argues its topological approach could produce more stable qubits, a long-standing challenge in quantum computing. Critics, however, say the company's evidence falls well short.
Starting point is 00:22:02 Several physicists have questioned the underlying research, pointing to a retracted 2018 paper, disputing testing methods, and a lack of publicly available data. Some have gone so far as to accuse Microsoft of overstating or even misrepresenting its progress. For now, the debate resembles Schrodinger's breakthrough, either a revolutionary advance in quantum computing, or an extraordinarily expensive exercise in wishful thinking, with independent verification still pending. And that's the Cyberwire.
Starting point is 00:22:45 For links to all of today's stories, check at our daily briefing at thecyberwire.com. Our team will be observing the Independence Day holiday and the 250th anniversary of the United States on Friday and Saturday. In place of our regular programming on Friday, we're sharing the next installment on our 10th anniversary conversations. Maria Vermazas and I talk about the vulnerabilities, zero days, and hardware flaws over the past decade. On Saturday, in place of our usual research Saturday, we're sharing an episode of a newer show on our network, AI Security Brief, by our partners at Trend AI, with hosts Dustin Childs and Johnny Hand.
Starting point is 00:23:25 We hope you enjoy the programming and have a happy and safe holiday weekend and happy birthday, USA. And of course, don't forget to check out the T-minus Space Cyber Podcast. Host Maria Vermazas has this preview. And hi, Maria Vermazes here. On Sunday's T-minus space cyber briefing, it's my interview with OREA space CEO, Damian DePippa,
Starting point is 00:23:46 where we discussed the evolution of space programs from exquisite one-off missions to an increasingly commercialized and fragmented ecosystem, needing interoperability and cyber resilience. That's Sunday on T-minus. Don't miss it. You can find the T-minus Space Cyber Podcast wherever you get your favorite podcasts. Check it out. We'd love to know what do you think of this podcast. Your feedback ensures we... deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
Starting point is 00:24:16 If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound designed by Elliot Peltzman. Our contributing host is Maria Vermazas. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.