CyberWire Daily - The WhatsApp impostor.

Episode Date: April 2, 2026

A fake WhatsApp spreads spyware. The State Department pushes embassies to counter influence ops. Cisco patches critical bugs. CrystalRAT hits Telegram. A Texas hospital breach affects 250,000. HHS reshuffles IT oversight. China-linked spies target Europe. EvilTokens hijacks Microsoft accounts. Ransomware hits a North Dakota water plant. Sumedh Thakar, President and CEO of Qualys, discusses how cybersecurity is shifting toward managing real business risk. Tales of a tortoise's termination have been greatly exaggerated.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

We will be sharing a series of interviews we held at RSAC 2026 over the next few weeks. Sumedh Thakar, President and CEO of Qualys, discusses how cybersecurity is shifting toward managing real business risk amid rapid technological change. If you enjoyed this interview, check out the full conversation here.

Selected Reading

WhatsApp notifies hundreds of users who installed a fake app made by government spyware maker (TechCrunch)
Trump Officials Try to Fight Foreign Disinformation They Once Dismissed (The New York Times)
Cisco Patches Critical and High-Severity Vulnerabilities (SecurityWeek)
New CrystalRAT malware adds RAT, stealer and prankware features (Bleeping Computer)
250,000 Affected by Data Breach at Nacogdoches Memorial Hospital (SecurityWeek)
HHS Shuffles Internal Cyber, AI Oversight Back to CIO Office (GovInfo Security)
European-Chinese geopolitical issues drive renewed cyberespionage campaign (CyberScoop)
New EvilTokens service fuels Microsoft device code phishing attacks (Bleeping Computer)
North Dakota water treatment plant reports March ransomware attack (The Record)
World's oldest tortoise caught in viral crypto death scam | St Helena (The Guardian)

Share your feedback.
What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. And now a word from our sponsor, Arcova, formerly Morgan Franklin Cyber. Arcova is a global cybersecurity and AI consulting firm built by practitioners who've been in the seat. They work directly with enterprise teams to solve complex security challenges, building secure-by-design programs that hold up as technology and threats evolve. From focused engagements to long-term partnership, Arcova delivers outcomes that endure, because no one should navigate complexity alone.
Starting point is 00:00:44 Learn why leading global enterprises trust Arcova at www.arcova.com. That's A-R-C-O-V-A.com. A fake WhatsApp spreads spyware. The State Department pushes embassies to counter influence ops. Cisco patches critical bugs. CrystalRAT hits Telegram, a Texas hospital breach affects a quarter million, HHS reshuffles IT oversight, China-linked spies target Europe, EvilTokens hijacks Microsoft accounts, ransomware hits a North Dakota water plant.
Starting point is 00:01:32 Our guest is Sumedh Thakar, president and CEO of Qualys, discussing how cybersecurity is shifting toward managing real business risk. And tales of a tortoise's termination have been greatly exaggerated. It's Thursday, April 2, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us. WhatsApp says roughly 200 users, mostly in Italy,
Starting point is 00:02:28 were targeted with spyware through a fake iPhone version of its messaging app. According to a statement shared with TechCrunch, the company linked the malicious unofficial client to Italian spyware maker SIO and logged affected users out after detection. WhatsApp urged users to delete the app and reinstall the official version. Spokesperson Margarita Franklin said user roles remain unclear. Fake mobile clients remain an effective delivery method for government surveillance spyware and signal continued targeting activity in Italy.
Starting point is 00:03:05 WhatsApp also said it plans legal action to halt the alleged campaign and protect affected users in the region. The State Department has ordered U.S. embassies worldwide to counter foreign influence campaigns, as officials warn anti-American narratives are gaining ground internationally. According to current and former officials cited by the New York Times, the directive followed concerns about messaging from adversaries, including Russia, China, and Iran, especially after U.S. military actions involving Venezuela and Iran. The administration is also restoring limited broadcasts from Voice of America,
Starting point is 00:03:46 Radio Free Asia, and Radio Free Europe/Radio Liberty, after earlier shutdowns tied to legal and political disputes over alleged censorship claims. Weakened counter-disinformation infrastructure can create openings for adversaries to shape global perceptions of U.S. policy and alliances. Officials say diplomats are now being encouraged to coordinate with Pentagon information operations and challenge false claims online as part of renewed messaging efforts. Cisco has released patches for two critical and six high-severity vulnerabilities affecting enterprise networking and management products.
Starting point is 00:04:27 The most serious issues include a vulnerability in Smart Software Manager On-Prem, which allows root-level command execution through an exposed internal device, and another vulnerability which enables attackers to change administrator passwords via crafted requests. Additional flaws affect Evolved Programmable Network Manager and Integrated Management Controller deployments across multiple server platforms. Successful exploitation could allow attackers to gain administrative control or access sensitive data across widely deployed infrastructure. Cisco says it has no evidence of active exploitation.
Starting point is 00:05:09 Researchers report a new malware-as-a-service platform called CrystalRAT, which is being promoted on Telegram with tools for remote access, data theft, and device surveillance. According to Kaspersky, the malware appeared in January with tiered subscriptions and marketing on Telegram and YouTube. CrystalRAT shares similarities with WebRat, including Go-based code and panel design. Its features include command execution, file transfer, browser data theft, keylogging, microphone and video capture, and clipboard hijacking of cryptocurrency wallet addresses. The platform also supports anti-analysis protections and encrypted communications with command and control infrastructure. Subscription-based malware lowers barriers
Starting point is 00:05:59 for entry-level threat actors and expands access to surveillance-grade tooling. Researchers say prank-style disruption features may also distract victims while data theft occurs. Nacogdoches Memorial Hospital says a January network breach exposed personal and health information belonging to more than a quarter million individuals. The Texas hospital reported that attackers accessed internal systems on January 31st and may have obtained sensitive data, including Social Security numbers, medical record numbers, and contact information.
Starting point is 00:06:37 Officials say there's no evidence of misuse so far. The organization secured its network and notified law enforcement but did not identify a responsible threat actor. Healthcare breaches expose high-value identity and medical data that can enable fraud and long-term identity risks for victims. The Department of Health and Human Services is restructuring its technology leadership, shifting cybersecurity and enterprise IT authority back to its Office of the Chief Information Officer. HHS reversed a 2024 change that expanded the Office of the National Coordinator for Health Information Technology, or ONC, into a department-wide technology policy role under the name Assistant Secretary for Technology Policy/ONC. The agency restored
Starting point is 00:07:29 ONC's narrower focus on health IT standards and interoperability while returning cybersecurity, AI, cloud, and data operations oversight to the CIO office. Officials said the move reinforces statutory enterprise IT responsibilities across the department. Centralized oversight could strengthen internal cybersecurity coordination and governance across HHS systems, though experts say the change is unlikely to immediately affect broader healthcare sector cybersecurity risks. Researchers report a China-linked cyber espionage group has resumed targeting European diplomatic and government organizations after shifting focus elsewhere in recent years. According to Proofpoint, the group known as TA416,
Starting point is 00:08:19 also tracked as Twill Typhoon and Mustang Panda, began renewed activity in mid-2020, targeting individuals and mailboxes tied to NATO and European Union delegations. The campaign coincided with rising EU-China tensions over trade, rare earth exports, and the Russia-Ukraine war. Researchers also observe new targeting of Middle Eastern diplomatic entities following the start of the Iran conflict. Shifting geographic targeting by state-aligned actors signals evolving intelligence priorities and continued credential harvesting and malware delivery risks for diplomatic networks. Researchers observed repeated use of PlugX backdoor delivery techniques. Researchers at Sequoia report a phishing-as-a-service kit called EvilTokens,
Starting point is 00:09:13 which is enabling attackers to hijack Microsoft accounts using device code phishing techniques. The toolkit is sold via Telegram and targets employees with lures disguised as financial documents, meeting requests, or shared files from services like DocuSign or SharePoint. Victims are redirected to legitimate Microsoft device login pages after entering attacker-supplied verification codes, allowing threat actors to obtain access and refresh tokens. These tokens enable persistent access to email, files, Teams data, and single sign-on across Microsoft services. Device code phishing bypasses traditional credential theft defenses and supports automated business email compromise activity at scale, across multiple countries, including the United States and France.
Starting point is 00:10:08 Officials in Minot, North Dakota, say a ransomware attack struck a city water treatment plant but did not disrupt water safety or system operations. According to city officials, the intrusion was discovered March 14th and affected a server that was quickly disconnected. Staff operated systems manually for about 16 hours while monitoring pressure and safety conditions. Officials said attackers left only a message on a screen with no ransom demand or direct contact reported.
Starting point is 00:10:41 The FBI is reviewing the message as part of an investigation. Water utilities remain frequent cyber attack targets, with recent campaigns linked to criminal groups and nation-state actors, highlighting ongoing risks to critical infrastructure resilience. Coming up after the break, my conversation with Sumedh Thakar from Qualys. We're discussing how cybersecurity is shifting toward managing real business risk. And tales of a tortoise's termination have been greatly exaggerated. Stay with us.
Starting point is 00:11:21 Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel, outpacing what's next in social engineering. Learn more at Doppel.com. That's D-O-P-P-E-L.com. Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Starting point is 00:12:24 Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero-trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result? Fast, reliable, and secure connectivity without the constant patching, vendor-juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters, helping your business and customers thrive.
Starting point is 00:13:18 Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire. Sumedh Thakar is president and CEO of Qualys. I caught up with him at the RSAC 2026 conference for this sponsored Industry Voices conversation about how cybersecurity is shifting toward managing real business risk. Even within the last few months,
Starting point is 00:13:58 the conversation has shifted from, oh my God, I'm concerned my users, my employees are using AI. I want to find out who's using these AI tools. In six months now, you are saying, I'm concerned the employees that are not using AI. So it's like, can I get a report of everybody who's not using AI now, right? And so I think that's very valid.
Starting point is 00:14:19 Those are valid questions. And just like with any technology, the security aspect, the cyber aspect, the privacy aspect need to be looked at. And I think the developers of these technologies and the vendors have to put those guardrails, answer the questions. And they do have to make sure that they put that level of comfort with the customers. Well, welcome. We are here at RSAC 2026, and it is my pleasure to welcome Sumedh Thakar, who is President and CEO of Qualys. Welcome. Thank you for having me. I want to start off just sort of getting a level-setting reality check from you. We're seeing a lot of change in the industry. I don't have to tell you what the hot topic is this year. Everybody knows what it is.
Starting point is 00:15:05 But how, as an organization, do you adjust to those changes with the products that you're presenting, how they evolve, and how you make sure that you're responding to what customers are asking for? Yeah, that's a great question, and not to age myself, but I've been at Qualys for 23 years, and I started 23 years ago working on vulnerability management, and so all we have seen in the last many years is just a continuous change in the industry, and I think the rate of change has just accelerated in the last few years. But, you know, having done this for a long time, when I take a step back, I feel like there's always going to be some new hot thing that people are going to run after. But if you take a step back and you look at what is cybersecurity?
Starting point is 00:15:47 Cybersecurity is essentially a risk management exercise for a company to not have financial loss from a cyber attack. And I think what happens is that many times we don't articulate what is at risk. And the point is that if you don't know how much loss you could have, how could you figure out how much you should spend on reducing that loss? So technology will change. New technology will come. You know, virtualization was pretty hot 10 years ago. Then five years ago, cloud became a hot thing. And now AI security is going to be hot. And two years from now, quantum will be hot. But the question to ask is, how does this new technology bring additional risks to my business?
Starting point is 00:16:31 And how much loss could I have, and how much should I spend on that, is really the key point. And that's where we have seen the evolution. It's less about the individual hot technology coming out and is more about creating a framework and a platform that is allowing our customers to do overall risk management and operationalizing that risk with the concept of a risk operation center, a ROC. Just as we have done for a SOC, which is post-breach, how do we proactively create, help our customers create, a Risk Operation Center that actually gets things fixed? The most important dollar you can spend in cyber is actually getting things fixed. Otherwise, you're just doing dashboard tourism by building more dashboards, and we're not getting anything fixed.
Starting point is 00:17:16 Right, right. Well, I mean, it strikes me that that's really part of the relationship aspect that you, as a trusted partner, help your customers, your clients understand what their risk exposure is. Is that a fair way to describe it? I think ultimately, if you say that cybersecurity is a risk management exercise, then the real metric is not how many findings you had and how many findings you fixed; it is how much risk of loss
Starting point is 00:17:45 did you reduce by spending that money in cyber. And so as we have been talking to customers who are hearing more and more of that is like there is a detection fatigue where too many detections are coming out, not enough remediation, and the report we put out about the best, broken physics of remediation is you have the detection fatigue, not enough things are being fixed, not enough things are being fast enough, and the attackers are leveraging newer technologies to just
Starting point is 00:18:12 attack you faster. And so you kind of are under this pile. And so when we start to look at it, which means by definition you don't have enough budget to fix everything that is detected, which means prioritization is not an option. And now when you start to talk about prioritization really comes down to what is the most important thing that you should look at. Well, the most important thing is what causes the most risk of loss. So really listening to our customers is all about, I don't have enough resources, tell me what is the thing I should fix that is going to reduce the maximum loss. When you're talking to your customers and your partners, when you're walking the show floor here at the RSA conference, what are you hearing in terms of the pain
Starting point is 00:18:52 points from the CISOs out there, the decision makers? What are they telling you? It's interesting because if you, and you know, in the industry, there's a lot of, like, well, all these studies come out on what are the CISO priorities, but then the CISO priorities are not necessarily the CISO pain point. So that's interesting because the priority will be, I need to look at AI security, I need to look at cloud security, I need to look at it. But they're always looking for something new that they have to look at
Starting point is 00:19:21 because some new IT technology has come around. But if you ask a CISO, what is your personal pain point in your job? they say, okay, I have to pick a cloud technology. I'm going to have my team look at three vendors. They're going to do an analysis and they'll pick something and then we'll negotiate the price. That's not necessarily a pain point. That's a priority. That's not a pain point.
Starting point is 00:19:41 The pain point is going to my CFO and asking for more budget. And the CFO asks, well, so what do I get in return? Because the AI team is asking for that money. Should I give it to the AI team who's saying that we will increase the top line by 3%? or should I give it to you? And you're saying, you cannot even tell me if you're going to reduce the risk by five times, one time, three times.
Starting point is 00:20:05 So their challenge is how do I report to the board? They go to the board. They cannot explain the value of what they're doing. They're talking about alerts and how many detections. That doesn't mean anything to the board. Even if you tell the board that we've applied 75,000 patches, what does that mean to the business? Right.
Starting point is 00:20:23 Once again this year, we spent all this money and, good news, nothing happened. Right. But that's not necessarily the way to look at it, right? Right. So that's their pain point when you talk about the CISO's job is, you know, one part is, like, I want to make sure that I'm putting the right solutions in for the company. But the teams are taking care of that. That's your priority.
Starting point is 00:20:44 But then, personally, they're really just trying to figure out how do I balance this detection fatigue with not enough remediation, and articulating the value and really becoming a business partner. Otherwise, the CISO ends up becoming the person that's always saying no and not giving a good explanation why it's a no, right? So how do they evolve from that to be a business-friendly CISO? How can you go and say, look, we're going to operationalize our risk management? With that, we are reducing the number of things we are fixing. And by that, I'm giving four hours back to the IT team every week, which amounts to $10 million being given back by not fixing things that don't matter, right?
Starting point is 00:21:20 Those are the conversations that they would really like to have. They get personally excited about that. Of course, picking a new technology, they are going to pass that off to their team. Well, we're here at RSAC 2026, and of course, the hot topic is agentic AI. Yeah. What are your insights? Where do you think we are and where do you think we're headed? I think it's very exciting, the opportunities that agentic AI is bringing, because if you look
Starting point is 00:21:45 at every report in the history of cybersecurity last 10 years, has always talked about a lack of talent or lack of trained resources in cybersecurity. And so, you know, we are already coming in where we had a big gap of the number of people that were available in cyber that were trained to actually achieve the goals that the businesses were looking for. And so, Agentic AI has brought out the ability to leverage this new technology and simplify and significantly reduce the number of resources that were required to achieve those goals. A lot of time and this alert fatigue and detection fatigue has been there because it's not that the volume was the problem.
Starting point is 00:22:30 It's the amount of stuff that was wasted in that volume that makes people fatigued. It's like, I spent three days triaging all this and I found nothing. That's more fatiguing than, hey, we were actually able to do a lot of this stuff. And so I think the ability to have agentic AI, and this is something that we have done a little bit differently, where we talk about kind of having agentic AI named cyber risk agents on the platform, where there are six agents available. Each agent has a name and a persona, and they have a skill set in cyber. So today, talk to any CISO: Patch Tuesday is still there, people have to take care of Patch Tuesdays. We have Agent Sarah, who is a Patch Tuesday agent, so the way the CISOs
Starting point is 00:23:11 look at that is, I have a team of 10 and now I'm augmenting them with six AI agents, so that my team now is spending less of their time doing these kinds of tasks and they are leveraging Agent Sarah to do a lot of the tasks that needed to be done. And so in that sense, we're actually able to get better outcomes quicker with agentic AI. And so I think that this is going to be a real game changer for us to stay ahead of the attackers. Now, attackers are not sitting back. They're also using AI and they're also automating and using agentic AI for the attack. So it's almost like we don't really have a choice at this point,
Starting point is 00:23:47 but to also leverage agentic AI to be able to work against the attackers and empower the defenders. The reality, though, is that it's easy to say, but how many CISOs are getting the budget to build out their own AI team, right? And even if they get the budget, are the resources available in AI? And I think that is where the vendor community here
Starting point is 00:24:10 is very important, that the vendors are partnering with the CISOs to provide them this agentic capability as part of the platform, so that the adoption of agentic AI does not need these CISOs, all of them, to start to build out their own teams. They can actually leverage the capabilities that are out there to achieve those goals quicker and faster. Are you sympathetic to the folks who are expressing concerns that, you know, how are we going to put proper guardrails on this? How do we make sure it doesn't spin out of control and take the company with it? Yeah. I think those are fair questions to ask, right?
Starting point is 00:24:45 Like with any technology, I mean, if you look at how much resistance we had for the cloud, right? The big people were like, oh, no, never. I'm never going to put my data out in somebody else's data center. What are the guardrails? What if this happens? What if that happens? And then a few years later, once those questions were answered and people started to feel
Starting point is 00:25:03 comfortable, now cloud has become a fashion statement, right? It's not an optional thing anymore. Everybody has to be in the cloud. And so I think, like with any technology, any new technology, I think the concerns are valid, the questions are valid, and getting insights into where is the data coming from, where is my data going, how is it training, how accurate are the answers, putting guardrails, making sure that there is no jailbreak, there's no exploitation of that. I think those are all important questions, but I don't think that any of those questions are going to really stop the progress of AI.
Starting point is 00:25:37 I think there will be regulations, there will be some guidelines, etc. But even within the last few months, the conversation has shifted from, oh my God, I'm concerned my users, my employees are using AI. I want to find out who's using these AI tools. In six months now, you are saying, well, I'm concerned the employees that are not using AI.
Starting point is 00:25:56 Right, right. So it's like, can I get a report of everybody who's not using AI now? And so I think that's very valid. Those are valid questions. And just like with any technology, the security aspect, the cyber aspect, the privacy aspect need to be looked at.
Starting point is 00:26:10 And I think the developers of these technologies and the vendors have to put those guardrails, answer the questions. And they do have to make sure that they put that level of comfort with the customers. Sumedh Thakar is president and CEO of Qualys. Thank you so much for joining us. It's a real pleasure. Thank you very much. Great conversation. I appreciate that.
Starting point is 00:26:35 There's a lot more to this conversation than we have time to share here. So please check out the full unedited interview. You can find a link to that in our show notes. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations,
Starting point is 00:27:23 and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today. When it comes to mobile application security, good enough is a risk.
Starting point is 00:28:10 A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile application without compromising performance, time to market, or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. And finally, yesterday, for a brief and sorrowful moment, I believed Jonathan, the giant tortoise, aged 194 and still fond of bananas, had passed away.
Starting point is 00:29:08 Multiple outlets reported his death after an X account, posing as his longtime veterinarian, claimed the world's oldest known land animal had died. According to reporting, later confirmed by the Guardian, the real veterinarian does not use X, and the impersonator was soliciting, wait for it, cryptocurrency donations. Officials on the island of St. Helena verified Jonathan was in fact asleep under a tree, and very much alive. The governor reports Jonathan is still grazing, still fond of bananas,
Starting point is 00:29:45 and still ignoring global drama with admirable discipline. If there's a lesson here, it may be to verify sources, and then take a nap. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
Starting point is 00:30:23 If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
