CyberWire Daily - War comes for the cloud.

Episode Date: April 3, 2026

Cloud data centers come under fire in wartime. A massive dark web intelligence database is exposed. Chinese hackers exploit a video conferencing zero-day. The intelligence community rolls out cyber modernization plans. React2Shell attacks spread at scale. Iowa sues UnitedHealth over the Change Healthcare breach. France moves to bar kids from social media. Researchers warn about hidden risks in power regulation. An insider extortion plot locks admins out of hundreds of servers. Our guest Brandon Karpf, friend of the show, with insights on the war in Iran. Espresso exploit exposes executive emails.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Brandon Karpf, friend of the show, discussing defending critical infrastructure against Iran.

Selected Reading
What Happens When Data Centers Become Military Targets? (GovInfo Security)
Shared Enemy: Inside a Chinese Dark Web Monitoring Database (UpGuard)
TrueConf Zero-Day Exploited in Asian Government Attacks (SecurityWeek)
ODNI tackles AI, threat hunting, app cybersecurity in year-one tech review (CyberScoop)
React2Shell Exploited in Large-Scale Credential Harvesting Campaign (SecurityWeek)
State AG Sues Change Healthcare in 2024 Ransomware Attack (GovInfo Security)
French Senate passes bill that would ban children under 15 from social media (The Record)
The silent dependency: DC power regulation in cyber-physical security (NCC Group)
Man admits to locking thousands of Windows devices in extortion plot (Bleeping Computer)
The company's biggest security hole lived in the breakroom (The Register)

Share your feedback. What do you think about CyberWire Daily?
Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. And now a word from our sponsor, Arcova, formerly Morgan Franklin Cyber. Arcova is a global cybersecurity and AI consulting firm built by practitioners who've been in the seat. They work directly with enterprise teams to solve complex security challenges, building Secure by Design programs that hold up as technology and threats evolve. From focused engagements to long-term partnership, Arcova delivers outcomes that endure because no one should navigate complexity alone.
Starting point is 00:00:44 Learn why leading global enterprises trust Arcova at www.arcova.com. That's A-R-C-O-V-A.com. Cloud data centers come under fire in wartime. A massive dark-web intelligence database is exposed. Chinese hackers exploit a video conferencing zero-day. The intelligence community rolls out cyber modernization plans. React2Shell attacks spread at scale. Iowa sues UnitedHealth over the Change Healthcare breach. France moves to bar kids from social media. Researchers warn about hidden risks in power regulation. An insider extortion plot
Starting point is 00:01:37 locks admins out of hundreds of servers. Our guest is Brandon Karpf with insights on the war in Iran, and an espresso exploit exposes executive emails. It's Friday, April 3, 2026. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining us here today. It's great as always to have you with us. Happy Friday. Recent Iranian strikes on telecom and cloud-linked facilities in Bahrain and a claimed attack on an Oracle data center in the UAE signal a shift in modern conflict. Commercial cloud infrastructure is becoming a wartime target. Earlier drone attacks in March hit multiple AWS facilities across the region, disrupting banking, payments, and government services, reinforcing what analysts describe as a clear pattern rather than isolated incidents.
Starting point is 00:03:03 Iranian sources frame the strikes as responses to alleged U.S. military and intelligence use of these platforms, highlighting the growing dual-use nature of commercial data centers. This raises serious risks for enterprises that depend on regional cloud availability. At the same time, threats to submarine cables and maritime choke points, such as the Strait of Hormuz, increase the possibility of wider global connectivity disruptions. For CIOs, the takeaway is clear: geopolitical risk must now factor into infrastructure planning, including multi-region redundancy, war-scenario continuity testing, and closer scrutiny of cloud service contracts. Researchers at UpGuard discovered a publicly accessible Elastic database in March,
Starting point is 00:03:55 containing nearly a terabyte of dark web and Telegram threat intelligence, apparently tailored to Chinese state interests. The data set tracked breach victims, data brokers, journalists, social media groups, Telegram channels, and Tor marketplaces, with annotations such as China-related, U.S.-related, and counter-revolutionary speech. It included roughly 1 billion breach records and monitoring of thousands of underground sources. The exposure highlights how China, despite its advanced offensive cyber campaigns such as Salt Typhoon and Volt Typhoon, relies on threat intelligence methods similar to Western defenders. It also reflects a broader
Starting point is 00:04:38 shift toward pre-positioning in critical infrastructure and AI-assisted cyber operations. Overall, the leak illustrates how large-scale surveillance-style threat intelligence systems are now central to both national cyber defense and geopolitical competition. Chinese hackers exploited a zero-day vulnerability in TrueConf video conferencing software to target government entities in Asia, according to Check Point. The flaw stems from the client's failure to verify update integrity when retrieving packages from on-premises servers. Attackers compromised a government-operated TrueConf server, replaced legitimate updates with malicious ones, and distributed them to dozens of agencies through the trusted update process.
Starting point is 00:05:28 This implanted malware enabled reconnaissance, persistence, lateral movement preparation, and communication with infrastructure linked to the Havoc post-exploitation framework. Because TrueConf is widely used in isolated government and critical infrastructure environments, the attack leveraged centralized trust rather than endpoint compromise. TrueConf patched the issue, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate it by April 16. The Office of the Director of National Intelligence announced new cybersecurity and technology modernization measures after a year-long effort across the U.S. intelligence community. The initiatives include policy standards for applying artificial intelligence to cyber defenses, expanded automation of threat hunting across intelligence networks, and development of a zero-trust strategy focused on protecting data regardless of location.
Starting point is 00:06:32 ODNI also created a shared repository of cybersecurity-reviewed applications to reduce duplication of testing and speed deployment across agencies. The National Counterintelligence and Security Center was directed to counter foreign intelligence cyber threats more proactively. The effort aligns with broader national cyber strategy goals to strengthen federal network defenses and advance defensive AI capabilities. The announcement marks the first major cybersecurity update under Director of National Intelligence Tulsi Gabbard during the second Trump administration. Cisco Talos researchers warned that threat actor UAT-10608 is exploiting a critical React vulnerability
Starting point is 00:07:19 known as React2Shell to compromise vulnerable Next.js applications at scale. Using automated scanning, the attackers gained remote code execution and deployed scripts with the Nexus Listener Framework to harvest credentials, cloud tokens, SSH keys, and environment secrets. Talos observed at least 766 compromised systems
Starting point is 00:07:44 and over 10,000 stolen files within 24 hours. The campaign targets publicly exposed deployments indiscriminately, and researchers advise organizations to rotate all exposed credentials immediately to reduce risks of lateral movement,
Starting point is 00:08:01 supply chain compromise, and further intrusion. Iowa Attorney General Brenna Bird has sued UnitedHealth Group and its Optum and Change Healthcare units over the 2024 ransomware attack that disrupted health care operations and exposed data from nearly 193 million people nationwide, including 2.2 million Iowans. The lawsuit alleges violations of Iowa consumer protection laws, breach notification requirements, and HIPAA-related obligations, and seeks civil penalties, damages,
Starting point is 00:08:36 and mandated security improvements. Officials say attackers remained undetected for 10 days, stealing Social Security numbers, medical records, and insurance data while crippling claims processing across the state. The BlackCat ransomware incident halted insurance transactions and imposed significant costs on providers. UnitedHealth disputes the claims.
Starting point is 00:09:01 Additional state lawsuits and a federal investigation by the Department of Health and Human Services remain possible. France's Senate has approved legislation to ban social media access for children under age 15, advancing a proposal that could make France the first European country to adopt restrictions similar to Australia's approach. The bill would classify platforms by risk level, imposing outright bans on those deemed harmful to minors, while allowing limited access to others with parental consent. Education platforms would be exempt. The measure reflects a broader European trend, as the European Union, Spain, the Netherlands, and the United Kingdom consider similar age restrictions and verification requirements aimed at strengthening online protections for children.
Starting point is 00:09:54 DC power regulation underpins modern digital infrastructure but has evolved from a simple voltage stabilization function into a critical cybersecurity dependency. As described in the NCC Group report, The Silent Dependency: DC Power Regulation in Cyber-Physical Security, regulators now rely on embedded firmware, digital control, and network connectivity, making them part of the cyber-physical attack surface rather than passive electrical components. Compromise at this layer can manipulate voltage, disrupt availability, corrupt data, or trigger cascading failures across data centers, industrial systems, and telecommunications environments. Modern risks include insecure firmware updates, supply chain exposure, lateral movement through management networks, and physical fault injection techniques
Starting point is 00:10:50 such as voltage glitching. The report recommends treating power regulation as a security architecture component with secure boot, segmentation, telemetry monitoring, and supplier verification. As AI-assisted power management and IT-OT convergence increase complexity, securing power infrastructure becomes essential to maintaining system resilience and trust. A former infrastructure engineer has pleaded guilty to sabotaging his employer's network in an attempted extortion scheme that locked administrators out of hundreds of systems. Prosecutors say Daniel Rhyne used unauthorized access to a Windows domain controller in November 2023 to delete admin accounts, reset passwords across more than 300 user accounts,
Starting point is 00:11:42 and target credentials affecting 254 servers and over 3,000 workstations. He also scheduled server shutdowns and sent ransom emails claiming backups were deleted, demanding 20 Bitcoin to halt further disruption. Investigators later found he researched methods for clearing logs and modifying administrator credentials before the attack. The incident highlights the risks posed by insider threats with privileged access. Rhyne faces hacking and extortion charges carrying a maximum sentence of 15 years in prison. Coming up after the break, my conversation with Brandon Karpf, who has insights on the war in Iran, and an espresso exploit exposes executive emails.
Starting point is 00:12:39 Stick around. Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel. Outpacing what's next in social engineering.
Starting point is 00:13:25 Learn more at doppel.com. That's D-O-P-P-E-L.com. Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack, zero-trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result? Fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and
Starting point is 00:14:11 VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo at meter.com slash cyberwire. That's M-E-T-E-R.com slash cyberwire. It is always my pleasure to welcome back to the show Brandon Karpf.
Starting point is 00:15:03 He is the leader of international public-private partnerships at NTT, also a former member of the intelligence community and a U.S. Naval Academy grad. Brandon, welcome back. We're doing the full CV today, Dave. Well, I think it's good context for the conversation we're going to have today. So you and I are just freshly returning from the RSAC conference in San Francisco, and you have some thoughts on what you did and did not see when it comes to conversations about the current conflict in Iran.
Starting point is 00:15:37 Yeah, it's, you know, we're all still recovering from the week in San Francisco for sure. And, you know, we're at this place now where we find ourselves about day 30 of the war with Iran. And the statements and the confluence of events around cybersecurity and cyber operations, you know, Iranian hacker alliances across their multiple threat actor groups, Cyber Avengers and Handala, potentially holding at risk our domestic U.S. water infrastructure. They came out with some statements just in the last few days, specifically holding at threat some of our water treatment plants in the U.S. and none in particular. But, you know, there's some early indications and previous events that seem like those threats are potentially legitimate.
Starting point is 00:16:26 And then combined with the ongoing lapse of funding with DHS, which obviously funds organizations like CISA and FEMA and other early response organizations. And all that kind of framed with what we experienced last week at RSA and potentially didn't experience. And some of the concerns, but also the call to actions that I have, and I think other people have, to our security community. Do we consider it a credible threat that Iran would be coming after our water treatment plants? Is that a legit soft target?
Starting point is 00:17:01 Yeah, I think so. You know, it's without obviously having access to threat indicators from water treatment plants. There was an incident in Aliquippa, Pennsylvania a few years ago, where Cyber Avengers, which is one of the Iranian APTs, did infiltrate and attack that OT system for the water authority in that township. Others, you know, Handala, with a recent Stryker manufacturing breach and compromise. So Iran has shown themselves certainly capable of having cyber effects on core infrastructure. The Stryker incident recently has caused a huge issue in terms of
Starting point is 00:17:45 medical device supplies in the U.S. But then more specifically to those water treatment plants, water treatment plants historically in the U.S. are under-resourced on security infrastructure and security technologies. And the fact that they have done it before to a U.S. water treatment plant brings up concerns that water utilities are definitely at risk. And we might not necessarily have the authorities and the national coordination in place to respond or deter that type of an attack. It is interesting to me that in the conversations that I had at RSAC, Iran really didn't come up very much. Yeah, same with me, which I'm a little confused as to why that is. We've spent the last few years responding to the Typhoons, right, Volt and Salt Typhoon, pre-positioning in U.S. critical infrastructure, and my industry, telecommunications, saying that we still have a problem.
Starting point is 00:18:40 I mean, it's two years later. We still have problems here. And the focus from whether it's the state and local governments or the federal government and then other resource providers, technology companies, security vendors, just they don't really seem to have the amount of serious focus that I would say is necessary for these threats right now. And then certainly being 30 days into a legitimate war with Iran who has, you know, not necessarily the best of class cyber capabilities, but certainly they are a real threat actor, maybe, you know, maybe not tier one, but tier two, but have shown their willingness, capability, and intent on actually having cyber effects on U.S. critical infrastructure. To me, I mean, we've talked about Shields Up in the past when Jen Easterly was running CISA. I mean, this right now is a Shields Up situation where, you know, the community needs to take
Starting point is 00:19:33 this more seriously and start leveraging assets and putting resources towards these facilities, especially when, I mean, as a nation, we are at war. And underfunded or not funded at the moment with the budget not passing. And even before that, all of the cuts that we've seen at places like CISA. Yeah, CISA has certainly had a staffing collapse over the last 12 months. I mean, they are down at least 30% in terms of total staff, but then 60% of their staff right now is suspended or furloughed. So, and they have another thousand job vacancies.
Starting point is 00:20:11 So CISA is on critical functions only. And so, you know, we have that issue. But then kind of broadly speaking, you know, bringing it back to RSA last week, I see a lot in terms of exquisite capabilities and new technologies and flashy marketing, which is all important. I mean, I think that stuff is valuable for the community. It's a little noisy, but there's value in there. What I'm not seeing is the basic blocking and tackling.
Starting point is 00:20:36 How do we take the under-resourced belly of our national economy, which is all this critical infrastructure? And how do we leverage the power of the community, leverage the power of coordination, intelligence sharing, incident response preparation, or even kind of getting ahead of the incident and imposing costs on adversaries and making our targets hard to hit?
Starting point is 00:21:04 I'm not seeing a lot of conversations that drive towards that direction. And there are things out there that are doing this. And I'll call out a few, you know, the CLTC, the Center for Long-Term Cybersecurity, building these cyber clinics, which are basically kind of public benefit, you know, similar model as the local health clinics, but for cybersecurity. And those resources are certainly helping the most under-resourced regions of our country. But that's just one organization.
Starting point is 00:21:32 We need a lot more of that. And that's kind of my call to action to this whole community is, the things we're talking about are scary and real threats. It's not fear, uncertainty, and doubt. I'm not trying to just say everything is bad and everything is scary, but we're in a serious situation as a nation, and we need to respond as a community to start leveraging the knowledge we have,
Starting point is 00:21:54 the skills we have, the wisdom we have, to minimize the effect that the soft underbelly of our national economy really is exposed to. Do you think we're lulled into a sense of safety partly by our geographic isolation, that we have oceans on either side, or have we been at this cyber game long enough that that's in the rearview mirror?
Starting point is 00:22:17 I think that's certainly part of it. America's always benefited from having that standoff from not really having adversaries on our shores. But, I mean, the difference with cyber is the cyber domain crosses geographic boundaries, and it makes it much easier to attack across those boundaries. I think the other area that has made us kind of lulled into a sense of, I don't want to say complacency, because a lot of folks
Starting point is 00:22:42 in this community are working very hard to solve these things, but maybe a lack of urgency is the fact that for years now, this community has, you know, just almost like what I've just been doing in the last 10 minutes, talking about the potential for serious effects, the potential for serious attacks, the, you know, the analogies folks have used is the cyber 9/11 or the cyber Pearl Harbor. And that kind of, again, yeah, fear, uncertainty, and doubt can only be used so much, right? The boy who cried wolf can only be espoused so many times before people start losing interest. And we've been doing it for a very long time. And there hasn't been huge incidents except for the fact that there really has. And
Starting point is 00:23:24 we forget about it. So Colonial Pipeline is an example, right? The Aliquippa water treatment plant that I just mentioned, the Stryker attack from just a few weeks ago, right? SolarWinds, et cetera, et cetera, Heartbleed, right? These things have cost trillions of dollars to the global economy. Think about WannaCry. Think about NotPetya. These cyber events are very real and have cost us a lot of money. It's been a few years since we've had a massive one in this country, but they do keep happening. And for some reason, we kind of write it off as a one-off, even though every couple of years we're getting a massive attack that costs the economy tens of billions or hundreds of billions of dollars.
Starting point is 00:24:07 And for some reason, we're still not understanding that we need to leverage a lot more public resources into that soft underbelly first before we move on to the exquisite, top of the line, best-of-class technologies. It's really the basics in hardening those soft targets that are the national critical infrastructure.
Starting point is 00:24:27 So what's the call to action then? For the professionals and those of us who are on the sidelines, is this double your efforts? Is this a call your representative situation? What can people actually do? I would say first there has to be political will. So yeah, call your representatives.
Starting point is 00:24:45 I mean, start sending in regular messages to your local representatives, even your state representatives, right? The states have a lot of control here. New York State just implemented some new cybersecurity controls for their water treatment plants, which were just enacted a few weeks ago. Now, those were mandatory reporting laws, so again, that is after breach, but again, there is showing some willingness to start taking action there. But I do think driving political will and how important it is
Starting point is 00:25:14 for the federal government to fund CISA to drive those resources toward those coordinating authorities that CISA has but needs the human resources and the capital to actually deliver on, I think that would go a long way. On top of that, supporting local organizations. I mean, again, I mentioned CLTC is one, the Center for Long-Term Cybersecurity and their cyber clinics programs. A lot of the funding for that did come from, I think, larger federal grants, some of them from large organizations like Google and others, but, and Craig Newmark as well, in his philanthropic work, has funded some of their activities. But they need more support. They need personnel who are willing to donate some of their time, just like how lawyers
Starting point is 00:25:59 donate some of their time pro bono, cybersecurity operators and practitioners should be looking for opportunities to donate their time to those types of cyber clinics. And I think they're operating in at least a dozen states now, if not more, but growing that type of resource. And then if you do run a managed services or MSSP organization, thinking about how that organization can support local critical infrastructure, whether that's water treatment, energy infrastructure, you know, electrical grids, et cetera. And not all of those engagements are going to be paid, and I know I'm asking you to donate your time, but I think we need just a little more community give back in the cybersecurity industry to try to resolve this critical
Starting point is 00:26:45 center of gravity that our adversaries are actively targeting and telling us that they're going to target. And quite frankly, when an adversary tells me that they're going to target something, I'm going to believe them. I'm going to say that that's probably true. So let's do something to mitigate that. Brandon Karpf is leader of international public-private partnerships at NTT. Brandon, thanks so much for taking the time. Thanks, Dave. Most environments trust far more than they should, and attackers know it.
Starting point is 00:27:28 ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind.
Starting point is 00:28:05 ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at ThreatLocker.com slash N2K today. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps
Starting point is 00:28:54 without compromising performance, time to market, or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. And finally, in a cautionary tale for defenders everywhere, a digital forensics investigator discovered that a company's mysterious data breach was not the work of elite hackers, but of a chatty office coffee machine. According to The Register, executives initially suspected corporate espionage. Investigators instead found an internet-connected espresso maker quietly exfiltrating sensitive data abroad every time someone brewed a cup. The device sat comfortably inside the secure network, protected
Starting point is 00:29:53 by a default password, an outdated operating system, and apparently unlimited trust. The awkward briefing that followed informed leadership their security posture had been undone by cappuccino. Experts noted such incidents are not rare. Connected devices often lack monitoring and basic safeguards, making them convenient entry points. The lesson is simple: change default passwords, segment networks, and remember that in modern environments, even the break room may be part of your attack surface. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Santiago Pontiroli, threat intelligence research lead from Acronis. We're discussing
Starting point is 00:30:56 their work, New Year, New Sector: Transparent Tribe targets in India's startup ecosystem. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Starting point is 00:31:19 Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening.
Starting point is 00:31:42 We'll see you back here next week.
