CyberWire Daily - Who you gonna call?
Episode Date: July 9, 2026GhostApproval puts AI coding assistants under the microscope. Microsoft fixes the RoguePlanet zero-day. More than 70 cybersecurity firms back a new AI Charter. An Ohio county may have paid a $1 millio...n ransom. AssuranceAmerica discloses a breach affecting nearly seven million people. Australia bricks thousands of broadband routers. Israeli fintech Nayax reports a cyber incident. KDDI confirms a massive telecom data breach. A global anti-fraud operation leads to thousands of arrests. Ben Yelin from University of Maryland Center for Cyber Health and Hazard Strategies explains the EU Cloud and AI Development Act. Slopfix fights fire with fire. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Ben Yelin from University of Maryland Center for Cyber Health and Hazard Strategies discussing the EU Cloud and AI Development Act. Selected Reading GhostApproval Flaw Hits Six Major AI Coding Assistants (Infosecurity Magazine) Microsoft Patches RoguePlanet Defender Zero-Day That Grants SYSTEM Access (Daily CyberSecurity) New AI Security Charter Backed by Over 70 Cyber Firms (Infosecurity Magazine) County Government Reportedly Paid $1 Million to Cyber Extortion Group (SecurityWeek) AssuranceAmerica data breach exposes records of 6.9 million drivers (Bleeping Computer) Aussie gov't tells volunteers to throw out thousands of functioning test routers (Ars Technica) Nayax shares slide after fintech company reveals cloud security breach (Ctech) 12 Million Impacted by Data Breach at Japanese Telco KDDI (SecurityWeek) Chinese-Funded Interpol Cybercrime Crackdown Leads to 5,800 Arrests (Infosecurity Magazine) 'Slopfix' software team charges $10,000 a week to delete AI-generated code bloat — ironically, the team uses AI agents to trim messy repositories by up to 65% (Tom's Hardware) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
If you are heading to Blackhead USA this year, make plans to visit the SpectorOps Kennel Club.
As the creators of Bloodhound, the SpectorOps team will host talks, workshops, and hands-on sessions aimed at helping you understand AI accelerated attack paths, the latest identity tradecraft, and how to build your own OpenGraph collector.
Visit specterops.io to pre-register and learn more.
While you're at the SpectorOps Kennel Club, visit the N2K Cyberwire podcast studio,
where we'll be capturing expert perspectives and conversations from across Black Hat.
We'll see you there.
What's the one thing in business that's spreading as fast as AI?
AI risk.
Every new tool your team signs up for, every vendor that turns on AI features, every new integration,
Each one is an opportunity for something to go wrong.
And most security programs weren't built for AI's pace of growth.
Enter Vanta.
Vanta is the number one agentic trust platform,
used by over 16,000 fast-moving companies like Ramp, Cursor, and Harvey
to ensure they're always audit-ready.
And now Vanta is helping companies like yours watch for the risks that show up between audits,
across your vendors, your AI tools, and your whole environment.
How? The Vanta agent works like a 24-7 GRC engineer in the background, finding issues, drafting fixes, and cutting vendor assessment time by up to 50%. Whether you're a fast-growing startup or a global enterprise, Vanta is here to help you automate your security and compliance and earn and prove trust. Get started today at Vanta.com slash cyber. That's V-A-N-T-A-com slash cyber.
Ghost approval puts AI coding assistance under the microscope.
Microsoft fixes the rogue planet Zero Day.
More than 70 cybersecurity firms back a new AI charter.
An Ohio County may have paid a million dollar ransom.
Assurance America discloses a breach affecting nearly 7 million people.
Australia bricks thousands of broadband routers.
Israeli fintech NIACs reports a cyber incident.
KDDI confirms.
a massive telecom data breach.
A global anti-fraud operation leads to thousands of arrests.
Our guest is Ben Yellen from the University of Maryland Center for Cyber Health and Hazard Strategies,
explaining the EU Cloud and AI Development Act.
And SlopFix fights fire with fire.
It's Thursday, July 9th, 2026.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It's great as always to have you with us.
Whiz research has disclosed a flaw dubbed ghost approval affecting six AI coding assistants,
Amazon Q developer, clawed code, augment, cursor, Google anti-gravity, and wind surf.
The issue exploits symbolic links or sim links to disguise rights to sensitive files as harmless project edits.
In Wiz's proof of concept, an AI agent following routine setup instructions overwrote a
developers' SSH keys after the approval prompt displayed only an innocent-looking file name,
potentially enabling passwordless remote access, and in the worst case, remote code execution.
Amazon, Google, and Cursor have released fixes with Cursor assigning a CVE.
Augment and WindSurf acknowledged the reports, but have not yet issued fixes,
while Anthropic disputed the issue as a vulnerability.
WIS recommends resolving sim links before approval prompts and warning users about rights outside the project.
Microsoft has patched a Microsoft Defender Zero Day called Rogue Planet,
a race condition that allows a local attacker to gain system privileges on fully patched Windows 10 and 11 systems,
even with real-time protection disabled.
The flaw exploits a timing gap in Defender's file scanning process,
allowing an attacker to swap a scanned file with a malicious payload that executes with elevated privileges.
A public proof of concept has been released, though Microsoft says it has not seen the vulnerability exploited in the wild.
The flaw affects multiple versions of the malware protection engine and is fixed in the latest version, which updates automatically.
Administrators should verify engine versions, restrict local administrative privileges,
and monitor for suspicious file activity to reduce potential impact.
More than 70 cybersecurity organizations have signed Crest's AI charter,
committing to nine principles for the responsible use of artificial intelligence in cybersecurity.
The framework emphasizes accountability, transparency, documentation, human oversight,
data sovereignty, security, secure AI development, supply chain risk management,
and business continuity. Signatories pledge to disclose when AI is used, maintain audit trails,
protect client data, and ensure qualified personnel retain final oversight of AI-driven decisions.
The Charter also calls for securing AI tools throughout their lifecycle, managing third-party
AI risks, and planning for AI-related disruptions. Crest said the principles were developed with
industry input and reflect the growing role of AI, with nearly 70% of cybersecurity providers now
using AI daily. The organization hopes the charter will establish common industry standards and reduce
the need for formal regulation while improving trust and interoperability.
Ransom ISEC reports that a U.S. government entity, believed to be Union County, Ohio, paid the
kairos cyber extortion group $1 million after attackers stole roughly two terabytes of data in a May
2025 breach. Negotiation records show the attackers reduce their demand from $3 million before payment
was made in Bitcoin. The incident involved data theft and extortion, not file encryption. Ransom
ISAC cautioned there is no reliable way to verify the attackers actually deleted the stolen data,
despite providing proof of deletion artifacts.
Assurance America has disclosed a data breach
affecting nearly 7 million individuals
after attackers gained unauthorized access
to its network in March of this year.
The insurer said the intrusion began on March 16th
by targeting an employee,
allowing attackers to access parts of its IT environment
and copy customer data.
Exposed information may include names
contact details, insurance policy and claims information, driver and vehicle records,
and driver's license numbers. After detecting the breach on March 17th, the company disabled
compromised accounts, terminated unauthorized sessions, isolated affected systems,
notified law enforcement, and strengthened security with password resets, enhanced monitoring,
and employee training. Assurance America completed its review of impacted files in June,
and is notifying affected individuals,
advising them to monitor financial accounts
and report suspicious activity.
Thousands of Sam-Kno's branded routers
used in the Australian Competition and Consumer Commission's
measuring broadband Australia program
were remotely disabled after the initiative ended on June 30th,
prompting criticism over unnecessary electronic waste.
The routers distributed to volunteers, beginning in 20,
to measure broadband performance, remained functional hardware, but were intentionally
bricked as part of the program shutdown.
Volunteers were instructed to recycle the devices, although some users have successfully
reflashed them with the open-source open WRT operating system to restore full router functionality.
Critics argue Sam knows, or its parent company, Cisco, could have released a final firmware
update instead of disabling the devices. Neither Samnose, Cisco, nor the ACCCC provided a clear explanation
for the decision, despite concerns about avoidable e-waste.
Israeli fintech company NIACs has disclosed a cybersecurity incident after detecting suspicious
activity in a cloud account belonging to one of its subsidiaries. The company said the affected
account was immediately secured and emphasized that its production environment, payment processing
systems, and business operations were not impacted. The incident follows online extortion claims
threatening to publish allegedly stolen data on July 21st, though NIACS cautioned that cybercriminals
often exaggerate such claims to pressure victims. The company is working with cybersecurity experts
and law enforcement in Israel and the United States,
while investigating the scope of any exposed data.
NIAC said it does not currently believe material information was compromised,
but will provide updates of significant findings emerge.
The disclosure was also reported to the U.S. Securities and Exchange Commission.
Japanese telecom giant KDDI confirmed that a June cyber attack
exposed the data of 12.2 million people after attackers exploited a zero-day vulnerability in software
supporting the email infrastructure of five Internet service providers. Stolen data included email addresses
and 7.6 million passwords, though KDDI's owned mobile and fixed-line email services were unaffected.
The company says it removed the attackers, is coordinating password resets with affected providers,
and is working on a patch and broader security improvements.
Operation First Light, 26, a global anti-fraud initiative
coordinated by Interpol, led to the arrest of over 5,800 suspects,
the identification of more than 15,000 suspects and 142,000 victims,
and the seizure of $293 million in illicit assets,
conducted between January and April across 97 countries and territories,
the operation targeted social engineering scams,
including romance fraud, business email compromise, and related money laundering.
Authorities froze more than 31,000 bank accounts and numerous cryptocurrency wallets,
while dismantling criminal networks in multiple countries.
One notable raid in Eswatini uncovered an elaborate impersonation scheme
involving a fake Brazilian police station.
Interpol said the operation also helped solve nearly 24,000 fraud cases
and highlighted the value of international collaboration
against cyber-enabled financial crime.
Coming up after the break, Ben Yellen from the University of Maryland
Center for Cyber Health and Hazard Strategies,
explains the EU Cloud and AI Development Act,
and SlopFix fights fire with fire.
Stay with us.
AI is making fishing attacks faster, more convincing, and harder for people to spot,
and traditional security awareness and fishing training weren't designed for this level of attack.
Hoxhunt helped security teams prepare employees for the attacks they face every day
with personalized fishing training that adapts to each employee and reduces risky behavior over time.
For IT and security leaders looking to strengthen their human layer of defense,
without adding more manual work, visit hoxhunt.com slash cyberwire to learn more.
That's h-o-x-h-U-N-T dot com slash cyberwire.
This episode is supported by Black Hat USA.
If you follow the research, you know a lot of it breaks on Black Hat stages.
Hundreds of peer-reviewed briefings, more than 100 hands-on trainings,
and the largest business hall in Black Hat's history.
Six days to learn the skills.
you'll need tomorrow. August 1st to the 6th. Use code Cyberwire for $200 off your briefings pass at
blackhat.com. We'll see you in Vegas. It is always my pleasure to welcome back to the show, Ben Yellen.
He is from the University of Maryland Center for Cyber Health and Hazard Strategies and also my co-host on
the caveat podcast. Hey there, Ben. Hey, Dave. Good to be with you. So on our recent episode of
caveat, we were discussing the EU's efforts toward technological
sovereignty, and I thought that would be a worthy conversation for our Cyberwire listeners as well.
Can you just start off with a summary? What's the EU after here?
Sure. So the European Union has proposed and is in the process of enacting something called
the Cloud and AI Development Act. I read about this first in a story on the Lawfare block,
which I'm sure we'll link to. Part of a new strategy on the part of the European Union through the European
Commission to achieve technological sovereignty.
It is designed to reduce Europe's dependence on foreign and particularly U.S. cloud
providers and strengthen European technology autonomy within their own jurisdictions.
And I think you have to think broader than just technology here.
We've seen this in other contexts where leaders of other Western democracies have talked
very openly about the inability to rely on the United States as a provider of,
X, Y, and Z. One of the speeches that I think was the major catalyst for this type of thinking was one that
Canadian Prime Minister Mark Carney gave in front of the Davos conference in Switzerland, where he
talked about how, given what's happened with the Trump presidency and the fact that he was elected
two separate times, countries need to prepare for the fact that they can't rely on the United States
to be the provider of military technology or collective defense, that countries are going to have to
assume sovereignty over these domains where they've been overly reliant on the United States.
And one of those spheres is technology. And I think that's really the context that we need to
understand why they're doing this. So basically they're worried about a couple of different risks here.
The first is that we have our own Cloud Act, the U.S. Cloud Act, which allows U.S. authorities
to access data held by American companies even when stored in the EU. So obviously that kind of
violates their sovereignty if our government can snoop in on data stored in the EU.
And then this concern about a so-called kill switch where we issue sanctions or other government
actions that prevent our companies from providing cloud services to European users,
which would be a disaster.
Like if the EU lost our cloud computing services, that makes up 70% of their cloud computing market.
And so, yeah, it's going to be really difficult.
Imagine if your cloud computing service preferred service of choice failed or was shut down and how much important data you'd lose.
So they've come up with a framework where there are four sovereignty assurance levels going up from level one, which is lower risk.
For level one, data must be hosted in the EU and protected from foreign reporting requirements all the way up to the strictest standard, which is level four.
requiring full independence from foreign controlled companies
and high cybersecurity certifications.
So this could have a big impact on the market in the United States for cloud computing,
the ability for our big cloud computing companies to continue to do business in the European Union,
and for just general diplomatic relations with the EU
as they tried to establish these new spheres of sovereignty,
this one being technological sovereignty.
And this goes beyond the Trump administration, right?
I mean, this is kind of a recalibration of the global trading order.
Is it fair to say since World War II?
Yeah.
I mean, I think we've been on a glide path, especially starting the past 45 years or so,
to increase globalization, a common global market in the last 30 years,
a free and relatively resistance-free Internet,
where people in the United States can view things that are hosted on European servers.
And I think because of, you know, Trump might be the initial catalyst
as somebody who has expressed these America-first ideals,
somebody who is more protectionist when it comes to trade.
But, yeah, it does go beyond them.
I think European countries are recognizing that even if Trump leaves office,
there's still this latent desire among a significant portion of the U.S. population
to be more protectionist,
to focus on U.S. companies,
to issue things like tariffs and sanctions,
to protect U.S. companies at the expense of European companies.
And that can include things like banning these companies
from serving the European Union or being in the European Union market.
So I think the fact that that movement exists in this country
is inspiring the European Union to take action
and to prepare for a world in which they can be self-sufficient
without reliance on our technological resources.
Surely, if I'm one of the big U.S. cloud providers,
I am letting the White House know that I'm not at all pleased about this.
Do you think this administration has an open ear to those sorts of complaints?
I think they definitely have an open ear.
I mean, there have been a lot of concerns about this.
Companies have expressed the concern,
seeing this new EU initiative that they could be shut out from
the European government's cloud market, even though there are some exceptions and derogations
that can allow U.S. providers to step in when there aren't adequate alternatives.
But, yeah, I think they might have the ear of the White House.
But as we've seen in things like the imposition of tariffs, sometimes the Trump administration
is willing to go against big business interests, including cloud computing titans, I would guess.
Even if some of these people have been his political supporters, and even if it would have an impact
on U.S. markets.
And even when Trump has been forced to back down,
there could be a future president
who is not as keen to get cold feet
when the stock market crashes, for example,
and who might be more ideologically predisposed
to maintaining these levels of separation.
So, yeah, I mean, I can understand
why there's a concern among these companies
and why these companies would,
if and when this law gets enacted,
face significant challenges,
meeting some of these higher assurance levels.
Ben Yellen is from the University of Maryland Center for Cyber Health and Hazard Strategies
and my co-host on the caveat podcast.
Ben, thanks so much for taking the time for us.
Thank you.
As organizations grow, so does complexity.
New applications are deployed, vendors are granted temporary access,
and remote support tools are installed.
Many of them never go away.
In my recent conversation at RASC, 2026 with Rob Allen, chief product officer at Threat Locker,
he explains how these forgotten tools create hidden pathways into enterprise environments
and why attackers increasingly exploit what's already inside the network instead of trying to break through the perimeter.
Learn how to reduce lingering access, shrink your attack surface,
and implement zero trust more effectively by listening to the full conversation at explore.
The Cyberwire.com slash threat locker.
This spring, denim gets a softer, lighter update.
Introducing Old Navy's drapey denim wide leg, a new fit that moves with you.
It's everything you want denim to feel like for summer.
Easy, breathable, and effortlessly cool.
With a fit that creates natural movement and a wide leg that feels modern, not overwhelming.
Plus, that signature, wait, for this price?
Moment.
Old Navy's drapey denim wide leg.
Hey y'all, it's Kelly Clarkson with Wayfair. Ever order furniture online and wonder what if? Like, what if it doesn't hold up?
That sofa was four days old. You should have ordered from Wayfair. With Wayfair, there's no what if. Just style you love and quality you can trust. Visit Wayfair.Care. Every style, every home.
And finally, in what may be the most delightful circular startup idea of the year, a company called Slop Fix has built a business around cleaning up AI generated code.
using AI coding agents to do the cleaning.
For a starting fee of $10,000 a week,
its engineers promise to shrink bloated code bases
while preserving functionality.
They get paid based on how much code they delete.
Before touching a project,
SlopFix documents every screen and endpoint
as a regression checklist,
then delivers a leaner code base,
guardrails to prevent future bloat,
and a two-week warranty.
The timing is no accident. Get Clear reports. Duplicated code has surged 81% since 2023,
while refactoring has nearly disappeared, as AI-generated vibe coding increasingly produces sprawling, repetitive software.
Slop Fix's premise is simple. Use AI to clean up AI's mess.
And that's The Cyberwire. For links to all of today's stories, check out our daily briefing at the Cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey and the show notes or send an email to Cyberwire at N2K.com.
N2K's lead producers Liz Stokes were mixed by Trey Hester with original music and sound design by Elliot Peltzman.
Our contributing host is Maria Vermazis.
Our executive producer is Jennifer Ibn.
Peter Kilpsey is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
