CyberWire Daily - Who you gonna call?

Episode Date: July 9, 2026

GhostApproval puts AI coding assistants under the microscope. Microsoft fixes the RoguePlanet zero-day. More than 70 cybersecurity firms back a new AI Charter. An Ohio county may have paid a $1 millio...n ransom. AssuranceAmerica discloses a breach affecting nearly seven million people. Australia bricks thousands of broadband routers. Israeli fintech Nayax reports a cyber incident. KDDI confirms a massive telecom data breach. A global anti-fraud operation leads to thousands of arrests. Ben Yelin from University of Maryland Center for Cyber Health and Hazard Strategies explains the EU Cloud and AI Development Act. Slopfix fights fire with fire.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Ben Yelin from University of Maryland Center for Cyber Health and Hazard Strategies discussing the EU Cloud and AI Development Act. Selected Reading GhostApproval Flaw Hits Six Major AI Coding Assistants (Infosecurity Magazine) Microsoft Patches RoguePlanet Defender Zero-Day That Grants SYSTEM Access (Daily CyberSecurity) New AI Security Charter Backed by Over 70 Cyber Firms  (Infosecurity Magazine) County Government Reportedly Paid $1 Million to Cyber Extortion Group (SecurityWeek) AssuranceAmerica data breach exposes records of 6.9 million drivers (Bleeping Computer) Aussie gov't tells volunteers to throw out thousands of functioning test routers (Ars Technica) Nayax shares slide after fintech company reveals cloud security breach (Ctech) 12 Million Impacted by Data Breach at Japanese Telco KDDI (SecurityWeek) Chinese-Funded Interpol Cybercrime Crackdown Leads to 5,800 Arrests (Infosecurity Magazine) 'Slopfix' software team charges $10,000 a week to delete AI-generated code bloat — ironically, the team uses AI agents to trim messy repositories by up to 65% (Tom's Hardware) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Discussion (0)
Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. If you are heading to Blackhead USA this year, make plans to visit the SpectorOps Kennel Club. As the creators of Bloodhound, the SpectorOps team will host talks, workshops, and hands-on sessions aimed at helping you understand AI accelerated attack paths, the latest identity tradecraft, and how to build your own OpenGraph collector. Visit specterops.io to pre-register and learn more. While you're at the SpectorOps Kennel Club, visit the N2K Cyberwire podcast studio, where we'll be capturing expert perspectives and conversations from across Black Hat. We'll see you there. What's the one thing in business that's spreading as fast as AI?
Starting point is 00:01:04 AI risk. Every new tool your team signs up for, every vendor that turns on AI features, every new integration, Each one is an opportunity for something to go wrong. And most security programs weren't built for AI's pace of growth. Enter Vanta. Vanta is the number one agentic trust platform, used by over 16,000 fast-moving companies like Ramp, Cursor, and Harvey to ensure they're always audit-ready.
Starting point is 00:01:33 And now Vanta is helping companies like yours watch for the risks that show up between audits, across your vendors, your AI tools, and your whole environment. How? The Vanta agent works like a 24-7 GRC engineer in the background, finding issues, drafting fixes, and cutting vendor assessment time by up to 50%. Whether you're a fast-growing startup or a global enterprise, Vanta is here to help you automate your security and compliance and earn and prove trust. Get started today at Vanta.com slash cyber. That's V-A-N-T-A-com slash cyber. Ghost approval puts AI coding assistance under the microscope. Microsoft fixes the rogue planet Zero Day. More than 70 cybersecurity firms back a new AI charter. An Ohio County may have paid a million dollar ransom. Assurance America discloses a breach affecting nearly 7 million people.
Starting point is 00:02:48 Australia bricks thousands of broadband routers. Israeli fintech NIACs reports a cyber incident. KDDI confirms. a massive telecom data breach. A global anti-fraud operation leads to thousands of arrests. Our guest is Ben Yellen from the University of Maryland Center for Cyber Health and Hazard Strategies, explaining the EU Cloud and AI Development Act. And SlopFix fights fire with fire.
Starting point is 00:03:14 It's Thursday, July 9th, 2026. I'm Dave Bittner, and this is your Cyberwire Intel briefing. Thanks for joining us here today. It's great as always to have you with us. Whiz research has disclosed a flaw dubbed ghost approval affecting six AI coding assistants, Amazon Q developer, clawed code, augment, cursor, Google anti-gravity, and wind surf. The issue exploits symbolic links or sim links to disguise rights to sensitive files as harmless project edits. In Wiz's proof of concept, an AI agent following routine setup instructions overwrote a
Starting point is 00:04:20 developers' SSH keys after the approval prompt displayed only an innocent-looking file name, potentially enabling passwordless remote access, and in the worst case, remote code execution. Amazon, Google, and Cursor have released fixes with Cursor assigning a CVE. Augment and WindSurf acknowledged the reports, but have not yet issued fixes, while Anthropic disputed the issue as a vulnerability. WIS recommends resolving sim links before approval prompts and warning users about rights outside the project. Microsoft has patched a Microsoft Defender Zero Day called Rogue Planet, a race condition that allows a local attacker to gain system privileges on fully patched Windows 10 and 11 systems,
Starting point is 00:05:10 even with real-time protection disabled. The flaw exploits a timing gap in Defender's file scanning process, allowing an attacker to swap a scanned file with a malicious payload that executes with elevated privileges. A public proof of concept has been released, though Microsoft says it has not seen the vulnerability exploited in the wild. The flaw affects multiple versions of the malware protection engine and is fixed in the latest version, which updates automatically. Administrators should verify engine versions, restrict local administrative privileges, and monitor for suspicious file activity to reduce potential impact. More than 70 cybersecurity organizations have signed Crest's AI charter,
Starting point is 00:05:59 committing to nine principles for the responsible use of artificial intelligence in cybersecurity. The framework emphasizes accountability, transparency, documentation, human oversight, data sovereignty, security, secure AI development, supply chain risk management, and business continuity. Signatories pledge to disclose when AI is used, maintain audit trails, protect client data, and ensure qualified personnel retain final oversight of AI-driven decisions. The Charter also calls for securing AI tools throughout their lifecycle, managing third-party AI risks, and planning for AI-related disruptions. Crest said the principles were developed with industry input and reflect the growing role of AI, with nearly 70% of cybersecurity providers now
Starting point is 00:06:52 using AI daily. The organization hopes the charter will establish common industry standards and reduce the need for formal regulation while improving trust and interoperability. Ransom ISEC reports that a U.S. government entity, believed to be Union County, Ohio, paid the kairos cyber extortion group $1 million after attackers stole roughly two terabytes of data in a May 2025 breach. Negotiation records show the attackers reduce their demand from $3 million before payment was made in Bitcoin. The incident involved data theft and extortion, not file encryption. Ransom ISAC cautioned there is no reliable way to verify the attackers actually deleted the stolen data, despite providing proof of deletion artifacts.
Starting point is 00:07:47 Assurance America has disclosed a data breach affecting nearly 7 million individuals after attackers gained unauthorized access to its network in March of this year. The insurer said the intrusion began on March 16th by targeting an employee, allowing attackers to access parts of its IT environment and copy customer data.
Starting point is 00:08:09 Exposed information may include names contact details, insurance policy and claims information, driver and vehicle records, and driver's license numbers. After detecting the breach on March 17th, the company disabled compromised accounts, terminated unauthorized sessions, isolated affected systems, notified law enforcement, and strengthened security with password resets, enhanced monitoring, and employee training. Assurance America completed its review of impacted files in June, and is notifying affected individuals, advising them to monitor financial accounts
Starting point is 00:08:47 and report suspicious activity. Thousands of Sam-Kno's branded routers used in the Australian Competition and Consumer Commission's measuring broadband Australia program were remotely disabled after the initiative ended on June 30th, prompting criticism over unnecessary electronic waste. The routers distributed to volunteers, beginning in 20, to measure broadband performance, remained functional hardware, but were intentionally
Starting point is 00:09:18 bricked as part of the program shutdown. Volunteers were instructed to recycle the devices, although some users have successfully reflashed them with the open-source open WRT operating system to restore full router functionality. Critics argue Sam knows, or its parent company, Cisco, could have released a final firmware update instead of disabling the devices. Neither Samnose, Cisco, nor the ACCCC provided a clear explanation for the decision, despite concerns about avoidable e-waste. Israeli fintech company NIACs has disclosed a cybersecurity incident after detecting suspicious activity in a cloud account belonging to one of its subsidiaries. The company said the affected
Starting point is 00:10:08 account was immediately secured and emphasized that its production environment, payment processing systems, and business operations were not impacted. The incident follows online extortion claims threatening to publish allegedly stolen data on July 21st, though NIACS cautioned that cybercriminals often exaggerate such claims to pressure victims. The company is working with cybersecurity experts and law enforcement in Israel and the United States, while investigating the scope of any exposed data. NIAC said it does not currently believe material information was compromised, but will provide updates of significant findings emerge.
Starting point is 00:10:49 The disclosure was also reported to the U.S. Securities and Exchange Commission. Japanese telecom giant KDDI confirmed that a June cyber attack exposed the data of 12.2 million people after attackers exploited a zero-day vulnerability in software supporting the email infrastructure of five Internet service providers. Stolen data included email addresses and 7.6 million passwords, though KDDI's owned mobile and fixed-line email services were unaffected. The company says it removed the attackers, is coordinating password resets with affected providers, and is working on a patch and broader security improvements. Operation First Light, 26, a global anti-fraud initiative
Starting point is 00:11:41 coordinated by Interpol, led to the arrest of over 5,800 suspects, the identification of more than 15,000 suspects and 142,000 victims, and the seizure of $293 million in illicit assets, conducted between January and April across 97 countries and territories, the operation targeted social engineering scams, including romance fraud, business email compromise, and related money laundering. Authorities froze more than 31,000 bank accounts and numerous cryptocurrency wallets, while dismantling criminal networks in multiple countries.
Starting point is 00:12:22 One notable raid in Eswatini uncovered an elaborate impersonation scheme involving a fake Brazilian police station. Interpol said the operation also helped solve nearly 24,000 fraud cases and highlighted the value of international collaboration against cyber-enabled financial crime. Coming up after the break, Ben Yellen from the University of Maryland Center for Cyber Health and Hazard Strategies, explains the EU Cloud and AI Development Act,
Starting point is 00:13:01 and SlopFix fights fire with fire. Stay with us. AI is making fishing attacks faster, more convincing, and harder for people to spot, and traditional security awareness and fishing training weren't designed for this level of attack. Hoxhunt helped security teams prepare employees for the attacks they face every day with personalized fishing training that adapts to each employee and reduces risky behavior over time. For IT and security leaders looking to strengthen their human layer of defense, without adding more manual work, visit hoxhunt.com slash cyberwire to learn more.
Starting point is 00:13:52 That's h-o-x-h-U-N-T dot com slash cyberwire. This episode is supported by Black Hat USA. If you follow the research, you know a lot of it breaks on Black Hat stages. Hundreds of peer-reviewed briefings, more than 100 hands-on trainings, and the largest business hall in Black Hat's history. Six days to learn the skills. you'll need tomorrow. August 1st to the 6th. Use code Cyberwire for $200 off your briefings pass at blackhat.com. We'll see you in Vegas. It is always my pleasure to welcome back to the show, Ben Yellen.
Starting point is 00:14:47 He is from the University of Maryland Center for Cyber Health and Hazard Strategies and also my co-host on the caveat podcast. Hey there, Ben. Hey, Dave. Good to be with you. So on our recent episode of caveat, we were discussing the EU's efforts toward technological sovereignty, and I thought that would be a worthy conversation for our Cyberwire listeners as well. Can you just start off with a summary? What's the EU after here? Sure. So the European Union has proposed and is in the process of enacting something called the Cloud and AI Development Act. I read about this first in a story on the Lawfare block, which I'm sure we'll link to. Part of a new strategy on the part of the European Union through the European
Starting point is 00:15:29 Commission to achieve technological sovereignty. It is designed to reduce Europe's dependence on foreign and particularly U.S. cloud providers and strengthen European technology autonomy within their own jurisdictions. And I think you have to think broader than just technology here. We've seen this in other contexts where leaders of other Western democracies have talked very openly about the inability to rely on the United States as a provider of, X, Y, and Z. One of the speeches that I think was the major catalyst for this type of thinking was one that Canadian Prime Minister Mark Carney gave in front of the Davos conference in Switzerland, where he
Starting point is 00:16:11 talked about how, given what's happened with the Trump presidency and the fact that he was elected two separate times, countries need to prepare for the fact that they can't rely on the United States to be the provider of military technology or collective defense, that countries are going to have to assume sovereignty over these domains where they've been overly reliant on the United States. And one of those spheres is technology. And I think that's really the context that we need to understand why they're doing this. So basically they're worried about a couple of different risks here. The first is that we have our own Cloud Act, the U.S. Cloud Act, which allows U.S. authorities to access data held by American companies even when stored in the EU. So obviously that kind of
Starting point is 00:16:56 violates their sovereignty if our government can snoop in on data stored in the EU. And then this concern about a so-called kill switch where we issue sanctions or other government actions that prevent our companies from providing cloud services to European users, which would be a disaster. Like if the EU lost our cloud computing services, that makes up 70% of their cloud computing market. And so, yeah, it's going to be really difficult. Imagine if your cloud computing service preferred service of choice failed or was shut down and how much important data you'd lose. So they've come up with a framework where there are four sovereignty assurance levels going up from level one, which is lower risk.
Starting point is 00:17:48 For level one, data must be hosted in the EU and protected from foreign reporting requirements all the way up to the strictest standard, which is level four. requiring full independence from foreign controlled companies and high cybersecurity certifications. So this could have a big impact on the market in the United States for cloud computing, the ability for our big cloud computing companies to continue to do business in the European Union, and for just general diplomatic relations with the EU as they tried to establish these new spheres of sovereignty, this one being technological sovereignty.
Starting point is 00:18:24 And this goes beyond the Trump administration, right? I mean, this is kind of a recalibration of the global trading order. Is it fair to say since World War II? Yeah. I mean, I think we've been on a glide path, especially starting the past 45 years or so, to increase globalization, a common global market in the last 30 years, a free and relatively resistance-free Internet, where people in the United States can view things that are hosted on European servers.
Starting point is 00:18:59 And I think because of, you know, Trump might be the initial catalyst as somebody who has expressed these America-first ideals, somebody who is more protectionist when it comes to trade. But, yeah, it does go beyond them. I think European countries are recognizing that even if Trump leaves office, there's still this latent desire among a significant portion of the U.S. population to be more protectionist, to focus on U.S. companies,
Starting point is 00:19:27 to issue things like tariffs and sanctions, to protect U.S. companies at the expense of European companies. And that can include things like banning these companies from serving the European Union or being in the European Union market. So I think the fact that that movement exists in this country is inspiring the European Union to take action and to prepare for a world in which they can be self-sufficient without reliance on our technological resources.
Starting point is 00:19:54 Surely, if I'm one of the big U.S. cloud providers, I am letting the White House know that I'm not at all pleased about this. Do you think this administration has an open ear to those sorts of complaints? I think they definitely have an open ear. I mean, there have been a lot of concerns about this. Companies have expressed the concern, seeing this new EU initiative that they could be shut out from the European government's cloud market, even though there are some exceptions and derogations
Starting point is 00:20:25 that can allow U.S. providers to step in when there aren't adequate alternatives. But, yeah, I think they might have the ear of the White House. But as we've seen in things like the imposition of tariffs, sometimes the Trump administration is willing to go against big business interests, including cloud computing titans, I would guess. Even if some of these people have been his political supporters, and even if it would have an impact on U.S. markets. And even when Trump has been forced to back down, there could be a future president
Starting point is 00:20:55 who is not as keen to get cold feet when the stock market crashes, for example, and who might be more ideologically predisposed to maintaining these levels of separation. So, yeah, I mean, I can understand why there's a concern among these companies and why these companies would, if and when this law gets enacted,
Starting point is 00:21:17 face significant challenges, meeting some of these higher assurance levels. Ben Yellen is from the University of Maryland Center for Cyber Health and Hazard Strategies and my co-host on the caveat podcast. Ben, thanks so much for taking the time for us. Thank you. As organizations grow, so does complexity. New applications are deployed, vendors are granted temporary access,
Starting point is 00:21:54 and remote support tools are installed. Many of them never go away. In my recent conversation at RASC, 2026 with Rob Allen, chief product officer at Threat Locker, he explains how these forgotten tools create hidden pathways into enterprise environments and why attackers increasingly exploit what's already inside the network instead of trying to break through the perimeter. Learn how to reduce lingering access, shrink your attack surface, and implement zero trust more effectively by listening to the full conversation at explore. The Cyberwire.com slash threat locker.
Starting point is 00:22:36 This spring, denim gets a softer, lighter update. Introducing Old Navy's drapey denim wide leg, a new fit that moves with you. It's everything you want denim to feel like for summer. Easy, breathable, and effortlessly cool. With a fit that creates natural movement and a wide leg that feels modern, not overwhelming. Plus, that signature, wait, for this price? Moment. Old Navy's drapey denim wide leg.
Starting point is 00:23:02 Hey y'all, it's Kelly Clarkson with Wayfair. Ever order furniture online and wonder what if? Like, what if it doesn't hold up? That sofa was four days old. You should have ordered from Wayfair. With Wayfair, there's no what if. Just style you love and quality you can trust. Visit Wayfair.Care. Every style, every home. And finally, in what may be the most delightful circular startup idea of the year, a company called Slop Fix has built a business around cleaning up AI generated code. using AI coding agents to do the cleaning. For a starting fee of $10,000 a week, its engineers promise to shrink bloated code bases while preserving functionality. They get paid based on how much code they delete.
Starting point is 00:23:53 Before touching a project, SlopFix documents every screen and endpoint as a regression checklist, then delivers a leaner code base, guardrails to prevent future bloat, and a two-week warranty. The timing is no accident. Get Clear reports. Duplicated code has surged 81% since 2023, while refactoring has nearly disappeared, as AI-generated vibe coding increasingly produces sprawling, repetitive software.
Starting point is 00:24:24 Slop Fix's premise is simple. Use AI to clean up AI's mess. And that's The Cyberwire. For links to all of today's stories, check out our daily briefing at the Cyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey and the show notes or send an email to Cyberwire at N2K.com. N2K's lead producers Liz Stokes were mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazis.
Starting point is 00:25:20 Our executive producer is Jennifer Ibn. Peter Kilpsey is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.