CyberWire Daily - Your signal is showing.
Episode Date: April 23, 2026
Researchers expose covert telecom surveillance campaigns. Lawmakers push new national privacy rules. China-linked actors hide inside compromised device networks. A ransomware forum leak reveals a criminal marketplace. GopherWhisper blends into cloud services for espionage. Attackers poison AI with hidden web prompts. Apple patches lingering notification data. macOS admin tools become attacker pathways. CISA orders urgent fixes for a Microsoft Defender zero-day, and their Director nominee withdraws. Our guests today are Johnny Hand and Dustin Childs, hosts of TrendAI's AI Security Brief podcast. A meteorological mystery meets market manipulation.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
Introducing the AI Security Brief podcast. Our guests today are Johnny Hand and Dustin Childs, hosts of TrendAI's AI Security Brief podcast. They join Dave to introduce their new show on the N2K CyberWire Network. You can find their first episode here and catch new episodes every other Thursday on your favorite podcast app.
Selected Reading
Surveillance vendors caught abusing access to telcos to track people's phone locations, researchers say (TechCrunch)
Committees on Energy and Commerce and Financial Services Introduce Pair of Privacy Bills to Establish Comprehensive Data Protections for All Americans (Energy Commerce)
International cyber agencies share fresh advice to defend against China-linked covert networks (NCSC)
RAMP Uncovered: Anatomy of Russia's Ransomware Marketplace (Security Affairs)
New GopherWhisper APT group abuses Outlook, Slack, Discord for comms (Bleeping Computer)
Hackers Use Hidden Website Instructions in New Attacks on AI Assistants (Hackread)
Apple fixes iPhone bug that let FBI retrieve deleted Signal messages (CVE-2026-28950) (Help Net Security)
Bad Apples: Weaponizing native macOS primitives for movement and execution (Talos Intelligence)
CISA orders feds to patch BlueHammer flaw exploited as zero-day (Bleeping Computer)
Trump's pick to lead CISA withdraws nomination after months of political impasse (POLITICO)
A Hair Dryer May Have Gamed a Paris Weather Sensor for $34,000 on Polymarket (Bitcoin News)
Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
No, it's not your imagination.
Risk and regulation really are ramping up,
and these days customers expect proof of security before they'll even do business.
That's where Vanta comes in.
Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform.
So whether you're getting ready for a SOC 2 or managing an end-to-end
enterprise governance, risk, and compliance program, Vanta helps keep you secure and keeps your deals
moving. Companies like Ramp and Writer spend 82% less time on audits with Vanta. That means less
time chasing paperwork and more time focused on growth. For me, it comes down to this. Over 10,000
companies, from startups to large enterprises, trust Vanta to help prove their security. Get started at vanta.com
slash cyber.
Researchers expose covert
telecom surveillance campaigns.
Lawmakers push new national privacy rules.
China-linked actors hide inside
compromised device networks.
A ransomware forum leak reveals a criminal
marketplace. GopherWhisper
blends into cloud services for espionage.
Attackers poison AI with hidden web prompts.
Apple patches lingering notification data.
macOS admin tools become attacker pathways.
CISA orders urgent fixes for a Microsoft Defender zero-day, and their director nominee withdraws.
Our guests today are Johnny Hand and Dustin Childs, hosts of Trend AI's AI Security Brief
podcast. And a meteorological mystery meets market manipulation.
It's Thursday, April 23rd, '26. I'm Dave Bittner, and this is your Cyberwire Intel Briefing.
Thanks for joining us here today.
It's great, as always, to have you with us.
Security researchers have uncovered two covert surveillance campaigns
exploiting telecom signaling weaknesses to track individuals' locations worldwide.
Citizen Lab reports the operators posed as legitimate cellular providers
and abused access to global signaling systems to query subscriber location data.
The campaigns exploited vulnerabilities in Signaling System 7, or SS7,
and in Diameter, a newer protocol sometimes deployed without full protections.
Researchers identified repeated use of infrastructure linked to O-19 Mobile, Tango Networks UK, and Airtel Jersey.
One campaign also used Simjacker-style hidden SMS commands against a high-profile target.
Continued signaling-layer abuse shows global mobile infrastructure still enables covert
tracking at scale, creating persistent exposure for executives, activists, and government officials
despite known risks.
House Republicans have introduced two coordinated bills aimed at expanding nationwide privacy protections
and strengthening consumer control over financial and personal data.
The Secure Data Act would establish a national privacy and data security standard,
create rights to access, delete, and limit use of personal data
and require consent for processing sensitive information.
It would also impose disclosure and minimization requirements
on companies and data brokers
with enforcement by the Federal Trade Commission and State Attorneys General.
The Guard Financial Data Act would modernize the Gramm-Leach-Bliley Act
by requiring opt-in consent before sharing sensitive financial data
and allowing customers, including former customers, to access or delete stored information.
The proposals signal a coordinated effort to reshape U.S. privacy governance and increase
accountability for organizations handling sensitive consumer and financial data.
International cybersecurity agencies warn that China-linked threat actors are increasingly
using covert networks of compromised devices to disguise their operations and evade detection.
The UK National Cyber Security Centre, part of GCHQ, and 15 international partners
released joint guidance describing how attackers exploit vulnerable edge devices,
such as home routers and smart devices, to route malicious traffic, steal data,
and maintain persistent access to critical sectors.
The advisory also highlights indicator of compromise extinction,
where forensic clues disappear quickly,
complicating detection and response.
Experts say defenders must shift toward intelligence-driven monitoring
and stronger baseline protections
as attackers scale infrastructure designed to obscure attribution
and persistence across global networks.
A leaked database from the RAMP cybercrime forum
is offering rare insight into how ransomware operations function
as structured criminal marketplaces,
rather than isolated attacks.
According to Comparitech's analysis,
the leak includes records spanning November 2021 through January 24,
covering over 7,700 users, over 1,700 forum threads,
more than 340,000 IP logs, and nearly 1900 private conversations.
The forum supported access sales to compromised corporate networks,
ransomware-as-a-service recruitment, and deal negotiations in private messages.
Listings targeted organizations across more than 20 countries,
with the United States appearing in 40% of identified cases.
The data illustrates how specialization across access brokers,
malware operators, and affiliates enables ransomware campaigns to scale faster
and become harder for defenders to disrupt.
Researchers have identified a previously undocumented threat actor called GopherWhisper,
using legitimate cloud platforms to conduct espionage against government targets.
According to ESET, the group has operated since at least 2023 and deployed a Go-based malware toolkit
against a Mongolian government entity, compromising 12 systems and likely dozens more victims globally.
The tool set includes multiple backdoors that use Slack, Discord, and the Microsoft Graph API
through Microsoft 365 Outlook for command and control,
plus a custom exfiltration utility that uploads stolen data to file.io.
Analysis of command activity patterns and metadata linked the activity to China.
Blending command traffic into trusted enterprise services complicates detection,
and enables persistent access across sensitive government environments.
Researchers warn that attackers are actively using indirect prompt injection techniques
to manipulate large language models through hidden instructions embedded in ordinary websites.
Forcepoint X-Labs reports threat actors concealed commands in web content
using hidden text, metadata, and styling tricks that AI agents can read,
but users cannot see.
Telemetry identified 10 live cases in April
involving actions such as API key theft,
fraudulent payment attempts, denial of service behavior,
and data deletion commands.
Researchers say the technique exploits LLMs' inability
to distinguish between data and instructions
when processing external content.
Organizations deploying AI assistants
or coding agents may face new risks if models execute hidden web instructions as trusted commands
during routine browsing or automation tasks.
Apple has released security updates for iPhones and iPads to fix a notification logging flaw
that allowed deleted app notifications to remain stored on devices.
The vulnerability affected notification services and was addressed with improved data redaction
in iOS and iPadOS updates.
Signal confirmed the flaw enabled authorities
to recover message notification content
even after the Signal app was deleted,
though Apple said it has no evidence of active exploitation.
Residual notification data can expose sensitive communications
even after apps are removed,
highlighting risks in mobile notification storage.
Researchers at Cisco Talos warn
that attackers can exploit
built-in macOS administrative features to move laterally and execute code across enterprise environments
without traditional malware. The study shows adversaries can repurpose native capabilities
such as remote application scripting, AppleScript, Spotlight metadata, and common utilities
including SSH, socat, netcat, and SNMP to deliver payloads, transfer tools, and maintain
persistence. Techniques include storing malicious code in Finder metadata and using legitimate inter-process
communication channels that evade typical endpoint detection telemetry. Researchers say these
living off-the-land methods exploit gaps in macOS monitoring compared with Windows environments.
Growing enterprise macOS adoption increases exposure to stealthy attacks that blend into normal
system activity and bypass conventional detection controls.
CISA has ordered U.S. federal agencies to patch a Microsoft Defender privilege escalation
vulnerability, exploited in ongoing zero-day attacks, within two weeks. The flaw allows low-privileged
local attackers to gain SYSTEM access on unpatched devices. Microsoft released fixes on April
14th, and Huntress reported evidence of hands-on-keyboard intrusion
activity linked to the vulnerability. CISA added the issue to its Known Exploited Vulnerabilities
catalog with a May 7th remediation deadline. Additionally, Sean Plankey has withdrawn his nomination
to lead CISA after more than a year without Senate confirmation. Plankey notified Homeland Security
leadership and the White House that the Senate would not advance his nomination, which had been pending
since March 2025, despite clearing committee review.
His withdrawal follows reported opposition tied to an unrelated Coast Guard shipbuilding dispute
and comes amid broader leadership turnover at CISA.
Coming up after the break, my conversation with Johnny Hand and Dustin Childs, hosts of Trend
AI's new AI Security Brief podcast, and a meteorological mystery meets market manipulation.
Stay with us. Quick question. Have you watched Project Hail Mary yet? Humanity is facing an existential threat
and racing to solve it with the clock ticking. For security teams, that probably hits close to home
with AI use rapidly spreading. Everyone's using AI: marketing, sales, engineering, Chris the
intern, without security even knowing about it. That's where Nudge Security comes in. Nudge finds
shadow AI apps, integrations, and agents on day one, and helps you enforce policy without blocking
productivity. Try it free at nudgesecurity.com slash cyberwire. Maybe that's an urgent message from your
CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social
engineering defense platform fighting back against impersonation and manipulation. As attackers use AI
to make their tactics more sophisticated,
Doppel uses it to fight back,
from automatically dismantling cross-channel attacks
to building team resilience and more.
Doppel, outpacing what's next in social engineering.
Learn more at doppel.com.
That's D-O-P-P-E-L.com.
Johnny Hand and Dustin Childs are hosts
of Trend AI's brand-new AI Security Brief podcast
right here on the N2K Cyberwire Network.
I caught up with Johnny and Dustin for insights and a sneak peek at the show.
Well, Johnny and Dustin, welcome to the show.
It's great to have both of you with us here, and I appreciate you taking the time.
No problem. Happy to be here.
Yeah, thank you.
Well, let's start out by learning a little bit about both of you.
Dustin, can I start with you?
Where did you get your start and what led you to where you are today?
Oh, wow.
That's going to take me back.
So I actually got my start in infosec back in 1990,
believe it or not, when I was assigned to the Air Force unit designed to catch hackers.
So that's where I, you know, learned everything back on ancient systems and everything else
when we were happy to catch a port scan.
But from there, I did that quite a while, worked for the government,
then moved to Microsoft as part of their Microsoft Security Response Center.
I did patch Tuesday for about seven or eight years.
And, you know, did a lot of different things to take you back.
If you remember Conficker, Stuxnet,
a lot of those were my cases where I was a program manager for that
and getting those updates out the door.
And then at the beginning of 2015, I joined the Zero Day Initiative
and have been here ever since.
It's a lot more fun on this side,
receiving bugs and paying for bugs and running Pwn2Own
than it is trying to fix everything.
So, yeah, that's kind of been my journey in a real quick step.
So it's been a lot of really actionable stuff,
a lot of learning over the years.
So it's been really great.
No, that is quite a journey.
Johnny, how about you?
Very similar to Dustin.
I started out in the U.S. Navy as a technologist and have pretty much been tasked with deploying and securing technology pretty much across every type of environment.
Of course, obviously naval ships, but I started working back in 2006 more focused on information security as an information assurance manager for the command that I was at and then just fell in love with cyber operations
in general, moved around a little bit in the Navy and had experience to go as a technologist
and as a leading technologist with the Naval Special Warfare Development Group, so working
with SEAL teams and special operations, and then transition from there into the Navy Cyber Defense
Operations Command, really focusing on defensive cyber operations at scale for the DOD.
And then once I got out of the military, I moved into the higher education space, had the
opportunity to build a security program and start leading technology initiatives in the university
landscape, which is definitely more interesting in many ways, especially from the viewpoint of having
a large international student population. So it's always an interesting environment to secure
and then just really fell in love with the operations there and building out programs.
And now have made the switch from being a customer of Trend AI into focusing on adoption and
really innovation around AI.
Well, the podcast is AI security brief.
Let's start with some high-level stuff here.
What prompted the creation of the show?
I think as Trend Micro
transitioned into Trend AI,
we wanted to kind of highlight some of the work we're doing
and we wanted to see what work others were doing,
not only just for our knowledge and notification,
but to give our listeners some actionable stuff.
There's so much hype around AI,
and there's so little actionable takeaways
that people really understand.
So we're looking to bridge that
and give an opportunity for real practitioners
in the AI space
to give CSOs and other security leaders
things that they can really do
and understand about how to defend their environment
from potential AI threats
and then how to use AI to defend their environment as well.
So I think from my perspective,
Johnny, I hope you chime in here as well.
But that's really, I think,
the goal of the podcast.
Yeah, it's a great focus, too, because I think that the ground has shifted for many of the
security practitioners.
And it's honestly really hard to keep up with the pace of innovation, but also the pace that the threat actors and
adversaries are using AI against us as well.
So we really wanted to take an approach where we looked at the innovation and really celebrated
the innovation, but also looked at the opportunities to give, like Dustin said, those really
foundational opportunities to secure your environment against the innovation that's happening at scale.
You know, one of the things that I really enjoy about your show is in a world where there is so much
noise around everything AI, you're having real conversations with real leaders in the space.
Can you dig into that a little bit for me, Johnny? Who are the folks that you're talking to?
When we started looking at the podcast as an opportunity to connect not only the challenges of
today, but like where we're leading. You know, we often talk about this is being for those security
leaders that are looking, you know, out into the future, getting six months ahead of, of what's
coming next. And so in order to do that, we're not just focused on, you know, the C-suite leaders,
you know, like many people talk to. I think we've looked across and we want to talk to practitioners.
We want to talk to those that are in the trenches every day, but also those that are at the board
level that are being pressured in many ways to adopt AI and innovate.
And ultimately, the conversations are centered around building confidence so that they can be
excited and feel competent to innovate.
So we're looking at and having those conversations with threat researchers and law
enforcement and the security leaders, those CSOs, but also just looking across the
the landscape at everyone that has a touch point involved with AI security.
Dustin, from your point of view, what's the value proposition here?
What are you hoping people come away from the show with?
Well, I think the number one thing is we want listeners to finish an episode thinking,
"I just learned something I want to share with my team,"
or "I just learned something I want to go have a further conversation about with the people
who I work with and how it impacts us."
So whether it's where the AI threat landscape is heading or actually,
advice that they can take and use immediately or clarity on just what is the latest thing that
marketing is pitching to us that we need to really understand, but how to connect the AI security
risk to business in a way that gets the board to listen. And that's really what I'm hoping
that the listeners will take away. Well, let's give our listeners a little preview here. I know
you have a few episodes ready to roll here as the show launches. Can you give us a little sneak peek
at what we can expect to hear?
Sure. Our first one is "How Does AI Change the Economics of Cybercrime?" And that features Bob McArdle. He's the director of cybercrime research at Trend AI. And he has been working with law enforcement on cybercrime for over 20 years. He gave a talk at RSA about how AI is affecting the cost of cybercrime. And spoiler alert, it's lowering the cost. So the criminal service economy is being rebuilt around AI. And it's perfectly structured for it. So we have this great conversation
about where the cybercrime folks are using AI and some actual items that people can do knowing that this is coming.
Johnny, you want to pick up with us what else we have to look forward to?
Yeah, we also had great conversations with Ashish Rajan, who is a CISO, author, and host of Cloud Security Podcast.
He's also a co-host of the AI Security Podcast. So really great conversation and a practical conversation, because we talked about the viability of the fact that really,
anyone can code now using AI and how that's going to impact the SaaS applications and the
different secure applications that we have. And he did a really great job of diving into that
subject and really talking about the impact that vibe coding and those components are going to
have on the SaaS industry. Yeah, I saw another one of your upcoming episodes that has to do with
AI and who's responsible when AI can make mistakes. Dustin, what can we look forward to there?
Yeah, our next episode is entitled "Who's Responsible When AI Starts Making Mistakes?"
And it features Sush and Jane, who's the president and CEO of Vinta Security.
And it really looks at how do you talk to your board about the technical risk in a way that can translate into budgets for you to actually manage that risk?
Johnny, who do you suppose your target audience is here?
Who are you trying to reach?
Our focus is really on those security leaders that are really struggling
with adoption, trying to understand how to secure the AI that's in their environment.
So we're focused on security leaders at the CSO level, those CIOs, those CTOs, that are really
trying to get their hands on what's happening, what's innovation at scale, and how can they
secure that.
All right.
Well, the show is AI Security Brief.
That is from Trend AI, and the hosts are Dustin Childs and Johnny Hand.
Gentlemen, best of luck with the new show.
And thanks so much for taking the time for us.
You're very welcome and thank you for having us.
Yep, thank you.
We've got a link to the first episode of the AI Security Brief podcast in our show notes.
You can catch new episodes every other Thursday on your favorite podcast app.
Local news is in decline across Canada, and this is bad news for all of us.
With less local news, noise, rumors, and misinformation fill the void, and it gets harder to separate truth from fiction.
That's why CBC News is putting more journalists in more places across Canada,
reporting on the ground from where you live,
telling the stories that matter to all of us,
because local news is big news.
Choose news, not noise.
CBC News.
The Mattamy Homes Bike for Brain Health supporting Baycrest returns
on May 31st for its fifth anniversary
with a new start and finish at the Aga Khan Museum.
Join thousands of cyclists as we take over the DVP
and Gardiner Expressway in support of dementia research and brain health.
Riders of all abilities are welcome, and both regular bikes and e-bikes can participate.
Bring your friends, family, or corporate team, and make an impact.
Register today at fightforbrainhealth.ca.
And finally, French authorities are investigating unusual temperature spikes at a Paris airport weather sensor,
after anomalies aligned with roughly $34,000 in prediction market payouts.
Météo-France filed a complaint following two
brief readings above 22 degrees Celsius at Charles de Gaulle Airport on April 6th and April 15th,
each resolving Polymarket wagers in bettors' favor. Meteorologist Paul Marquis said nearby stations
showed no matching changes and concluded physical intervention with a heating device was the most plausible
explanation. Polymarket later switched its Paris temperature data source to Le Bourget Airport.
Markets that rely on a single physical sensor create incentives to influence that sensor,
turning routine weather instrumentation into an unexpectedly lucrative target for creative forecasting.
And that's the Cyberwire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights to keep you a step ahead in the rapidly changing world
of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's lead producer is Liz Stokes. We're mixed by Tré Hester with original music and sound
design by Elliott Peltzman. Our contributing host is Maria Varmazis.
Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here
tomorrow. Sorry. Investing, trading, that isn't a personality. You don't need the voice. You don't need the
jargon. You don't need the podcast. You already know how to trade. You've done it your whole life.
And TD Easy Trade taps into that instinct so you can build something real. No minimums, no monthly fees,
24-hour support, no investor personality required. Because you are made to trade. And TD Easy Trade is made to
help. Download it now.
