
Loading summary
A
Cybersecurity Today is brought to you by nordlayer. Teams today work across multiple tools and devices, but security often remains fragmented, and this is exactly what Nord Layer can help you address. Nord Layer gives your company centralized control over access by individuals and teams and keeps connection secure from anywhere with no additional hardware required. Visit Nordlayer.com cybersecurity today and use the discount code NLSUMMER26 for a special discount on your purchase.
B
ShareFile Customers told to pull the plug on Risky Server, a ransomware negotiator learns the price of playing both sides Dutch police have a hacker's voice and they're threatening to release it. A new extortion crew talks its way into SharePoint, and another insurance breach leads to leaked driver's licenses. This is Cybersecurity Today, and I'm your host David Shipley. Let's get started. Progress Software has ordered customers running ShareFile storage zone controllers to shut them down immediately, not patch the servers. Shut them down. The emergency email went out Thursday night titled Service Disruption Immediate Action Required. Progress says it's facing a credible external security threat targeting the on premise component of its file sharing platform. The company has already disabled cloud access for affected accounts, but it says that's not enough. Customers must manually power down the Windows servers hosting their controllers as a critical additional step to ensure the safety of your data system. Administrators on Reddit report widespread shutdowns as the order landed. Here's what the storage zone controller does. Most ShareFile customers run cloud only, and they're not affected. But organizations with data residency or regulatory requirements can deploy a controller on their own infrastructure, keeping files local while sharefiles Cloud handles authentication and sharing. That makes the controller Internet facing. By design, it's useful, but it's also exposed. What Progress hasn't said so far is telling. No CVE has been specifically tied to this incident, no description of the threat, and no timeline for restoration. When a vendor has a fix, it tells customers to patch a shutdown order suggests there isn't a fix yet, or that it may not be fully even understood. And there's a risk here that there's something going on that's more than what a patch alone can fix. This same controller has had two critical chainable flaws, an authentication bypass and unauthenticated remote code execution. Both were disclosed in April and since patched. Some threat intelligence reports are linking this shutdown to those bugs, but Progress hasn't confirmed any connection. You may remember the name Progress Software. It's the owner of MoveIt, whose 2023 0Day Let the Clop gang raid more than 2,700 organizations. Progress says it has no indication of unauthorized access to accounts or data tied to this issue and is promising further updates. If you're running one of these sharefile storage zone controllers, get them turned off if you haven't already. A man many companies hired to talk them out of ransomware disasters or was secretly working for the other side and now he's going to prison for nearly six years Angelo Martino, a former ransomware negotiator at Chicago based Digital Mint, was sentenced Thursday to 70 months in prison. His job was to negotiate ransoms down for victims. Instead, prosecutors said he fed the Black Cat ransomware gang operators his clients confidential negotiating positions and and insurance policy limits so the criminals could squeeze out the maximum payment, then cut him in on the proceeds. Five victims he represented paid a combined $75 million, including a non profit that handed out over $27 million. Federal prosecutors call him a double agent. Their sentencing memo put it plainly, this wasn't a crime of opportunity. It was a sustained abuse of trust and it was driven by greed. Martino didn't stop at sabotaging negotiations. He also teamed up with two other incident response professionals, one from Digital Mint and one from Signia, to deploy Black Cat ransomwares themselves against more than five American companies. Both co conspirators got four years each earlier this spring. The government has seized $10 million from Martino so far, including cryptocurrency vehicles, a food truck and a luxury fishing boat. A restitution hearing is set for September 17th. Dutch police say they know what the Ododo hacker sounds like and he has a few weeks to turn himself in before the whole country hears what he sounds like. The February breach at Dutch telecom company Odido exposed personal data on 6.2 million customers names, addresses, bank account numbers, passport and license details. The Shiny Hunters gang claimed the attack and leaked the data in waves after Odido refused to pay a 1 million euro ransom. Now police say the intrusion started with a phone call. Shortly before the hack, a Dutch speaking man called Odido's customer service. Posing as one of the company's own IT employees. He talked the staff into a phishing site and gathered their credentials. Investigators have analyzed the recording and believe the voice is genuine and local. They suspect the perpetrators have talked about the hack online or within their own circles, and they're asking anyone who knows something to come forward. As for the caller himself, police are strongly urging him to walk into a station voluntarily and turn himself in if he doesn't, the recording they have goes public. A new extortion crew is stealing corporate data without dropping a single piece of malware and without ever asking anyone for a password. Researchers at ReliaQuest have profiled the group, which they're calling Helix. The Playbook starts with a phone call. In one confirmed case, the caller impersonated the victim's own manager by name with spoofed caller ID and walked the employee through entering a device code into Chrome. The employee never typed credentials into a fake page. They authenticated using Microsoft's own real infrastructure. The attacker just walked away with the session token. From there, Helix registers its own authenticator app for persistence, then gets to work on SharePoint, enumerating everything the account can reach and bulk downloading it from dedicated infrastructure. The stolen files then become part of the extortion demand. ReliaQuest believes Helix likely grew out of the Black File and Shiny Hunters ecosystem, the same vishing first world behind the Odido breach. We just covered the brands change, the phone call tactics stay the same. The most important thing that organizations can do to defend against this disable device code authentication if you don't need it. In Microsoft 365, you can also do things like restricting SharePoint to managed devices and blocking newly registered domains. Don't forget this is also where security awareness education plays a critical role. Another week, another mountain of driver's licenses lands in criminal hands. US insurance provider Assurance America has confirmed a breach affecting 6.99 million people, the largest known spill of American driver's licenses so far this year. The company found hackers inside ITS systems on March 17. The investigation wrapped on June 15. Stolen data includes names, contact information, license numbers, and details on policies, vehicles and claims. Here's how they got in Assurance America says the attackers targeted one of its employees, and the company disabled the compromise credentials. It hasn't said exactly how those credentials were stolen. TechCrunch asked the CEO whether the company had had contact with the hackers or had paid a ransom. They've had no response so far. And that's Cybersecurity today for Monday, July 13th. I'm on the road this week in beautiful Frisco, Texas, for the exchange Security Conference. If you're at the event, please do drop by to the Boseron booth and say hi. Thanks for listening. Do. And if you like the show, please let us know. You can drop us a note@technewsday.com or CA, or you can leave a note under the YouTube video. I'll be back on Wednesday with the
A
Latest Headlines Once again, we'd like to thank Nordlayer for their support in sponsoring this show. Teams today work across multiple tools and devices, but security often remains fragmented. This is exactly what NORD Layer can help you address. It provides a network security platform with easy to manage network access, monitoring and control, and without additional hardware or complex infrastructure. Nordlayer helps businesses of all sizes manage and secure access to company resources, going beyond what traditional VPNs can offer. And it provides encrypted connectivity with visibility across your entire network environment. And did we mention no new hardware required? Visit nordlayer.com cybersecurity today and use the code NL Summer 26 for a special discount during their summer sale.
Host: David Shipley
Episode: ShareFile shutdown, double-agent ransomware negotiator sentenced, Helix uses vishing
Date: July 13, 2026
In this episode of Cybersecurity Today, host David Shipley delivers the latest updates on urgent cybersecurity incidents impacting businesses worldwide. Shipley dives into emergency actions demanded of ShareFile customers, the shocking sentencing of a double-agent ransomware negotiator, police leveraging unusual tactics after a massive Dutch telecom data breach, the emergence of a new malware-free extortion crew called Helix, and a record-breaking insurance data breach. The episode emphasizes the escalating sophistication of threat actors and highlights actionable defense strategies for organizations.
[00:37 - 02:55]
[02:56 – 04:28]
[04:29 – 05:40]
[05:41 – 07:03]
[07:04 – 08:23]
“Not patch the servers. Shut them down.”
— David Shipley [00:44]
“If you’re running one of these ShareFile storage zone controllers, get them turned off if you haven’t already.”
— David Shipley [02:51]
“This wasn’t a crime of opportunity. It was a sustained abuse of trust and it was driven by greed.”
— David Shipley quoting prosecutors [03:42]
“Police are strongly urging him to walk into a station voluntarily and turn himself in. If he doesn’t, the recording they have goes public.”
— David Shipley [05:30]
“The attacker just walked away with the session token.”
— David Shipley [06:17]
“Don’t forget this is also where security awareness education plays a critical role.”
— David Shipley [07:00]
This week’s episode of Cybersecurity Today demonstrates the ever-evolving tactics and increasing boldness of cybercriminals, while highlighting the crucial role of rapid communication, internal controls, user awareness, and process changes in defending against high-profile threats. Listeners receive not just headline news, but practical remediation advice for emerging cyber risks.