A
You're listening to the Cyberwire Network powered by N2K. Do you know how the space and cybersecurity domains connect? T minus Space Cyber Briefing is your guide through the space based systems that expand the attack surface. I'm Maria Varmazis host here at N2K CyberWire and I'm excited to share that T Minus is back now as a weekly podcast, the T Minus Space Cyber Briefing. We have a new dedicated focus on two great things that are even better together. Space and cybersecurity. Because whether we realize it or not, we all depend on space based systems that are, by the way, increasingly Internet enabled. We're talking cybersecurity technologies, policies and organizations that are securing the critical space based infrastructure that powers, protects and connects our lives here on Earth. So join me for T Minus Space Cyber Briefing, new episodes every Sunday.
B
No, it's not your imagination. Risk and regulation really are ramping up, and these days customers expect proof of security before they'll even do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI-powered platform. So whether you're getting ready for a SOC 2 or managing an enterprise governance, risk and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me, it comes down to over 10,000 companies from startups to large enterprises. Trust Vanta to help prove their security. Get started at vanta.com/cyber. A major takedown disrupts the Glassworm botnet. The White House rewrites federal cyber logging rules as CISA faces cuts amid rising AI threats. Federal agencies ramp up scrutiny of so-called anti-tech extremism. GCHQ warns Russia is targeting UK infrastructure. Researchers uncover stealthy new malware. We got AI coding agent supply chain risks and in-person extortion tactics targeting US law firms. Europe grabs satellite spectrum. Ben Yellen joins us to discuss the bipartisan push for more support of CISA. And hacking your way to the main stage. It's Wednesday, May 27, 2026. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us. Cybersecurity firm CrowdStrike says the Glassworm botnet, active for more than six months, has been disrupted through a coordinated takedown with Google and the Shadowserver Foundation. Glassworm used a resilient command and control structure built on the Solana blockchain, BitTorrent, Google Calendar and commercial VPS servers. The malware spread through Trojanized Visual Studio extensions, GitHub repositories and compromised Python packages.
It stole developer credentials, targeted cryptocurrency wallets and enabled remote access on infected systems. CrowdStrike says the operators continuously evolve their tooling and infrastructure to resist disruption efforts. Attackers increasingly target developers and software supply chains rather than end users directly. CrowdStrike warns that weak developer environments and build pipelines can expose every organization consuming affected software. The Trump administration has rescinded a 2021 federal cybersecurity logging directive introduced after the SolarWinds breach, replacing it with a more targeted risk-based framework focused on detection and incident response. The updated guidance from the Office of Management and Budget emphasizes continuous monitoring, threat hunting, forensic investigations and rapid response capabilities. OMB Director Russell Vought said the previous requirements generated large volumes of costly data with limited defensive value. The new framework also expands logging guidance to Internet of Things and operational technology systems, while directing CISA and federal partners to develop a government-wide logging architecture aligned with zero trust modernization efforts. The policy reflects growing concern that adversaries are using automation and AI to accelerate attacks beyond the pace of traditional monitoring systems. Agencies will now retain logs in searchable form for six months and retrievable form for one year. Newly obtained intelligence documents reviewed by Wired show federal agencies and fusion centers increasingly monitoring activists, protesters and online communities under a developing category described as anti-technology extremism. The reports, circulated by the Department of Homeland Security, the FBI and regional fusion centers, cite concerns about protests tied to artificial intelligence, data center construction and anti-corporate sentiment.
Some assessments warn that unrest linked to AI adoption could evolve into violence targeting critical infrastructure or technology executives. The documents also reference monitoring of public demonstrations, online forums and constitutionally protected gatherings opposing data centers and AI expansion. Civil liberties advocates warn the category is broadly defined and could sweep in peaceful protesters, AI skeptics and environmental activists alongside individuals advocating violence. Federal officials maintain the focus remains on threats involving criminal activity or national security concerns. In her first public speech as director of GCHQ, Anne Keast-Butler warns that the UK faces a moment of consequence as Russia intensifies cyber and hybrid threats against critical infrastructure, supply chains and democratic institutions. Keast-Butler says GCHQ is working with intelligence and defense partners to counter cyberattacks, sabotage and espionage linked to Moscow, while also warning about China's growing technological and cyber capabilities. She stresses that advances in artificial intelligence are rapidly reshaping the threat landscape and narrowing the UK's strategic advantage. Her speech also calls for stronger cybersecurity practices across government, industry and households. The Cybersecurity and Infrastructure Security Agency is entering the AI era with reduced staffing, budget cuts and a diminished role in the federal government's response to emerging AI-enabled cyber threats, according to reporting from Axios. Since early 2025, CISA has reportedly lost roughly one third of its workforce through buyouts and funding reductions. Industry and former government officials warn the cuts have weakened the agency's ability to coordinate with critical infrastructure operators and respond to increasingly sophisticated threats from advanced AI models.
Sources also told Axios that CISA has taken a secondary role in White House discussions surrounding cybersecurity risks tied to frontier AI systems. Former officials argue the agency would traditionally play a central role in shaping national cyber policy and coordinating vulnerability management across government and industry. Later in the show, I'm joined by Ben Yellen to discuss the bipartisan push for more CISA funding. Europe is moving to reserve most of a valuable satellite spectrum band for European operators, setting up a potential clash with Washington over the future of space-based connectivity and tech sovereignty. The proposal could limit access for US companies like SpaceX and Amazon while boosting Europe's own satellite ambitions. Our contributing host Maria Varmazis joins us with more on the growing geopolitical battle over who controls the skies.
A
Thanks, Dave. As much as data sovereignty is a critical topic in the European Union right now, so too is its companion concern, space sovereignty. That concept encompasses access to radio frequency spectrum bands, and there is only so much RF spectrum to go round. That's physics for you. So it is a major development in European space sovereignty, with news reported by Politico and Reuters this week that the European Commission is moving to reserve most of a valuable satellite spectrum band for primarily European operators when current licenses held by US-based operators Viasat and EchoStar expire in 2027. The proposal would divide the frequencies into three 10 MHz blocks over the next 20 years: one block for secure EU government communications and the EU's IRIS² satellite Internet constellation, another block for European startups, and the last block would be open to either European or foreign companies. There is also discussion of making the EU-exclusive spectrum open to EU-adjacent countries like Norway and the UK. Should this plan come to fruition, it would sharply limit spectrum access for US operators like SpaceX and Amazon, both of which are fast increasing their global presence with Starlink and Amazon LEO and acquiring access to spectrum bands to make that happen. EU officials say that their plan of reallocating the band to prioritize EU access is necessary for European technical sovereignty and secure Internet connectivity. But squeezing out U.S. competition could provoke retaliation from the United States just as the EU and US seem to be nearing finalization of a new trade deal. For the CyberWire Daily, I'm Maria Varmazis from T-Minus Space Cyber Briefing. Back to you, Dave.
B
Be sure to subscribe to the T-Minus Space Cyber podcast wherever you get your favorite shows. Researchers at Fortinet FortiGuard Labs have identified a phishing campaign distributing a PureLogs malware variant designed to steal credentials, cryptocurrency wallet data, browser sessions and other sensitive information. The campaign used purchase order themed phishing emails containing malicious RAR archives with obfuscated JavaScript files. Once executed, the malware launched PowerShell scripts using process hollowing to inject code into Microsoft's MSBuild process and downloaded additional modules directly into memory. FortiGuard says the malware relied on layered encryption, fileless execution, and dynamic plugin delivery to evade traditional detection methods. The malware targeted browser credentials, Discord tokens, VPN accounts, email clients, and dozens of cryptocurrency wallets. Researchers warn the attack highlights the continued effectiveness of phishing combined with increasingly stealthy post-compromise techniques. The FBI is warning the silent ransomware group, also known as Luna Moth and Chatty Spider, is escalating its extortion operations against US law firms by using in-person social engineering attacks. According to the FBI, attackers pose as internal IT staff through phishing emails and phone calls, convincing employees to grant remote desktop access. If remote access attempts fail, the group may dispatch an individual directly to the victim's office to connect malicious USB drives or external storage devices to company systems. The stolen data is then used for extortion campaigns targeting both organizations and their clients. The group has reportedly targeted legal and financial firms since 2023 and was previously linked to BazarCall campaigns associated with Conti and Ryuk ransomware operations. Researchers at Adversa AI have demonstrated a new supply chain attack technique called SimJack that targets developers using AI coding agents.
The attack abuses trusted repositories and symbolic links to silently register a malicious MCP server inside an AI coding environment. Developers may unknowingly approve what appears to be a harmless file copy request, while hidden commands modify agent configurations and execute attacker-controlled code. Adversa says the technique could steal credentials, cloud tokens, browser sessions, or compromise CI pipelines without further user interaction. The firm tested the method against several major AI coding agents, including Claude Code, GitHub Copilot CLI, Gemini CLI, Cursor Agent CLI and Grok Build CLI. Researchers say the issue reflects growing security risks tied to developer trust in automation rather than a traditional software vulnerability. Coming up after the break, my conversation with Ben Yellen about the bipartisan push for more support of CISA and hacking your way to the main stage. Stay with us. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source and regain control over their environments. Schedule your demo at threatlocker.com/N2K today.
B
When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year and 92% of responders reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. And it is always my pleasure to be joined by Ben Yellen. He is my co-host over on the Caveat podcast and he is also from the University of Maryland Center for Cyber Health and Hazard Strategies. Ben, welcome back.
C
Good to be with you again, Dave.
B
Interesting story from our friends over at CyberScoop, and this is about bipartisan support to take a closer look at some of these budget cuts that CISA has been experiencing here. What are we looking at here, Ben?
C
So two members of Congress, Representative Don Bacon, a Republican from Nebraska, and Representative James Walkinshaw, a Democrat from Virginia, spoke during a panel at the National Cyber Innovation Forum and harped on the importance of the Cybersecurity and Infrastructure Security Agency, known as CISA. This agency has suffered significant budget cuts over the past year and a half. A lot of that was due to the Department of Government Efficiency and the fork in the road thing where employees were incentivized potentially to leave unless they face the threat of layoffs. And then even through the fiscal year 2026 budgeting cycle, it's faced significant cuts. Some estimates say about a third of the January 20, 2025 workforce has since left the agency. And this is during a time when the threat landscape is extremely significant. We've seen the high-profile attacks, we've heard about advanced potential offensive cyber tools, the threats around something like Mythos or similar technology, not to mention concerns about attacks on our critical infrastructure. So these two members of Congress are coming together, they are encouraging their colleagues as we move into the fiscal year 2027 appropriations process to prioritize funding this agency, to prioritize information sharing of cyber threats. And I think this could be a really powerful call for their colleagues. The one thing I will say is that the Republican member here, Representative Bacon, is retiring at the end of this year. So in the next Congress, I think somebody else on the Republican side of the aisle will have to take this over as a cause, given that we will be losing Representative Bacon's voice on this.
B
Are these representatives in a position of influence when it comes to this particular topic?
C
Yeah. So Representative Bacon is the chairman of the House Armed Services Subcommittee on Cyber, Information Technology and Innovation. And you know, he spoke passionately in the past about how important this is to protecting our networks and our critical infrastructure, mentioned previous campaigns that we've all known about, like Salt Typhoon. Yeah. And just that our adversaries are more sophisticated than they've ever been. And when surveying the threat landscape, we're all terrified of attacks on energy grids or water systems or other things that we rely on as a society for our subsistence. And there's a limited capability for state and local governments to do this on their own just because this is a problem that's national and international in scope. So, yeah, I think both of these guys have significant influence, I think because of Representative Bacon's chairmanship and the fact that he's a member of the President's party, I think his voice is critically important on this.
B
Yeah. As we look at this, I mean, to what degree do we suppose that CISA is seeing these cuts as part of the broader government-wide cuts that have been a big part of this administration? You mentioned DOGE, and CISA got cut there. The proposed budget for 2027 is reducing CISA's funding by between $361 million or even up to over $700 million, depending on which budget document you're looking at. But we've also got this sort of this longtime specter of the President himself having a grudge against the organization for way back when in 2020, saying that the election was fair. And the President doesn't seem to have gotten over that.
C
No, certainly if you read the Truth Social feed, he has not gotten over that. Yeah, I think that's a huge element of this. The President fired the chair of CISA post election 2020 during his first term after Mr. Krebs said publicly that he thought it was fair and that there weren't any irregularities. And he was fired by tweet. And I think there's certainly a perception out there that some of the President's reluctance or grievances at CISA are still based on what he saw as that improper statement in the aftermath of the 2020 election. And I think that's had a huge impact on it. Now, there are a lot of programs, including ones that weren't directly in the President's line of fire, that have faced significant cuts that I think members of both parties would say are cost-effective spending programs that shouldn't have been on the chopping block.
B
Right.
C
Especially for things like public health. I mean, we're looking at what's happening with Ebola. I think at one point Elon Musk said in the Oval Office that he accidentally cut off the funding stream to fight Ebola in Africa and then tried to restore it. So it's these types of things where it's not just one agency, but just given the threat landscape here, I think this is a particularly important one. And one of the things that the Democratic lawmaker James Walkinshaw said here is he's had experience at the local level working for Fairfax County in Virginia, which is a pretty wealthy county that has a sophisticated water system. And in his work there, he saw the critical importance of having these communications channels through this federal agency. And that we need to restore that capability has just not been the same since it lost so many of its staff members and since as an agency, it's kind of been deprioritized.
B
Yeah, yeah. And I suppose, I mean, it's good to see that the representatives are offering bipartisan support for this. It seems like there's pretty much universal understanding that CISA's mission is an important one. Part of me wonders if it's fair to the President to keep going back to the 2020 thing, but it's hard to. Because of the importance of CISA's mission, it's hard to. And the White House's lack of direct information and comment on the justification for cutting CISA, other than just broad budget cutting, it's hard to come to other conclusions. Right?
C
Yeah. Yeah. I mean, I think it leaves a lot of us to just speculate, which, you're right, sometimes is not fair. And I think the representatives here are doing a good job of not making this a Donald Trump story.
B
Right, right.
C
No matter what happens, we'll have a new president in 2029 and we need this agency to be up and working because of the threat environment.
B
Yeah.
C
And because of the importance to this coordinating agency to state and local governments in particular.
B
Right.
C
And I think that's what they're saying, that they have the requisite experience, both in terms of what they've done in Congress and in their previous careers in local governments. And they're coming at it from that perspective, not in the, you know, let's have a, a food fight about the Donald Trump administration where CISA gets caught in the crossfire. I don't think any of these members of Congress are particularly interested in doing that.
B
Yeah, yeah, yeah. Fair enough. All right, well, Ben Yellen is from the University of Maryland Center for Cyber Health and Hazard Strategies and also my co-host on the Caveat podcast. Ben, thanks so much for joining us.
C
Good to be with you, Dave.
B
Thanks.
A
Study and play come together on a Windows 11 PC, and for a limited time, college students get the best of both worlds. Get the unreal college deal, everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft 365 Premium and a year of Xbox Game Pass Ultimate with a custom color Xbox wireless controller. Learn more at windows.com/studentoffer. While supplies last. Ends June 30th. Terms at aka.ms/collegepc. When you need to build up your team to handle the growing chaos at work, use Indeed Sponsored Jobs. It gives your job post the boost it needs to be seen and helps reach people with the right skills, certifications and more. Spend less time searching and more time actually interviewing candidates who check all your boxes. Listeners of this show will get a $75 sponsored job credit at Indeed.com/podcast. That's Indeed.com/podcast. Terms and conditions apply. Need a hiring hero? This is a job for Indeed Sponsored Jobs.
B
And finally, a security researcher found an unusually effective way to get conference talks accepted. Compromise the submission platform first. Researchers at Novi disclosed a stored cross-site scripting flaw in pretalx, a popular open source conference management platform used by security events worldwide. The vulnerability allows malicious JavaScript hidden in speaker submissions to execute inside organizer accounts. Researcher Elad Meged demonstrated the issue by automatically submitting proposals to roughly 40 conferences, all for a deliberately bland talk titled Securing Modern Web Apps. Apparently, subtlety still works. Novi says the flaw could have enabled attackers to hijack organizer sessions, alter submissions, or launch phishing attacks from trusted conference infrastructure. Pretalx patched the issue in April. Meged emphasized the testing remained controlled and non-destructive, though he admitted a more outrageous talk title would have been funnier. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
This episode dives deep into some of the biggest current cyber threats, regulatory moves, and sectoral shifts, outlining everything from the dramatic takedown of the Glassworm botnet to the evolving debate about federal logging requirements, and the budgetary crisis at CISA amid rising AI-driven threats. With expert insight from academia and industry, the show also highlights the growing tension over satellite spectrum in Europe and explores fresh attack techniques in supply chain and conference management security. For those concerned about the sharp edge of global and governmental cybersecurity challenges, this episode delivers insight, urgency, and clarity.
[02:20]
CrowdStrike, along with Google and the Shadowserver Foundation, disrupted the resilient Glassworm botnet, which leveraged decentralized and mainstream tools such as Solana blockchain, BitTorrent, Google Calendar, and VPS servers.
Glassworm spread via Trojanized Visual Studio extensions, compromised GitHub repos, and Python packages.
The botnet stole developer credentials, targeted crypto wallets, and enabled remote access on infected systems.
Attackers tailored tools to withstand disruption, indicating a focus on resistant, long-term operations.
Key Takeaway: The main vector is now developer environments and supply chain dependencies, marking a shift away from targeting end users alone.
"Attackers increasingly target developers and software supply chains rather than end users directly. CrowdStrike warns that weak developer environments and build pipelines can expose every organization consuming affected software." – Dave Bittner [03:54]
[04:25]
[05:35]
Leaked intel reviewed by Wired reveals federal agencies and fusion centers are increasingly monitoring groups and individuals under a new category: "anti-technology extremism".
Monitoring targets protests against AI and data centers and reflects fears that unrest could escalate to critical infrastructure attacks.
Reports also show monitoring of public demonstrations, online forums, and gatherings opposed to data center and AI expansions.
Civil liberties organizations warn this sweeping definition risks including peaceful protesters and activists.
"Civil liberties advocates warn the category is broadly defined and could sweep in peaceful protesters, AI skeptics and environmental activists alongside individuals advocating violence. Federal officials maintain the focus remains on threats involving criminal activity or national security concerns." – Dave Bittner [06:45]
[07:20]
[08:15]
[09:49]
Maria Varmazis from T-Minus Space Cyber Briefing breaks down new EU moves:
The European Commission is set to reserve most of a key satellite spectrum band for European operators after US-based contracts expire in 2027.
The 20-year plan divides the frequency blocks among EU government comms and the IRIS² constellation, European startups, and only one block for global competition.
The move could limit access for major US players (SpaceX, Amazon) and intensifies debates over data and space sovereignty.
EU claims it’s about technical independence and secure connectivity, but US retaliation is possible, especially as trade negotiations progress.
“If this plan comes to fruition, it would sharply limit spectrum access for US operators like SpaceX and Amazon... But squeezing out U.S. competition could provoke retaliation from the United States just as the EU and US seem to be nearing finalization of a new trade deal.” – Maria Varmazis [10:52]
[11:39]
[13:09]
[14:40]
[17:43–25:52]
Representatives Don Bacon (R-NE) and James Walkinshaw (D-VA) make the case for restoring CISA funding during a panel at the National Cyber Innovation Forum.
Bacon chairs the House Armed Services Subcommittee on Cyber and has been a vocal advocate due to rising sophisticated threats (like Salt Typhoon and attacks on US infrastructure).
“Both of these guys have significant influence, I think because of Representative Bacon’s chairmanship and the fact that he’s a member of the President’s party, I think his voice is critically important on this.” – Ben Yellen [20:41]
Some speculate CISA’s cuts are influenced by President Trump’s longstanding resentment after the agency certified the integrity of the 2020 election.
“The President fired the chair of CISA post election 2020... and he was fired by tweet. And I think there’s certainly a perception out there that some of the President’s reluctance or grievances at CISA are still based on what he saw as that improper statement.” – Ben Yellen [22:15]
Yellen emphasizes the bipartisan understanding of CISA's mission, underlining the crucial need for resourcing regardless of political frictions.
Walkinshaw references his work in Fairfax County, highlighting the essential federal support CISA provides to state and local utilities and agencies.
“He saw the critical importance of having these communications channels through this federal agency. And that we need to restore that capability has just not been the same since it lost so many of its staff members.” – Ben Yellen [23:31]
[27:11]
On new anti-tech extremism monitoring:
"Civil liberties advocates warn the category is broadly defined and could sweep in peaceful protesters, AI skeptics and environmental activists..." – Dave Bittner [06:45]
On CISA’s crucial role amid cuts:
“There’s a limited capability for state and local governments to do this on their own just because this is a problem that’s national and international in scope.” – Ben Yellen [20:54]
On the vulnerability of developer tools:
“Attackers increasingly target developers and software supply chains rather than end users directly.” – Dave Bittner [03:54]
On bipartisan necessity:
“It seems like there’s pretty much universal understanding that CISA’s mission is an important one. Part of me wonders if it’s fair to the President to keep going back to the 2020 thing, but... it’s hard to come to other conclusions.” – Dave Bittner [24:36]
On conference platform hacks:
“Apparently, subtlety still works.” – Dave Bittner [27:33]
This episode maps the accelerating arms race in cyber, showing how attackers target foundational tools and highlighting the stakes of government and international regulatory moves. It underscores why shrinking federal capacity, especially at CISA, comes at a particularly perilous time and offers nuanced analysis of congressional and global efforts to assert sovereignty and defend critical infrastructure in the face of AI-fueled risks. With pointed reporting and candid discussion, it's both a radar sweep of today’s new threats and a look ahead at the politics and technologies shaping cyber policy worldwide.