A
You're listening to the Cyberwire Network, powered by N2K.
B
Looking to understand the cybersecurity risks emerging beyond Earth's atmosphere? In the weekly Signals in Space newsletter, T-Minus host Maria Varmazes and producer Ethan Cook connect the dots between terrestrial infrastructure and the growing attack surface in space. Each week you'll get the latest space cyber headlines, direct access to the week's T-Minus podcast conversation, plus expert insights and resources to help security professionals better understand this rapidly evolving domain. Space systems are becoming critical infrastructure. Signals in Space helps you stay ahead of the threats shaping the next frontier. Subscribe now to the Signals in Space newsletter.
No, it's not your imagination. Risk and regulation really are ramping up, and these days customers expect proof of security before they'll even do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI-powered platform. So whether you're getting ready for a SOC 2 or managing an enterprise governance, risk and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me, it comes down to this. Over 10,000 companies, from startups to large enterprises, trust Vanta to help prove their security. Get started at vanta.com/cyber.

Iranian hackers hit LA transit. Chinese cyber operators target Middle East infrastructure. Dutch police take down a 17 million device botnet. Researchers uncover a phishing risk in ChatGPT. Anthropic prepares its Mythos model for release. Chrome patches 22 critical bugs. Zapier fixes a dangerous vulnerability chain. Shiny Hunters claims a Charter breach. A data broker who fueled scams against millions of seniors heads to prison. Maria Varmazes joins me for a look back at a decade of ransomware. And a Google insider allegedly went from threat hunting to bet hunting.
It's Friday, May 29, 2026. I'm Dave Bittner and this is your Cyberwire intel briefing.
Thanks for joining us here today, and happy Friday. It's great, as always, to have you with us. Iranian-linked hackers were likely behind a March cyber attack that disrupted parts of the Los Angeles County Metropolitan Transportation Authority, according to Israeli cybersecurity firm Gambit Security. The company said it uncovered at least 700 GB of stolen emails, backups and other files after the data was accidentally exposed online. Gambit's investigation traced the server hosting the data to a known hacking operation previously linked by Israeli officials and researchers to Iran. The attack disrupted passenger-facing digital services, including arrival time displays and digital fare card systems. Gambit reported that the operation went beyond data theft, with attackers allegedly deleting virtual machines, databases, storage volumes and backup infrastructure in an apparent effort to hinder recovery efforts. A group called Ababeel of Minab claimed responsibility shortly after the intrusion. While the group presents itself as an independent activist organization, security researchers have long suspected ties to Iranian state-backed cyber operations. US authorities, including the FBI, are investigating the incident, though official attribution remains unresolved. Chinese state-aligned hacking groups are increasingly exploiting geopolitical instability in the Middle East to target maritime, energy and government organizations. According to ESET's latest APT activity report, researchers observed Chinese cyber operations focused on improving Beijing's visibility into regional political and economic developments following US military actions against Iran. Activity included attacks on maritime-related government entities in Venezuela, Syrian government networks and an AI and robotics company in South Korea, reflecting China's broader strategic and economic interests.
The report also highlighted continued Russian cyber activity targeting Ukraine, including attacks on military-linked organizations, drone manufacturers and logistics providers, as well as destructive malware campaigns attributed to Sandworm. Meanwhile, Iran-linked cyber operations appeared to shift from established state-backed groups to proxy and hacktivist actors, with Israel remaining a primary target for espionage and disruptive attacks. Dutch police have dismantled a botnet containing at least 17 million compromised devices after a tip from a researcher at the Netherlands National Cybersecurity Center. Investigators identified roughly 200 servers supporting the botnet's infrastructure within the country and seized several systems for analysis. A hosting provider subsequently shut down the network after determining it was being used for criminal activity. Authorities did not disclose the botnet's name, the specific devices involved or how it was used, though officials noted botnets are commonly leveraged for phishing, distributed denial of service attacks and online fraud. The takedown comes amid growing concern over residential proxy networks, which cybercriminals increasingly use to disguise malicious traffic. Separately, the NCSC reported cyber attacks against Dutch organizations fell to a nine-year low in 2024, a trend it partly attributed to broader adoption of multi-factor authentication. A prompt injection technique dubbed ChatGFish could allow attacker-controlled web content to influence ChatGPT's responses when users request page summaries. According to Permiso threat hunter Andy Ahmedi, hidden instructions embedded in a webpage's markdown can cause the chatbot to display convincing phishing links or fake security alerts that appear to originate from ChatGPT itself. Ahmedi demonstrated how attackers could insert fraudulent account warnings and malicious links into otherwise legitimate summaries.
He also showed that embedded QR codes could redirect victims from their desktops to attacker-controlled websites or mobile devices, potentially bypassing browser-based security protections. The vulnerability stems from ChatGPT treating untrusted external content as trusted input during summarization. Ahmedi reported the issue to OpenAI through Bugcrowd, but said he has not received confirmation that a fix has been implemented. Researchers recommend treating AI-generated content as untrusted and strengthening safeguards around rendered external content. Anthropic says it plans to make its powerful Mythos-class AI models available to all customers in the coming weeks after initially restricting access over cybersecurity concerns. Introduced in April for select organizations and security researchers, Mythos was withheld from public release because of concerns that advanced coding and reasoning capabilities could be misused by attackers. The company now says it has made significant progress developing safeguards to reduce those risks. Anthropic claims Mythos delivers substantial improvements in code reasoning and autonomy compared to its current flagship model, Claude Opus 4.8, though it has not confirmed exactly which version will be publicly released. Google has released a Chrome 148 update that patches 151 vulnerabilities, including 22 rated critical. The most severe flaws include an out-of-bounds write in the GPU component and a use-after-free bug in Network, with each earning researchers a $43,000 bug bounty. Most critical issues involve memory safety weaknesses that could potentially enable remote code execution or sandbox escapes. The update also fixes 123 high-severity vulnerabilities. Google says it has paid more than $130,000 in rewards so far, though many payouts remain undisclosed. The company has addressed more than 350 vulnerabilities across Chrome 148 releases since late March, with many discoveries attributed to Google's internal research efforts.
Researchers at Token Security uncovered a chain of five vulnerabilities in the automation platform Zapier that could have allowed attackers with only a free account to compromise millions of users and their connected services. By linking several seemingly routine flaws, the researchers were able to access internal systems, recover credentials, and identify a code signing key tied to software running in every logged-in user's browser. In a worst-case scenario, an attacker could have modified automations, sent emails, moved data or interacted with connected applications while appearing to be a legitimate user. The researchers also demonstrated access to a third-party executive's Gmail account through an exposed key. Token Security reported the issues in February, and Zapier says all vulnerabilities were patched within weeks with no evidence of exploitation. The Shiny Hunters extortion group has claimed responsibility for a breach of Charter Communications that exposed data from 4.9 million accounts. According to Have I Been Pwned, the attackers allegedly gained access through a voice phishing attack targeting an employee's Microsoft Entra account and then stole data from Charter's Salesforce environment. Exposed information reportedly included names, email addresses, phone numbers, physical addresses and some employee records. Charter confirmed the breach, but stated that no sensitive personal information or customer proprietary network information was exfiltrated. After Charter refused to pay a ransom, Shiny Hunters allegedly published the stolen data on its leak site. A North Carolina man has been sentenced to more than 10 years in prison for supplying personal information on over 7 million elderly Americans to scammers who used the data in lottery fraud schemes. Troy Murray, who operated under the alias Steve Dixon, pleaded guilty to conspiracy to commit wire fraud and received a 121-month prison sentence along with forfeiture of $5.2 million.
Prosecutors said Murray stole thousands of lead lists containing names, addresses, phone numbers and email addresses between 2016 and 2023, generating more than $5.2 million while contributing to over $9.5 million in victim losses. He allegedly distributed at least 22,000 lead lists and later accepted payment through prepaid gift cards. Authorities also charged his son with laundering $1.6 million in fraud proceeds. Coming up after the break, Maria Varmazes joins me for a look back at a decade of ransomware, and a Google insider allegedly went from threat hunting to bet hunting. Stay with us.
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today.

When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.

Longtime listeners know that we are celebrating our 10th anniversary here at the Cyberwire. And today Maria Varmazes joins me for a look back at a decade of ransomware.
A
All right, well, welcome back, everybody. It is my pleasure yet again to welcome Dave Bittner, host of the Cyberwire Daily, to speak with me today. Hi, Dave.
B
Hello. Good to be back.
A
Yes, good to see you, Dave. And we are, as we have been this past year, celebrating 10 years of the Cyber Wire Daily, which again, what a feat. Congratulations, Dave.
B
It's hard to believe time flies when you're having fun.
A
Oh, that's so sweet. So 10 years is a decent amount of time, you know, blink of an eye for some and quite an age for others. And when I think of the last 10 years, I'm pretty sure I've said this every conversation we've had, but to me, the true story of the last 10 years in the cybersecurity realm has been ransomware. That is the number one thing that I think of. So we're gonna dedicate our time today to talking about ransomware, how it has changed extraordinarily over the last 10 years. And you've watched it all happen. So if we do our Wayne's World, going back 10 years, what was ransomware like back in 2016, 2017? How would you have described it back then for those that maybe have forgotten or weren't there for this?
B
Well, I mean, you know, when I started doing this every day. So 10 years ago, you know, ransomware had been around for a while. The idea of it had been around for a while, but it becoming a business, people making their living off of it widely was pretty new still. And my recollection is that in the early days, it was what we would look back at now and consider to be, you know, adorable small time street crime versions of ransomware. Right. Someone would, they were targeting individuals. It was like, you know, walking down the street and being mugged, except on your computer. People would get you for $100 or a couple hundred dollars. But it really wasn't gonna change your life very much. Chances are, you'd pay the ransom, your files would be unlocked, you'd go about your business, and that's what it was.
A
Yeah. There was also the accelerant of much more potent threats that were doing much more damage and casting a much wider net. And I would be remiss if I didn't just say the word WannaCry. I mean, it makes me wanna cry. It made us all wanna cry. Do you remember hearing about WannaCry for the first time? Or do you remember that story unfolding? Cause that really was seismic.
B
It was, yeah, it was 2017, I believe, that WannaCry happened. And I think that was really the moment that ransomware became generally present for the general public. People knew what ransomware was. It wasn't just a niche thing anymore. What did WannaCry, what did it get? About a quarter million computers all over the world. But also what it got, you know, they disrupted hospitals and transportation systems and manufacturers. So it was hitting people where they live, shutting down people's work and that sort of thing. So it really showed how ransomware could spread globally using unpatched vulnerabilities. And it was an eye opener for people all over the world. You know, I think it's also worth just taking maybe a half step back at that point in time. I remember right around that era, right around 2017, interviewing people, experts in cybersecurity who really thought ransomware was gonna be winding down.
A
Yes. Yeah, right. Yep, I remember. It was just. It was a bit of a footnote in this. In the. The threat reports that were coming out. It was like, yeah, it's this thing, but don't worry about it, you're fine. Don't even think about it.
B
And what they thought the real threat was going to be was crypto mining, because that was, I use air quotes, a victimless crime where you sneak into someone's computer and you have it run all night mining Bitcoin for you. And they don't know, it doesn't really affect what they're doing. So you're not gonna attract law enforcement because you're not really hurting anyone other than, you know, using up their electricity. But of course, that didn't happen. It went completely the other way.
A
And when we look back at the evolution of ransomware over the last 10 years, I think something that's also noticeable is how the nature of the threat has evolved in. I hate calling it interesting, cause it's dangerous, but it is, as we analyze it, it's interesting. From straight up extortion to extortion on several different levels. Not just I want your money, but also I have now your intellectual property. That is, to me, darkly fascinating that that's what we ended up with.
B
Yeah, you're absolutely right. I mean, we went from just locking up the files and saying, if you want the key, please send us some money, to both locking up and exfiltrating files. And now plenty of groups don't even bother to lock up the files. All they want to do is exfiltrate the files and then they'll say, hey, if you don't want these files leaked and you don't want to suffer the reputational damage, please pay us money. And, you know, just recently we saw the thing with Canvas where it seems like Canvas paid the ransom in order to get their files back. And people are. How do I describe this? They have, I guess, appropriate skepticism when the folks at Canvas are saying that the bad actors assured them and provided somehow proof that the files had been deleted. Like had a screen capture of someone emptying a trash can.
A
Yeah, you can't doctor that. That's just science. Yeah.
B
Right. So I think that also, not to get too philosophical and out of our range of conversation here, but it really does become a who can you trust conversation.
A
Your thoughts on where it's going with ransomware? Not that. Not that you necessarily know better than anybody else, but, you know, I'm curious your thoughts on this?
B
Well, it seems like it's trending in a good way, or maybe at least it's not. Doesn't seem to be getting worse anymore. The numbers are going down in terms of the number of attacks and the amount of money that the bad guys are getting. It's still a lucrative business. I wonder how much of the decrease is due to the fact that so many people have updated their basic hygiene that the low hanging ransomware fruit just isn't there anymore. It takes a much larger investment through social engineering to make this happen. So you kind of. You've weeded out a lot of the ransomware operators who are just doing it for giggles. And now we've got these groups that are organized crime who are financed either independently or by nation states, and they're still doing their thing, still going after the big whales. But is it. Can we say that an upside to ransomware is that it forced everyone into better basic hygiene? Like how many people have multi factor authentication because of the fear of ransomware or because they actually got hit by ransomware.
A
Yeah. What a terrible success story that is. If that's.
B
Yeah. Unintended consequence.
A
Yeah. Well, I'll take that one. That's a good unintended consequence. Or intend. Yeah. On their part. Unintended.
B
Right.
A
But wouldn't, I mean, truly the criminals are looking for the quickest buck or quickest coin. So if there are other methods that are now just so much easier for them to do, maybe they're also just walking away from ransomware. Because social engineering with AI is now so much easier.
B
True.
A
Yeah. I wonder if something's taking its place. I'm sure there is something, right?
B
And you know, Maria, I don't have to run faster than the bear. I only have to run faster than you.
A
That's right. And I don't run very fast. As all our Hacking Humans listeners know, I click all the links. So you know,
B
I am no speed demon myself. Yeah, I mean, look, it's here to stay, certainly for the short term, and it'll be interesting to see how much AI actually affects it. But hold on to the bar, because here we go. We're heading up the lift hill. There's more to my conversation with Maria. We will be posting the extended version of our conversation this weekend. Look for that in your Cyberwire feed.
C
No one goes to Hank's for his spreadsheets. They go for a darn good pizza. Lately, though, the shop's been quiet, so Hank decides to bring back the $1 slice. He asks Copilot in Microsoft Excel to look at his sales and costs and help him see if he can afford it. Copilot shows Hank where the money's going and which little extras make the dollar slice work. Now Hank's has a line out the door. Hank makes the pizza. Copilot handles the spreadsheets. Learn more at m365copilot.com/work.
A
So good, so good, so good.
D
Everything you want for summer is at Nordstrom Rack stores now and up to 60% off. Stock up and save on the brands you love, like Vince, Sam Edelman, Frame and Free People. Join the Nordy Club to unlock exclusive discounts, shop new arrivals first and more. Plus, buy online and pick up at your favorite Rack store for free. Great brands, great prices. That's why you Rack.
B
And finally, a Google security engineer is facing insider trading charges after prosecutors say he turned confidential company data into a remarkably successful prediction market strategy. Michel Spagnuolo, a Google employee since 2014, allegedly used access to Google's unreleased Year in Search rankings to place highly accurate bets on the decentralized platform Polymarket under the alias Alpha Raccoon. The raccoon mask came off when investigators started rummaging through the digital trash cans. According to authorities, Spagnuolo wagered roughly $2.75 million on whether certain people would appear in Google's annual trending search lists, then collected about $1.2 million in profits when the results were publicly released. The alleged winning streak attracted attention online, where users began speculating that Alpha Raccoon had inside knowledge. Prosecutors say the account was later scrubbed of its username and the proceeds were moved through cryptocurrency services designed to obscure transactions. Now the engineer who helped secure systems is accused of exploiting privileged access to game a market, a strategy that proved lucrative until investigators started searching as well. He faces fraud and money laundering charges carrying potential decades-long prison sentences. As investment strategies go, access to confidential data tends to perform well, at least until discovery begins. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And hey, Maria Varmazes is here.
A
Be sure to join me on Sunday for the T-Minus Space Cyber Briefing. In this upcoming episode, we're going to be talking about GPS and why it matters in a cybersecurity context. That's the T-Minus Space Cyber Briefing on Sunday. Don't miss it.
B
Be sure to check out this weekend's Research Saturday and my conversation with Marco Giuliani, Vice President and Head of Research at ThreatDown. The research we're discussing is titled "GotchiLoader Adopts AI Skill Lure." That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazes, our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
Date: May 29, 2026
Host: N2K Networks (Dave Bittner)
Featured Guest: Maria Varmazes
This episode of CyberWire Daily examines major cybersecurity threats and trends, focusing on recent global attacks, critical industry vulnerabilities, and evolving cybercrime tactics. A key highlight is a retrospective discussion on ransomware’s past decade, led by host Dave Bittner and contributing host Maria Varmazes. The episode also covers insider trading allegations within Google and other notable security news.
Major cyberattacks & global threat roundup [03:34–13:37]
- Iranian-Linked Attack on LA Metro
- Chinese State-Backed Operations
- Russian Activity
- Dutch Botnet Takedown
- ChatGPT Phishing via "ChatGFish"
- Anthropic's Mythos AI Model Release
- Google Chrome Vulnerabilities
- Zapier Vulnerability Chain
- Shiny Hunters Claim Charter Communications Breach
- Data Broker Sentenced for Elder Fraud
Ransomware: Past decade, with Maria Varmazes & Dave Bittner [15:53–25:05]
- Initial Landscape
- WannaCry as a Turning Point
- Beyond Simple Extortion
- Skepticism Over Ransom Claims
- Trends Improving, or Just Shifting?
- An Unintended Success Story
- Will Something Replace Ransomware?
- Enduring Threat
Selected quotes:
- "In the early days, it was what we would look back at now and consider to be, you know, adorable small time street crime versions of ransomware." – Dave Bittner [17:02]
- "When we look back at the evolution of ransomware, something that's also noticeable is how the nature of the threat has evolved...from straight up extortion to extortion on several different levels." – Maria Varmazes [20:17]
- "An upside to ransomware is that it forced everyone into better basic hygiene? What a terrible success story that is." – Maria Varmazes [23:35]

Google insider trading charge [26:08–28:07]

| Topic | Timestamp |
|---|---|
| Major cyberattacks & global threat roundup | 03:34–13:37 |
| Ransomware: Past decade (Varmazes/Bittner) | 15:53–25:05 |
| Google insider trading charge | 26:08–28:07 |
Tone: In keeping with the podcast, the episode blends technical rigor with accessible, wry commentary and expert insights, making complex issues understandable for a broad cybersecurity audience.