Transcript
Dave Bittner (0:02)
You're listening to the CyberWire network, powered by N2K.
Podcast Host / Interviewer (0:11)
Identity is a top attack vector. In our interview with Kavitha Mariappan from Rubrik, she breaks down why 90% of security leaders believe that identity-based attacks are their biggest threat. Throughout this conversation we explore why recovery times are getting longer, not shorter, and what resiliency will look like in this AI-driven world. If you're struggling to get a handle on identity risk, this is something you should tune into. Check out the full interview at thecyberwire.com/rubrik.
Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform, fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel: outpacing what's next in social engineering. Learn more at doppel.com. That's d-o-p-p-e-l dot com.
Malicious Chrome extensions pose as AI tools. Google says nation-states are increasingly abusing its Gemini artificial intelligence tool. Data extortion group World Leaks deploys a new malware tool called Rusty Rocket. An Atlanta healthcare provider data breach affects over 625,000. Apple patches an iOS zero-day that's been around since version 1.0. A government shutdown would furlough more than half of CISA's staff. Dutch police arrest the alleged seller of the Joker OTP phishing automation service. Our guest is Simon Horsewell, senior fraud specialist at Entrust, discussing evolving romance scams ahead of Valentine's Day. And fun with filters provides fuel for phishers.
It's Thursday, February 12, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great, as always, to have you with us.
Researchers have identified 30 malicious Chrome extensions posing as AI tools that have been installed by more than 300,000 users. Discovered by browser security firm LayerX and dubbed the AI Frame Campaign, the extensions share the same code structure and communicate with infrastructure under the domain Tapnetic Pro. While the most popular extension, Gemini AI Sidebar, previously had 80,000 users and has been removed, several others remain on the Chrome Web Store with tens of thousands of installs. The extensions load AI features through remote iframes, allowing operators to change functionality without store review. They harvest browsing data and, in at least 15 cases, target Gmail by extracting visible email content, including drafts, and transmit it to external servers. Some also enable remote voice capture using the Web Speech API. Users are advised to remove affected extensions and reset passwords if compromised.
Google says nation-state hacking groups are increasingly using its Gemini AI tool to accelerate reconnaissance, malware development and targeting. In a new report, Google's Threat Intelligence Group, or GTIG, detailed activity by groups linked to China, Iran and North Korea. Chinese actors used Gemini to gather information on individuals in Pakistan and analyze vulnerabilities. Iran's APT42 used it to craft phishing personas, translate lures and support malware development. A North Korean group targeting the defense sector leveraged Gemini to synthesize open-source intelligence and profile technical roles. GTIG also observed malware called Honest Q that uses the Gemini API to generate C code for follow-on payloads. Google says it disrupted some activity but acknowledges actors continue targeting similar victims. Large language models are helping threat groups scale reconnaissance and move from research to active targeting faster, according to GTIG.
Accenture Cybersecurity says the data extortion group World Leaks has deployed a previously unseen malware tool called Rusty Rocket to enhance its attacks. According to Accenture, Rusty Rocket is written in Rust and targets both Microsoft Windows and Linux systems. The tool enables stealthy data exfiltration and traffic proxying through heavily obfuscated, multilayered encrypted tunnels, blending malicious activity with legitimate network traffic. It also requires a pre-encrypted configuration at runtime, a guardrail, researchers say, that makes it difficult to detect and monitor. World Leaks, active since early 2025, steals sensitive data and threatens to publish it rather than encrypting files. The group has claimed victims including Nike. Accenture says Rusty Rocket supports persistence and long-term data theft. Increasingly stealthy tooling complicates traditional detection. Accenture recommends monitoring anomalous outbound traffic, strengthening segmentation and testing defenses.
ApolloMD, a healthcare physician and practice management provider based in Atlanta, disclosed that a May 22 to May 23, 2025 cyber attack exposed sensitive data belonging to over 626,000 individuals. According to the company's notice and the U.S. Department of Health and Human Services breach portal, accessed files contained personally identifiable information and protected health information, including names, birth dates, diagnostic and treatment details, insurance data and, in some cases, Social Security numbers. By September of last year, ApolloMD had notified affiliated practices and begun mailing letters offering free credit monitoring. The company has not identified a responsible threat actor, although the Qilin ransomware group listed ApolloMD on its leak site in June of last year.
Apple has patched a zero-day vulnerability that affects every iOS version since 1.0 and was used in what the company described as an extremely sophisticated attack against targeted individuals, discovered by Google's Threat Analysis Group. The flaw resides in dyld, Apple's dynamic linker, and allows an attacker with memory write capability to execute arbitrary code. Apple said the issue may have been exploited as part of a chain on versions prior to iOS 26. Security researchers noted the vulnerability could be combined with WebKit flaws addressed in iOS 26.3 to enable zero-click or one-click device compromise. Apple also fixed other issues, including bugs that could grant root access or expose sensitive data, but said the zero-day was the only vulnerability confirmed exploited in the wild.
More than half of CISA's 2,341 employees would be furloughed if Congress fails to extend Department of Homeland Security funding by Friday, Acting Director Madhu Gottumukkala told lawmakers. CISA plans to designate 888 employees as excepted to maintain 24/7 operations, respond to imminent threats and share urgent vulnerability information. But most proactive cybersecurity work would pause, Gottumukkala warned. A funding lapse would delay deployment of cybersecurity services to federal agencies and weaken timely guidance to infrastructure operators. Strategic planning, new capability development, training and work on mandated cyber incident reporting rules would halt. Lawmakers remain divided over broader Department of Homeland Security policy disputes, raising the risk of a shutdown during what officials describe as a sensitive period for federal cyber defense efforts.
Staying with CISA, the agency published an advisory outlining key lessons from its response to a real-world compromise at a federal civilian executive branch agency. The incident stemmed from exploitation of a known GeoServer vulnerability, giving threat actors remote access, persistence and lateral movement across systems. CISA mapped observed tactics, techniques and procedures using the MITRE ATT&CK framework and provided indicators of compromise to help defenders detect similar activity. The advisory emphasizes swift patching of critical vulnerabilities, maintaining and exercising incident response plans, and centralized logging for effective detection. It also includes mitigation recommendations to improve an organization's preparedness and resilience against sophisticated post-compromise activity. CISA encourages all organizations to apply these lessons and use the associated technical details in the advisory to strengthen their security posture.
Dutch police have arrested a 21-year-old man for allegedly selling the Joker OTP phishing automation service, a tool designed to intercept one-time passwords and hijack online accounts. The arrest follows a three-year investigation that dismantled the Joker OTP phishing-as-a-service operation in April of last year, including prior arrests of its developer and a co-developer. Authorities say the platform caused at least $10 million in losses across more than 28,000 attacks in 13 countries. Sold via Telegram license keys, the tool automated calls to victims posing as legitimate companies while prompting them to enter one-time passwords sent during login attempts. Targets included PayPal, Venmo, Coinbase, Amazon and Apple users. Police have identified dozens of buyers and say the investigation remains ongoing.
Coming up after the break, Simon Horsewell from Entrust discusses evolving romance scams ahead of Valentine's Day, and fun with filters provides fuel for phishers. Stick around.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
