A
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor, Arcova. Formerly Morgan Franklin Cyber, Arcova is a global cybersecurity and AI consulting firm built by practitioners who've been in the seat. They work directly with enterprise teams to solve complex security challenges, building secure-by-design programs that hold up as technology and threats evolve. From focused engagements to long-term partnership, Arcova delivers outcomes that endure, because no one should navigate complexity alone. Learn why leading global enterprises trust Arcova at www.arcova.com. That's A-R-C-O-V-A dot com.

CISA warns of an actively exploited Langflow vulnerability. CISA flags a critical PTC Windchill vulnerability. Phishing activity surges amid the war in Iran. Google moves up its post-quantum timeline. The alleged RedLine infostealer developer faces 30 years in a US prison. Bearlify hacktivists launch a disruptive ransomware campaign in Russia. The FCC moves to crack down on robocallers and foreign call centers. An anti-piracy group takes down the Anime Play streaming platform. And I talk with Dave Bittner as we look back on the biggest breaches of the last 10 years and what happens when hackers call the game.

Today is Friday, March 27th, 2026. I am Maria Varmazis, in for Dave Bittner, who is recuperating from RSA, and this is your CyberWire intel briefing. Thanks for joining me on this lovely Friday. Hope you're having a good one. Let's get into it.

According to a report from BleepingComputer, the US Cybersecurity and Infrastructure Security Agency, better known as CISA, warns of active exploitation of a critical flaw affecting the Langflow framework for building AI agents. The vulnerability is a code injection flaw that can lead to remote code execution. Researchers at Sysdig observed exploitation of the flaw about 20 hours after its disclosure on March 17.
The researchers state attackers built working exploits directly from the advisory description and began scanning the Internet for vulnerable instances. Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise. Users are advised to update Langflow as soon as possible and audit their systems for compromise.

Germany's federal cyber agency and police took the unusual step of directly warning organizations about a newly disclosed critical vulnerability in PTC Windchill and FlexPLM, underscoring the seriousness of the threat. The flaw, tracked as CVE-2026-4681, involves unsafe deserialization that could allow remote, unauthenticated attackers to execute arbitrary code on affected systems. The US Cybersecurity and Infrastructure Security Agency has also issued an ICS advisory on the flaw, signaling heightened concern for organizations running the widely used product lifecycle management platforms. While patches are still in development, PTC has released mitigations and indicators of compromise to help defenders detect possible exploitation attempts.

Bitdefender is tracking a surge in phishing and malware activity targeting Gulf countries amid the war in Iran, with malicious emails spiking approximately 130% since the conflict began on February 28. Bitdefender states, quote, within days activity doubled and at peak reached nearly four times the baseline levels, signaling a sustained and coordinated spike rather than a one-off campaign. This clearly suggests that phishing and malware delivery campaigns are being deployed and adjusted in real time, with attackers capitalizing on heightened regional sensitivity and business disruptions.
And while state-sponsored cyber operations are accompanying the war, much of this phishing activity is financially motivated, with criminal threat actors exploiting fear and uncertainty across the region.

Google has accelerated its timeline for transitioning to post-quantum cryptography, warning organizations that they may need to be ready by 2029 instead of the previously expected mid-2030s. The shift reflects growing concern that advances in quantum computing, and improvements in error correction and algorithms, could allow future machines to break today's encryption much sooner than anticipated. The company is prioritizing protections for authentication systems and digital signatures, and is already working to deploy quantum-resistant cryptography across products like Chrome, Android and its cloud platforms.

An Armenian national accused of developing the popular RedLine infostealer has been extradited to the United States, where he faces up to 30 years in prison, according to a new report from The Record. The defendant, Hambar Minassian, allegedly worked with co-conspirators to maintain RedLine's infrastructure, including C2 servers and administrative panels, and collected payments from the malware's affiliates, the US Justice Department states. The indictment alleges that Minassian registered two private servers to host portions of RedLine's infrastructure, as well as two Internet domains in support of the RedLine scheme. He also allegedly created repositories on an online file-sharing site that were used to distribute RedLine to affiliates. In November 2021, he allegedly registered a cryptocurrency account that was used to receive payments from RedLine affiliates. An international law enforcement effort disrupted the RedLine operation in October 2024, and the Justice Department unsealed charges against one of Minassian's alleged co-conspirators, Maxim Rudometov. Rudometov is also facing a maximum of 30 years.
A pro-Ukraine hacking group known as Bearlify has carried out more than 70 cyber attacks against Russian companies over the past year and is escalating its campaign with newly developed ransomware, according to researchers. Unlike traditional profit-driven ransomware gangs, Bearlify appears to be motivated by disruption and political signaling tied to Russia's war in Ukraine. The group has targeted organizations across sectors including energy, telecommunications and finance, sometimes wiping systems rather than negotiating payment. Analysts say that the activity reflects a broader trend of hacktivist-style operations increasingly adopting advanced tooling once associated with state actors or criminal syndicates. The campaign highlights how cyber operations linked to geopolitical conflicts continue to blur the lines between activism, espionage and sabotage, raising the risk of spillover effects beyond the immediate battlefield.

The Federal Communications Commission has voted to advance new rules aimed at cracking down on illegal robocalls and limiting the role of foreign call centers in handling sensitive U.S. communications. The proposals would tighten certification requirements for obtaining phone numbers, making it harder for scammers to acquire legitimate numbers, and require telecom providers to disclose more information about callers on their networks. Regulators are also exploring restrictions on routing certain customer service calls overseas, particularly those involving sensitive personal data. Officials say many robocall investigations involve resold numbers and offshore infrastructure, creating enforcement gaps. The measures now move to a public comment phase and could reshape how telecom providers manage numbering resources and customer support operations.
ACE, or the Alliance for Creativity and Entertainment, has shut down the piracy streaming app Anime Play, a platform with more than 5 million users that hosted roughly 60 terabytes of anime content. The coalition seized the app's infrastructure, including 15 domains, backend servers, databases, advertising tools and 29 GitHub repos containing its source code, effectively preventing the operators from relaunching the service. Most users were reportedly based in Indonesia. ACE, backed by major studios including Disney, Netflix and Warner Brothers, said the takedown is part of its broader campaign to dismantle large-scale piracy networks worldwide. The action highlights how coordinated, industry-led enforcement operations are increasingly targeting not just websites, but the full technical ecosystems supporting illicit streaming platforms.

And as we close out the RSAC 2026 week, we thank our ever faithful intern Kevin and treat you to his sign-off.
B
Well, that's a wrap for one last time this year. I'm Kevin the intern, N2K's official unpaid CyberWire intern and literal man on the street, signing off. I hope everyone had a great conference and a safe trip.
A
Stay with us after the break: the breaches that defined a decade of the CyberWire Daily. Dave Bittner and I sit down to discuss the biggest breaches in the last 10 years and what happens when hackers call the game.

The CyberWire Daily is turning 10 this year. We are celebrating all year long, and today we're looking back at the breaches that didn't just make headlines, they changed the conversation. I, alongside Dave Bittner, walk through the cyber incidents that still stick with us. Here's our conversation right now.

It's 2026 when we're recording this, but honestly, 2014 feels like a good place to start, even though it's, okay, math, 12 years ago, with the Sony hack.
C
I think it was a milestone. I think the Sony hack was one that gained national attention. It had a lot of geopolitical influence. There were elements of intelligence gathering. Sony, of course, hard to get a bigger, well recognized brand for a multinational organization.
A
They make my tv.
C
Yeah, I mean, yeah. I mean, it's a brand that many of us have great affection for, you know, dating back to our first Walkman back then.
A
Oh, gosh, yes. Yeah, yeah.
C
So I think it grabbed a lot of people's attention that a big, major brand could get hit this way and sort of, I think, set the global stage for these large scale breaches.
A
Yeah. And there was that intrigue with the movie, wasn't there? Yeah. So there was this kind of made for the headlines story that I think it added this layer.
C
Yeah. And the South Park guys were involved with it, and I mean, it had a little bit of everything when it comes to intrigue. Something for everyone. So, yeah, it really was kind of a starting point. And then I guess the one that really was on my radar when I switched careers and started being a cybersecurity professional was the OPM breach.
A
Oh, yeah.
C
And that had just happened when I joined the CyberWire.
A
Baptism by fire.
C
Yeah, well. And several of my coworkers had been personally affected by that because they had security clearances. And so the OPM breach, which was 2015, I believe, and that's the Office
A
of Personnel Management for the US Federal government.
C
That's right. That's right. And so this was a major breach of all kinds of information that they were in charge of keeping safe, including things about people's security clearances. So some of our nation's greatest secrets were revealed. It turns out our adversaries, we think it was China, were in there for a long time. So they got all of this information that was extremely valuable and extremely sensitive. And it turns out it was because they had outdated equipment and outdated security protocols. And, you know, it wasn't. How do I say this? We contributed to that breach through retrospective negligence as much as the alleged Chinese through their own retrospective negligence. Right.
A
Love that.
C
Yeah. Feel like that's how all of us Gen Xers grew up, right? With retrospective negligence.
A
Drinking from the hose. Yeah, yeah.
C
So as much as the Chinese certainly have great tradecraft, I think our government learned a lot from that breach as to what to do and not to do. So that one was another biggie back then.
A
So after OPM, we can go through this chronologically if you'd like, if there's another breach that sort of bubbles up in the intervening years.
C
I mean, what, I guess it was 2017, we had WannaCry and NotPetya, which really showed global disruption, where shipping companies got affected and systems were actually shut down. And so again, kind of an aha moment of what happens if somebody can either intentionally or accidentally hit the off switch on a global network or on a global basis, how's that going to affect everybody? So, yeah, that got a lot of people's attention.
A
Yeah, it sure did.
C
And then also 2017, we had Equifax,
A
still dealing with the fallout from that one to this day.
C
Yeah, right, yeah. I'm sure all of us are still enjoying our two years of credit monitoring and.
A
Yes, enjoying. Definitely enjoying. Yeah.
C
Right. And then in 2020 we had SolarWinds, which I think revealed the risks of supply chain compromise and trusted software ecosystems. That was really the one that put a big red star on supply chains and third-party providers.
A
Yeah, yeah. And is that one of the ones where like, the CISO was held responsible for what happened, or am I misremembering that one?
C
Yeah, yeah, no, the CISO was in jeopardy of legal criminal charges. And so at that time, if you were a CISO, you were like, what?
A
Yeah, he was eventually cleared, if I remember.
C
Yeah, that's my recollection as well.
A
Yeah. I mean, that seems like a huge paradigm shift to say now people are personally responsible for a massive organizational problem. I mean, that's. I don't know if that. That's scary as heck.
C
Right. And to be potentially responsible criminally when, especially when you put that against. I think we can agree that the trend in the US is that when a company does something bad or irresponsible, generally they pay some sort of a fine, they admit no wrongdoing, and nothing really bad happens to the executives. Maybe every now and then someone might get fired or demoted, but rarely, rarely do we see anyone sent to jail.
A
Yeah. Costs of doing business. Right. I mean. Yeah, Right.
C
And so that hazard was there. That peril was there for CISOs, and I think it caught a lot of people's attention, had them calling their congresspeople and saying, how do we reconcile this, you know, how do we protect ourselves? What kind of insurance do we need? Yeah, so there were all those sort of add-on effects to SolarWinds that again made everybody sort of sit up in their seats and say, hmm, okay, this is the future.
A
I'm curious about your thoughts on threat actors and the kinds of threat actors that you've been seeing the last 10 years. Are they predominantly one type of group or are we seeing more differentiation or are things sort of converging in terms of who tends to be behind a lot of these major breaches that you've covered?
C
Yeah, I mean, I think it's two main groups. Of course you have the folks who are doing espionage on behalf of nation states and that's a tale as old as time. But then you've got the financially motivated threat actors. Again, a tale as old as time, just with updated tools. And that can be everything from gift card fraud to major ransomware campaigns. Another thing we've seen over time is more blending of the threat actors where you'll see perhaps state actors, state sponsored actors who are doing a little side work, who are out there getting some money and the nation states are willing to look the other way, allow them to supplement their incomes, their activities through theft or, you know, selling illicit things, all that sort of thing. So I think the lines have gotten fuzzier and yeah, so that's definitely one of the trends we've seen when you
A
reflect on the last 10 years, specifically about breaches and their trajectories and the kind of stories that you've seen. I mean, I'm curious about your feelings on where we're headed. Is there hope?
C
I would say, you know, when you go through the stages of grief and land at acceptance, I'm kind of there. I mean, we've heard it for all the time I've been at this, people have been saying it's not a matter of if, it's a matter of when. And I think at the outset I was a little more resistant to that notion, but I think it's true. So I try to remind myself to maintain my empathy and my sympathy for the folks that this happens to. And I do not like that some people in our industry have a sense of smug superiority when it comes to these sorts of things. I have no time or patience for that, because I don't think it's helpful. So, look, I think people are out there fighting the good fight. They're doing it in good faith. And we all have to function within the world that we're in. And that world is constantly changing. You look at the shifts in just the political winds and the leaders and the nations and all those sorts of things. People often ask me when they hear we do a daily podcast, they're like, well, how do you come up with enough stuff to talk about every day? I go, ha,
A
right, not really a problem.
C
The challenge is narrowing it down to the top 10 things to talk about every day, because this never stops. So on the one hand, there's that, and sometimes it can be a lot. It can get you down. You can feel like, you know, I'll joke sometimes that, hi, I'm Dave Bittner, and here's today's bad news. But on the other hand, you see the people who are out there doing the good work, who are innovating, who are, as I said, in good faith, trying to make this world a little bit safer, trying to help each other learn more, contribute to the community, and all of those things I find uplifting. And they do give me hope. And that's how I keep going every day, knowing that we're in this together, we're trying to fight the good fight, and we're making progress. It's not as fast as I think any of us would hope that it is, but it's a fight worth fighting. So I'm glad to play a very small part in helping try to keep people up to date and informed when it comes to all this stuff.
A
And that was me, Maria Varmazis, alongside my N2K colleague Dave Bittner, walking us through some of the biggest cyber incidents of the last 10 years. If you enjoyed our chat, and I certainly hope you did, and you want to hear more of it, be sure to tune in on Sunday to your CyberWire Daily podcast feed to hear our full conversation.

AFC Ajax says a recent breach exposed limited supporter data, but reporting suggests that the impact may have gone far beyond a routine leak. An attacker exploited vulnerabilities in the club's systems to access internal data, including email addresses and details tied to a small number of banned supporters. And that's banned, B-A-N-N-E-D. Ajax says the issues have been fixed and there's no evidence of further spread. However, an investigation found the same flaws may have allowed outsiders to do more than just look around. They may have been able to play manager, too. By abusing exposed APIs and shared digital keys, it was reportedly possible to impersonate users, transfer season tickets, alter account details, and even lift those tricky stadium bans. In one case, a journalist demonstrated just how easy it was, grabbing a VIP ticket from a director's account in seconds and using it to access a match. The vulnerabilities may have put hundreds of thousands of supporter accounts and tens of thousands of tickets at risk. And while Ajax is emphasizing the limited confirmed exposure, the ability to manipulate accounts as well as access data points to a deeper breakdown: less a contained breach and more a system that left the door wide open and the playbook sitting right next to it.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com, and be sure to check out Research Saturday tomorrow, where Dave Bittner sits down with Omer Nindberg, CTO of Novi Security, to discuss their work on From PDF to pwn. That's Research Saturday. Check it out.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We are mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. Our host is Dave Bittner, and I am Maria Varmazis. Thanks for listening. Have a great weekend.
C
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source and regain control over their environments. Schedule your demo at threatlocker.com/N2K today.
Episode Theme: Looking Back to Move Forward – A Decade of Breaches & Lessons Learned
Host: Maria Varmazis (in for Dave Bittner), N2K Networks
Special Guest: Dave Bittner
Main Focus:
This CyberWire Daily episode provides listeners with the latest cybersecurity news as well as a special segment marking the podcast's 10-year milestone. Maria Varmazis and Dave Bittner discuss the major breaches that have shaped the industry since 2014, examining both technical impacts and shifts in public perception and professional responsibility.
[00:54–09:49]
Active Langflow Exploit:
A critical code injection vulnerability in Langflow (a framework for building AI agents) was exploited in the wild about 20 hours after disclosure. Attackers built working exploits from the advisory description alone, scanned for exposed instances, and exfiltrated keys and credentials that gave access to connected databases and opened the door to software supply chain compromise. Strongly recommended: patch immediately and audit for signs of compromise.
PTC Windchill Vulnerability:
Germany’s cyber authorities and CISA warn of CVE-2026-4681 (unsafe deserialization in PTC Windchill and FlexPLM) that allows unauthenticated remote code execution. Patches forthcoming; mitigations and IOCs now available.
Phishing Surges Amid Iran Conflict:
Bitdefender tracks a 130% surge in phishing attacks targeting Gulf states since the war began on Feb 28, 2026. Notably, the campaigns show sustained, coordinated spikes, adapting in real-time to exploit regional anxieties.
Google’s Post-Quantum Crypto Timeline Accelerates:
Google warns organizations to prep for quantum-resistant crypto by 2029 (not mid-2030s), citing rapid advances in quantum computing. Rollout already underway on core Google services.
RedLine Stealer Developer Extradited:
Armenian national Hambar Minassian, accused of developing RedLine, has been extradited to the U.S. and faces up to 30 years in prison for maintaining the malware's infrastructure (C2 servers, admin panels, hosting and distribution) and collecting affiliate payments. The RedLine operation was disrupted in October 2024 in a coordinated international law enforcement action.
Hacktivist Ransomware in Russia:
Pro-Ukraine "Bearlify" group has carried out more than 70 attacks on Russian companies over the past year and is escalating with newly developed ransomware, sometimes wiping systems rather than negotiating payment. Targets include the energy, telecom, and finance sectors; the tooling blurs the line between hacktivism and state or criminal operations.
FCC Moves Against Robocaller Fraud:
New FCC rules aim to block illegal robocalls by tightening number certification and restricting sensitive call center operations overseas.
Anime Play Piracy Platform Takedown:
The Alliance for Creativity and Entertainment dismantles the Anime Play platform—used by 5 million mostly Indonesian users—by seizing domains, servers, and code repositories.
[10:11–21:47]
Maria Varmazis & Dave Bittner retrospective conversation
“Retrospective negligence… that’s how all of us Gen Xers grew up, right? Drinking from the hose.”
— Dave Bittner & Maria Varmazis [13:59–14:05]
“I’ll joke sometimes that, ‘Hi, I’m Dave Bittner, and here’s today’s Bad News.’ But on the other hand, you see the people who are out there doing the good work... and all of those things I find uplifting.”
— [20:36 & 21:12]
AFC Ajax Breach – Beyond Data Theft (Post-interview)
[21:47–24:40]
This summary covers the core topics, key industry insights, cultural references, and notable quotes from the episode, providing a comprehensive, timestamped resource for listeners and cybersecurity professionals alike.