N2K CyberWire Announcer
You're listening to the Cyberwire Network powered by N2K.
Maria Varmazis
Do you know how the space and cybersecurity domains connect? T-Minus Space Cyber Briefing is your guide through the space-based systems that expand the attack surface. I'm Maria Varmazis, host here at N2K CyberWire, and I'm excited to share that T-Minus is back now as a weekly podcast, the T-Minus Space Cyber Briefing. We have a new dedicated focus on two great things that are even better together: space and cybersecurity. Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly Internet-enabled. We're talking cybersecurity technologies, policies and organizations that are securing the critical space-based infrastructure that powers, protects and connects our lives here on Earth. So join me for T-Minus Space Cyber Briefing. New episodes every Sunday.
Dave Bittner
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source and regain control over their environments. Schedule your demo at threatlocker.com/N2K today.

CISA directs agencies to patch smarter, not harder. The House fails to extend FISA. Europol pulls over Audi A6. GitHub announces npm security updates. Anthropic rejects Fable 5 jailbreak claims. CISA gives feds three days to patch a critical Ivanti Sentry vulnerability. Google confirms ShinyHunters exploited a critical Oracle PeopleSoft vulnerability. Fancy Bear shifts part of its infrastructure to compromised edge devices. Pundits push for CyberCorps scholarship budgets. Our guest is Dr. Renee Burton, VP of Threat Intelligence at Infoblox, discussing scams targeting the World Cup. And Amazon drivers sweat through a software update.

It's Friday, June 12, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. Happy Friday. It is great, as always, to have you with us.

CISA has issued a new directive that requires federal agencies to prioritize vulnerability remediation based on four key risk factors: whether a vulnerability affects a public-facing asset, can be exploited automatically, enables full system compromise, or is being actively exploited in the wild. The move reflects a broader shift toward risk-based vulnerability management, which CISA describes as "patch smarter, not harder." Under the directive, vulnerabilities meeting all four criteria must be fixed within three days, and agencies must conduct forensic reviews to check for potential compromise. Agencies are also required to update vulnerability management policies immediately, revise remediation processes within 60 days, and fully comply with the new timelines within 180 days. CISA says the policy is driven in part by artificial intelligence accelerating the discovery and weaponization of software flaws. Officials argue that focusing resources on the most dangerous vulnerabilities will improve security outcomes and reduce patching burdens. While the directive applies only to federal agencies, CISA is encouraging private sector organizations to adopt a similar risk-based approach. Industry experts generally support the move, though some question whether aggressive three-day remediation deadlines will be achievable at scale.

The U.S. House of Representatives' effort to temporarily extend Section 702 of the Foreign Intelligence Surveillance Act failed Thursday on a 218-198 vote, likely allowing the surveillance authority to expire for the first time since its creation after 9/11. Nineteen Republicans joined nearly all Democrats in opposing the measure. The dispute centered on President Trump's appointment of Bill Pulte, a mortgage agency director with no national security background, as acting director of national intelligence. Democrats argued that extending surveillance powers while Pulte oversees the intelligence community would pose a greater risk than allowing the program to lapse. Republicans countered that Section 702 is vital to national security and provides critical intelligence on foreign threats.
The failed vote came just before Trump nominated former SEC chair Jay Clayton as permanent intelligence chief. While a FISA court has ruled that Section 702 operations can continue temporarily even without congressional renewal, uncertainty remains over whether telecommunications providers will continue cooperating absent explicit legal authorization. The episode highlights ongoing tensions between national security priorities, privacy concerns, and political battles over intelligence oversight.

An international law enforcement operation has dismantled Audi A6, a cryptocurrency laundering service accused of processing more than 336 million euros in illicit funds between 2022 and 2025 for ransomware gangs and other cybercriminals. Authorities believe the service acted as a major financial hub for criminals seeking to conceal the origins of stolen cryptocurrency. The coordinated action, led by agencies including the U.S. Secret Service, IRS Criminal Investigation, Polish police, Europol and Eurojust, resulted in the arrest of two alleged administrators in Georgia, the seizure of more than 30 servers, the takedown of 25 domains, the confiscation of vehicles and properties, and the freezing or seizure of cryptocurrency assets. Investigators say Audi A6 operated a professional laundering scheme using thousands of fraudulent exchange accounts and more than 6,000 know-your-customer records tied to money mules. Europol linked the service to over 15 ransomware and cryptocurrency theft investigations worldwide. The case highlights the growing professionalization of crypto laundering, which has become a critical support service for the global cybercrime ecosystem.

GitHub's npm team has announced major security changes coming to npm version 12, scheduled for release in July, aimed at reducing software supply chain attacks by shifting from implicit trust to explicit approval.
The update will block three previously permitted behaviors by default: automatic execution of install scripts, dependencies pulled directly from Git repositories, and packages sourced from remote URLs outside official registries. Developers can prepare now by upgrading to npm 11.16 or later, which includes warnings and a new npm approve-script tool for creating allow lists of trusted scripts. Security experts largely welcomed the changes. Semgrep CEO Isaac Evans said stronger defaults are needed as supply chain attacks become cheaper and easier to execute. However, researchers also warned of potential downsides. Paul McCarty cautioned that developers may simply approve blocked scripts to avoid workflow disruptions, while attackers could shift their focus to private software repositories or hide malicious activity among legitimate workarounds created to bypass the new restrictions.

Anthropic has rejected claims that its newly released Claude Fable 5 model was successfully jailbroken. Researcher Pliny the Liberator claimed to bypass safety restrictions using advanced prompting techniques and published screenshots and an alleged system prompt. Anthropic responded that the examples did not demonstrate a true jailbreak, which would require bypassing independent safety classifiers and enabling meaningful assistance for high-risk activities. The company said some outputs were not generated by Fable 5, while others contained only publicly available information. Anthropic added that extensive red teaming and post-release reviews found no evidence that its core safeguards had been circumvented.

CISA has ordered federal agencies to patch a critical Ivanti Sentry vulnerability within three days. The maximum-severity flaw is an OS command injection vulnerability affecting Ivanti's security gateway appliance, formerly known as MobileIron Sentry.
The directive follows reports from Shadowserver that attackers had already compromised numerous Internet-exposed Sentry gateways just one day after Ivanti released patches and stated it had no evidence of active exploitation. The move highlights CISA's new emphasis on rapid remediation of actively exploited, high-risk vulnerabilities.

Google has confirmed that the ShinyHunters threat group exploited a critical Oracle PeopleSoft vulnerability as a zero-day to steal data from organizations before mitigations were released. The unauthenticated remote code execution flaw affects PeopleSoft Enterprise, PeopleTools and related applications. According to Mandiant and Google Threat Intelligence Group, attacks occurred between May 27 and June 9, primarily targeting higher education institutions. Google notified more than 100 potentially exposed organizations, with some experiencing data theft. The University of Nottingham is the first confirmed victim. Oracle has issued mitigations, but patches do not yet appear to be available.

Researchers from Sekoia's Threat Detection and Research team report that the Russian GRU-linked APT28 group, also known as Fancy Bear, has shifted part of its infrastructure to compromised edge devices, including Ubiquiti EdgeRouters infected with the MooBot botnet and routers targeted in its Frostarmada campaign. Rather than relying primarily on cloud servers, APT28 is using compromised routers to relay stolen credentials, host phishing pages, proxy authentication traffic, and support mailbox takeover operations. The approach provides stealth, resilience and geographic diversity by blending malicious activity with legitimate residential and small business Internet traffic. Researchers also observed DNS hijacking techniques that redirect users to attacker-controlled infrastructure, enabling interception of authentication flows and potential theft of OAuth tokens.
Despite past law enforcement disruptions, compromised edge devices continue to support operations. The findings highlight the growing importance of securing routers, monitoring DNS changes, and detecting unusual authentication activity.

An opinion piece co-authored by retired Rear Admiral Mark Montgomery and Sophie McDowell of the Foundation for Defense of Democracies argues that the federal CyberCorps Scholarship for Service program is critical to preparing the U.S. cybersecurity workforce for the growing impact of artificial intelligence. The program, which has placed nearly 5,000 cybersecurity professionals into government roles over the past 25 years, provides scholarships and training in exchange for federal service. The authors contend that AI is accelerating both cyber defense and cyber threats, making specialized expertise increasingly important. In response, CyberCorps now requires participants to develop skills in both applying AI to cybersecurity operations and securing AI systems themselves. The piece criticizes the Trump administration's proposed budget cuts, which would reduce program funding from congressional levels of roughly $63 million to $21.7 million. The authors praise Congress for restoring funds and encouraging greater AI integration, arguing that expanding CyberCorps is essential to addressing government cybersecurity workforce strategies and preparing for future AI-driven threats.

Coming up after the break, my conversation with Dr. Renee Burton, VP of Threat Intelligence at Infoblox. We're discussing scams targeting the World Cup. And Amazon drivers sweat through a software update. Stay with us.
Dave Bittner
When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.
Microsoft 365 Advertiser
Study and play come together on a Windows 11 PC, and for a limited time, college students get the best of both worlds. Get the Unreal College Deal: everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft 365 Premium and a year of Xbox Game Pass Ultimate with a custom color Xbox wireless controller. Learn more at windows.com/studentoffer. While supplies last. Ends June 30th. Terms at aka.ms/collegepc.
Dave Bittner
Dr. Renee Burton is Vice President of Threat Intelligence at Infoblox. We recently got together to discuss scams targeting the World Cup. So, Renee, we have a big sporting event coming up here. Some folks are going to be playing some soccer, or as the rest of the world calls it, football. And this brings with it a bunch of people who really want to check these games out, which is understandable. But it doesn't come without risk here. What are we talking about today?
Dr. Renee Burton
Yeah, well, of course I think there will be in-person risk with all of the millions of people flooding cities around the United States. But there's also the fact that, you know, you can't actually travel there. So we're seeing a really interesting range of threats that are using lookalike domains, essentially associated with the World Cup, from what you would expect, right? Like you expect ticketing scams, but the sophistication of some of those has been quite incredible, all the way to actors who are really connected to long-term malware distribution. So it's a very interesting mix of things that are happening around the World Cup.
Dave Bittner
Well, one of the things that caught my eye, and I know this is something you and your team have been looking into, is this option for viewing the World Cup called Superbox. Now, that's not something I'm familiar with. Can you fill us in? What is Superbox about?
Dr. Renee Burton
Yeah. So Superbox is one of many cheap TV devices that are out there. It's a specific brand. There's been a lot of coverage about them within, I don't know, the last year because of software that was deployed on them. So when you go on Amazon, you buy this cheap TV device because you want to get streaming sports for free or for cheap. And so you buy that, and it turns out that when you plug that in, it already has software loaded on it that takes your device and makes it part, essentially, of a botnet, right? They wouldn't use that term. They use the term, what's called, residential proxy service. But essentially it makes your device part of a network which an external provider owns and can now control, sending traffic through, that kind of thing. And Superbox is one of the many, many ways in which this happens. And we did see specific examples where there was advertisement for being able to use your Superbox to get to see the games.
Dave Bittner
And so the infection, is that actually on the Superbox itself, or are they actually making their way into your television?
Dr. Renee Burton
It is on that Superbox. That's one of the ones that's been pretty well studied. And there was action taken by Google, I think it was last year, and then in January, related to these. But aside from them, there are many other things. Like we've seen an actor who is a Vietnamese actor who's offering, again, streaming, right? But when you download these different apps, they also have these SDKs, right? This ability that you as a user are suddenly opted in to allowing your device to be used as a node in their network.
Dave Bittner
So the streaming of the sporting event is the lure and that's how they get you to get the device in your home. And then before you know it, you're helping be a part of this botnet.
Dr. Renee Burton
Yeah, exactly. And a lot of it's really interesting, like pre-planning. The Vietnamese actor is an actor who also runs AsyncRAT, a remote access trojan. And they actually procured one of the domains for the 2026 World Cup. They bought it back in 2024 through an auction. So they paid $600 for it. It shows the pre-planning, right? Like in 2024, they have the forethought to buy a domain that had been used by a blogger who's like a soccer fan, and paid 600 bucks for it, and are now using it as part of a whole lookalike domain, illegal streaming type scam world.
Dave Bittner
Now suppose you become part of this botnet as a user of one of these Superboxes. Does the box continue to function the way that you expect it would? Would you have any awareness that anything was amiss?
Dr. Renee Burton
Generally you're not going to, I think. You know, in theory, if you're using your box while it's part of, you know, being used for part of a denial of service, maybe then. But my understanding is that the volumes going aren't high enough for you as an individual to necessarily notice. But when they're combined, right, with tens of millions of devices around the world, that can be quite dramatic, and have caused some of the largest denial of service attacks that have ever been seen.
Dave Bittner
Could this potentially get me in trouble with my ISP?
Dr. Renee Burton
Well, that's a good question, whether ISPs are enforcing, but they certainly are looking at it, right? And from a volume metrics standpoint, you're essentially being used. Say, for instance, even in a legitimate way, a lot of AI companies are using these for scraping. When you come out of a residential IP address rather than a data center, you're going to get access to more stuff; you're going to get blocked less. So the scraping world, and by the way, the security world, uses residential proxies to be able to access stuff. They have free access to your node within a certain volume, and, as you say, the ISP should be able to see at least that volume coming through.
Dave Bittner
Well, for the fans out there who want to check out the World cup, what's your advice to be able to do that but also stay safe?
Dr. Renee Burton
Well, the main thing is really make sure you're going through legitimate services. You know, in addition to this Superbox situation with residential proxies, we've seen a number of really good mimicked domains, where the domain looks good and the site looks good, and they've got incredibly complicated fake ticketing services. So the, you know, the whole setup is quite elaborate. But in that case you're trying to buy a ticket for a game; you're not going to be able to get the ticket, they're just going to steal your money. And in other cases they are stealing, you know, your credentials, for instance. So paying a lot of attention and trying to ensure that, you know, if you want to go, then you're going to FIFA.com, right? So rather than going to something that's like FIFA-2026.org.
Dave Bittner
so it's so complicated.
Dr. Renee Burton
It is.
Dave Bittner
And I can't help, I imagine the heartbreak of someone walking up to the venue with their tickets in hand or a QR code on their mobile device thinking this is the day I'm going to be able to see this match that I've been looking forward to for however long and it getting scanned and someone saying I'm sorry, this is not a valid ticket. Just how devastating that would be.
Dr. Renee Burton
Yeah, can you even imagine? It's like not only the cost, but just the whole expectation and not being able to do it. It's unfortunate that there's a lot of criminals in the world who care less.
Dave Bittner
That's Dr. Renee Burton, VP of Threat Intelligence at Infoblox.
N2K CyberWire Announcer
When you need to build up your team to handle the growing chaos at work, use Indeed Sponsored Jobs. It gives your job post the boost it needs to be seen and helps reach people with the right skills, certifications and more. Spend less time searching and more time actually interviewing candidates who check all your boxes. Listeners of this show will get a $75 sponsored job credit at Indeed.com/podcast. That's Indeed.com/podcast. Terms and conditions apply. Need a hiring hero? This is a job for Indeed Sponsored Jobs.
Home Depot Advertiser
This Father's Day, do more with dad and spend less with low prices guaranteed at the Home Depot. Get him fired up with a new grill and accessories like the Nexgrill 5-burner for just $299, so you can spend more time together while he becomes the grill master he was always meant to be. Or build memories with savings on top brand power tools so you can tackle projects side by side. Gift more and do more together this Father's Day with help from the Home Depot. Exclusions apply. See homedepot.com/pricematch for details.
Dave Bittner
And finally, Amazon delivery drivers are voicing frustration over a recent software update in their Rivian-built electric delivery vans that changes how air conditioning operates during stops. Drivers say the system now shuts off cabin cooling if the sliding door remains open and the driver is out of the seat for more than 30 seconds, a common occurrence on routes that involve constant hopping in and out of the vehicle. Amazon disputes the characterization, arguing the update actually extends climate control by keeping the AC running for up to 10 minutes after a driver exits, with the timer resetting at each stop. The catch, however, is that leaving the side door open triggers a battery-saving shutdown after 30 seconds. For drivers racing through summer deliveries, that distinction feels a bit academic. Many say they spend more time outside the van than inside it, meaning the cabin often has ample opportunity to reheat itself between stops. In theory, the update improves comfort. In practice, some drivers say it's transformed the air conditioner into an enthusiastic but short-lived participant in the delivery process.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Martin Zugec, Technical Solutions Director at Bitdefender. The research is titled "FamousSparrow APT Targets Azerbaijani Oil and Gas Industry." That's Research Saturday. Check it out.
Maria Varmazis
Hello, Maria Varmazis here. On Sunday's T-Minus Space Cyber Briefing, we have my interview with journalist Shaun Waterman on recent initiatives for incident detection and response on satellites, not just on ground stations. That's Sunday on T-Minus. Don't miss it.
Dave Bittner
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Tre Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
Columbia Omnishade Advertiser
You can't reason with the sun. Trust us, we've tried. This summer, it's time to put that angry ball of fire on mute. Columbia's Omni-Shade technology is engineered to protect you from the sun's harsh rays that can burn and damage your skin. The sun is relentless, but so is our gear. Level up your summer at columbia.com to spend more time outside and less time slathering on aloe lotion. You're welcome. Columbia. Engineered for whatever.
Host: Dave Bittner (N2K Networks)
Date: June 12, 2026
This episode of CyberWire Daily centers around evolving strategies, policies, and real-world stories in cybersecurity, with a focus on risk-based vulnerability management for federal agencies. Key discussions include CISA’s new patching directive, the political drama over FISA’s extension, dismantling cybercrime networks, and upcoming changes in software supply chain security. The episode features an interview with Dr. Renee Burton (VP, Threat Intelligence at Infoblox) on World Cup-related cyber scams, as well as noteworthy updates affecting both enterprises and everyday consumers.
[02:00 – 05:45]
Quote:
“CISA says the policy is driven in part by artificial intelligence accelerating the discovery and weaponization of software flaws.” – Dave Bittner [03:50]
[05:50 – 07:20]
[07:25 – 08:51]
[08:52 – 10:18]
GitHub to implement major security updates in npm v12 (July):
Some experts warn about user workarounds and attacker adaptation.
Quote:
“Stronger defaults are needed as supply chain attacks become cheaper and easier.” – Isaac Evans, CEO, Semgrep [09:47]
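The three behaviours npm 12 turns off by default (install-time scripts, git dependencies, remote-URL dependencies) are all visible in package.json before anything is installed, so a team can inventory them now rather than discover them as breakage in July. The script below is an added example written for this summary, not code from npm or GitHub: it classifies each dependency spec using the spec shapes documented for package.json (git URLs, `github:`/`gitlab:`/`bitbucket:`/`gist:` shorthands, bare `owner/repo`, `http(s)://` tarballs, `file:`/`link:` paths, `npm:` aliases) and flags the lifecycle hooks npm runs during install. The manifests it scans are constructed samples with hypothetical package names.

```python
"""Audit package.json manifests for the three behaviours npm 12 will refuse by default:
install-time scripts, git dependencies and remote-URL dependencies.
Added example; the manifests below are constructed, not real packages."""
import json
import re
from typing import Dict, List, Tuple

# Lifecycle hooks npm runs automatically during `npm install`
# (prepare also runs for git dependencies after they are cloned).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")

# Dependency spec shapes from the npm package.json documentation.
_GIT_URL = re.compile(r"^git(\+(ssh|https?|file))?://", re.IGNORECASE)
_HOSTED_SHORTHAND = re.compile(r"^(github|gitlab|bitbucket|gist):", re.IGNORECASE)
_BARE_GITHUB = re.compile(r"^[\w.-]+/[\w.-]+(#.*)?$")  # "owner/repo" implies GitHub
_REMOTE_TARBALL = re.compile(r"^https?://", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (category, package name, detail)


def classify_spec(spec: str) -> str:
    """Classify one dependency spec: registry, alias, local, url or git."""
    s = spec.strip()
    if _REMOTE_TARBALL.match(s):
        return "url"
    if s.startswith(("file:", "link:")):
        return "local"
    if s.startswith("npm:"):
        return "alias"  # npm:<name>@<range> still resolves through the registry
    if _GIT_URL.match(s) or _HOSTED_SHORTHAND.match(s) or _BARE_GITHUB.match(s):
        return "git"
    return "registry"  # semver range, dist-tag or exact version


def audit_manifest(manifest: Dict) -> List[Finding]:
    """Return the findings for one parsed package.json object."""
    pkg = manifest.get("name", "<root>")
    findings: List[Finding] = []
    for hook, command in (manifest.get("scripts") or {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(("install-script", pkg, f"{hook}: {command}"))
    for field in DEP_FIELDS:
        for dep, spec in (manifest.get(field) or {}).items():
            kind = classify_spec(str(spec))
            if kind in ("git", "url"):
                findings.append((f"{kind}-dependency", pkg, f"{field}.{dep} = {spec}"))
    return findings


def audit_tree(manifests: List[Dict]) -> List[Finding]:
    """Audit the root manifest plus every installed package's package.json."""
    out: List[Finding] = []
    for m in manifests:
        out.extend(audit_manifest(m))
    return out


# Constructed sample input (hypothetical packages, not real ones).
ROOT_MANIFEST = json.loads("""{
  "name": "example-app",
  "scripts": {"build": "tsc", "postinstall": "node scripts/setup.js"},
  "dependencies": {
    "left-pad": "^1.3.0",
    "my-fork": "github:someuser/some-lib#v2.0.0",
    "vendored": "https://example.com/pkg-1.0.0.tgz",
    "local-lib": "file:../local-lib",
    "legacy-lodash": "npm:lodash@^3"
  },
  "devDependencies": {"tool": "git+ssh://git@github.com/someuser/tool.git"}
}""")
LEFT_PAD_MANIFEST = json.loads(
    '{"name": "left-pad", "version": "1.3.0", "scripts": {"test": "node test"}}'
)
NATIVE_MANIFEST = json.loads('{"name": "native-thing", "scripts": {"install": "node-gyp rebuild"}}')

if __name__ == "__main__":
    for category, pkg, detail in audit_tree([ROOT_MANIFEST, LEFT_PAD_MANIFEST, NATIVE_MANIFEST]):
        print(f"{category:18} {pkg:14} {detail}")
```

Run against a real tree, `audit_tree` would take the root package.json plus every `node_modules/*/package.json`; each install-script finding is a candidate for the allow list, and each git or URL finding is a dependency that will need a registry-published equivalent. Note that `file:` and `npm:` specs are deliberately not flagged, since they are not among the three behaviours being blocked. Until npm 12 ships, `ignore-scripts=true` in `.npmrc` gives the same install-script block on current npm versions.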
[10:19 – 11:13]
[11:14 – 13:00]
[13:01 – 14:05]
[14:06 – 15:15]
[16:40 – 24:34]
“You expect ticketing scams, but the sophistication…has been quite incredible…actors who are really connected to long-term malware distribution.” – Dr. Renee Burton [17:15]
“You go on Amazon, you buy this cheap TV device…when you plug that in, it…makes your device part...of a botnet.” – Dr. Renee Burton [18:23]
“The Vietnamese actor…actually procured one of the domains for the 2026 World Cup…shows the pre-planning.” [20:25]
In most cases, infected Superboxes continue to function as expected, making infection hard to detect.
When combined with millions of devices, these unnoticed infections empower potent denial-of-service attacks.
ISPs can sometimes notice anomalous traffic, but enforcement varies.
User Advice:
“The main thing is really, make sure you're going through legitimate services.” – Dr. Renee Burton [22:58]
“Imagine the heartbreak...walk up with tickets...and someone saying ‘Sorry, this is not a valid ticket.’” – Dave Bittner [23:57]
[25:55 – 27:54]
“It’s transformed the air conditioner into an enthusiastic but short-lived participant in the delivery process.” – Dave Bittner [27:50]
The episode’s tone is both practical and cautionary, blending in-depth technological insights with empathy for the real-world effects of cyber threats. Listeners are urged to adopt a proactive, risk-based approach to security—whether at the federal policy level, inside the enterprise, or in personal life as a consumer or fan. The impact of AI and the adaptability of adversaries run as a consistent thread throughout, underscored by stories of large-scale premeditation (World Cup scams) and the ever-present risk at the intersection of convenience (cheap streaming) and vulnerability.