CyberWire Daily – "Hackers Ignore the Ceasefire"
Date: April 9, 2026
Host: Dave Bittner (N2K Networks)
Episode Overview
This episode covers ongoing cybersecurity threats and trends, focusing on continued Iranian cyber operations despite a recent ceasefire, major news in software vulnerabilities and right-to-repair, and highlighted insights from Edgar Capdevieli, CEO of Nozomi Networks, on industrial/operational technology (OT) security amid global tensions and AI-driven threats. The episode blends current events with expert industry commentary.
Key Discussion Points & Insights
1. Iran-Linked Hackers Persist After Ceasefire ([00:14]–[03:39])
- Pro-Iranian Hacker Groups: Despite a fragile ceasefire among Iran, the US, and Israel, groups vow to continue cyber operations.
  - Notably, the group “Handela” pauses US-targeted attacks but continues targeting Israel and reserves the right to resume US operations.
- Critical Infrastructure at Risk:
  - US authorities warn that Iran-linked threat actors have already infiltrated programmable logic controllers in essential sectors (ports, power plants, water systems).
  - Agencies urge immediate defense upgrades.
- Expert Warning: Ceasefires could trigger increased cyber activity as attackers shift to softer, commercial targets (defense contractors, data centers).
  - Most attacks are symbolic but signal persistent, evolving cyber risks in modern conflicts.
“Experts caution that cyber activity may actually increase during a ceasefire as threat actors shift attention toward U.S. companies connected to the war effort.” – Host ([01:18])
2. Security Industry and Vulnerability News ([03:39]–[08:12])
- Microsoft Suspends Open Source Developer Accounts:
  - Temporary suspensions affected major projects (WireGuard, VeraCrypt, MemTest86, Windscribe).
  - Developers complained of poor communication; Microsoft cited missed verification requirements and is now reviewing its notification processes.
“Developers said they received no warning or clear explanation and were unable to reach human support.” – Host ([04:22])
- John Deere Right to Repair Settlement:
  - Farmers win a $99M settlement and gain access to critical repair tools for 10 years.
  - Could influence broader right-to-repair movements; the FTC lawsuit is still pending.
- Adobe Reader Zero-Day:
  - Researcher Hai Fei Li detects a likely zero-day exploit in Adobe Reader, actively abused with Russia-linked oil/gas lures.
  - Exploit chain unconfirmed, but with potential for remote code execution and sandbox escape.
  - Adobe is investigating.
- Palo Alto Networks and SonicWall Patch Severe Flaws:
  - Patches address critical enterprise platform vulnerabilities.
  - Urgent update advice; no active exploitation reported yet.
- macOS Crypto Wallet Malware:
  - “Not Null OS X” malware targets high-value crypto users with advanced social engineering.
  - Tactics include fake Google Docs errors, Trojanized apps, and “replace app” attacks.
3. Social Engineering and DDoS Threats ([08:12]–[10:40])
- UNC6783 Live Chat Social Engineering (Google TAG):
  - Financially motivated group targets business process outsourcers and large companies via help desk and live chat channels.
  - Techniques: spoofed Okta login pages, clipboard MFA stealing, fake updates, extortion via ProtonMail.
  - Defense advice: use phishing-resistant MFA, monitor chat channels, audit newly enrolled devices.
- Majesu Botnet (Trellix):
  - Persistent DDoS-for-hire botnet active since 2023; targets diverse device types.
  - Features: attack volumes in the hundreds of Gbps, updated C2 redundancy, avoidance of government IP ranges.
4. Federal Vulnerability Mandate – Ivanti Patch ([10:40]–[11:35])
- CISA Mandate:
  - Federal agencies must patch a critical Ivanti Endpoint Manager Mobile vulnerability within four days.
  - The vulnerability allows unauthenticated remote code execution; nearly 950 exposed online instances remain.
  - CISA adds the issue to its Known Exploited Vulnerabilities catalog.
“CISA added the issue to its known Exploited Vulnerabilities catalog and urged all organizations to prioritize patching immediately due to ongoing risk.” – Host ([11:18])
Feature Interview: Edgar Capdevieli, CEO of Nozomi Networks
Topic: Nation-State and AI Threats to OT Security
([13:43]–[23:32]; selected highlights)
Setting the Scene – OT Security in Geopolitical Crisis
- Iranian and Regional Threats:
  - Iran has a history as a sophisticated threat actor against industrial/critical infrastructure.
  - Current conflicts have “heightened” activity across transportation, manufacturing, and energy.
“Iran has been a long time active threat actor... Now that the conflict is very, very active and very, very kinetic, the threat landscape has been... heightened really very much.” – Edgar Capdevieli ([14:12])
- Parallels to the Russia-Ukraine Conflict:
  - Early indicators of attacks echo the initial stages of the Russia-Ukraine cyber conflict.
  - Focus on reconnaissance, credential theft, and lateral movement.
“You see kind of the early MITRE activities like...credentials identity... beginnings of lateral movement. We're starting to see that now...” – Edgar Capdevieli ([15:29])
- Attacker Persistence Despite Infrastructure Cuts:
  - State-supported groups are unaffected by civilian internet outages.
The Current State of Global Critical Infrastructure Security
- Maturation of Industry:
  - Security mindset has evolved from nascent/innovative to mainstream; budgets are growing, but not infinite.
  - “Evildoers” (attackers) leverage AI faster than defenders, making average hackers more dangerous.
“A mediocre hacker with AI becomes a sophisticated hacker.” – Edgar Capdevieli ([18:58])
  - AI enables IT hackers to swiftly become OT attackers, lowering the expertise barrier.
Proactive Security and Cultural Change
- Cycle of Equipment and Security Response:
  - Equipment upgrade cycles remain slow because of 20–30-year asset lifespans.
  - The real shift: improved collaboration between IT and OT roles, with faster, more regular patching and security integration.
  - The air-gapped facility myth is obsolete; frequent, timely upgrades are now essential.
“The huge myth that my facilities are air gapped, that's no longer the case. That's a myth. That's a lie. Everybody knows that.” – Edgar Capdevieli ([20:45])
- Cultural Evolution in Security Leadership:
  - The traditional “stay out of my way” OT vs. “security first” IT divide is closing, with CISOs asserting more centralized control.
  - Still, plant/operations managers retain primary decision power over specific industrial systems (Rockwell, Siemens, etc.), because of long asset lifespans and complexity.
“The CISO has centralized authority, centralized responsibility, and centralized budgeting... it's more in partnership because it is still the plant manager or the operations people or the production people that decide...” – Edgar Capdevieli ([22:17])
Memorable Quotes & Moments
- “A mediocre hacker with AI becomes a sophisticated hacker.” – Edgar Capdevieli ([18:58])
- “The huge myth that my facilities are air gapped, that's no longer the case. That's a myth. That's a lie. Everybody knows that.” – Edgar Capdevieli ([20:45])
- “You can't just say, okay, I bought this plant and I decided that I don't like the vendor that they use. I'm just going to go change it. That is not in the cost structure of the plant.” – Edgar Capdevieli ([23:18])
Other Noteworthy Technical Finds
- macOS 49-Day Bug ([24:27]):
  - macOS freezes TCP networking after roughly 49.7 days of uptime because a 32-bit counter overflows; a reboot is the only fix.
“After exactly 49 days, 17 hours, 2 minutes and 47 seconds, a 32 bit counter in the XNU kernel quietly overflows and freezes the system's internal TCP clock.” – Host ([24:27])
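The episode gives only the counter width and the wrap period, so the following is an added illustration, not XNU code and not Apple's fix. It derives the 49-day, 17-hour, 2-minute, 47-second period from 2^32 milliseconds and then shows the generic failure mode of a free-running 32-bit millisecond counter: a naive `now >= deadline` comparison fires early or never fires once the counter wraps, while the wrap-safe comparison (serial-number arithmetic, the same idea TCP uses for sequence numbers) keeps working for deadlines less than 2^31 ms away. The timer scenario and tick values are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <inttypes.h>
#include <stdio.h>

/* Period of a free-running 32-bit millisecond counter: 2^32 ms. */
#define COUNTER_PERIOD_MS (1ULL << 32)

struct duration { uint64_t days, hours, minutes, seconds, millis; };

/* Split a millisecond count into days / hours / minutes / seconds / ms. */
struct duration split_duration(uint64_t ms) {
    struct duration d;
    d.millis  = ms % 1000; ms /= 1000;
    d.seconds = ms % 60;   ms /= 60;
    d.minutes = ms % 60;   ms /= 60;
    d.hours   = ms % 24;   ms /= 24;
    d.days    = ms;
    return d;
}

/* Arm a deadline relative to 'now'; unsigned addition wraps modulo 2^32. */
uint32_t arm_deadline(uint32_t now_ms, uint32_t delay_ms) {
    return now_ms + delay_ms;
}

/* Naive check: wrong whenever the counter wraps between arming and checking. */
bool expired_naive(uint32_t now_ms, uint32_t deadline_ms) {
    return now_ms >= deadline_ms;
}

/* Wrap-safe check: the unsigned difference is reinterpreted as a signed
 * offset, so a deadline within +/- 2^31 ms compares correctly across a wrap. */
bool expired_wrapsafe(uint32_t now_ms, uint32_t deadline_ms) {
    return (int32_t)(now_ms - deadline_ms) >= 0;
}

int main(void) {
    struct duration p = split_duration(COUNTER_PERIOD_MS);
    printf("32-bit ms counter wraps after %" PRIu64 " days %" PRIu64 " h %"
           PRIu64 " min %" PRIu64 " s %" PRIu64 " ms\n",
           p.days, p.hours, p.minutes, p.seconds, p.millis);

    /* Constructed case 1: a 64 ms timer armed 16 ms before the wrap, checked
     * 8 ms after arming. The deadline has wrapped to a small value, so the
     * naive check fires 56 ms early; the wrap-safe check says "pending". */
    uint32_t armed_at = 0xFFFFFFF0u;
    uint32_t deadline = arm_deadline(armed_at, 64);   /* == 0x30 after wrap */
    uint32_t check1   = 0xFFFFFFF8u;
    printf("case 1 naive=%s wrapsafe=%s\n",
           expired_naive(check1, deadline) ? "expired" : "pending",
           expired_wrapsafe(check1, deadline) ? "expired" : "pending");

    /* Constructed case 2: an 8 ms timer armed just before the wrap, checked
     * after the counter has wrapped. The naive check never fires (the timer
     * is stuck); the wrap-safe check correctly reports it expired. */
    uint32_t deadline2 = arm_deadline(armed_at, 8);   /* == 0xFFFFFFF8 */
    uint32_t check2    = 0x00000010u;
    printf("case 2 naive=%s wrapsafe=%s\n",
           expired_naive(check2, deadline2) ? "expired" : "pending",
           expired_wrapsafe(check2, deadline2) ? "expired" : "pending");
    return 0;
}
```

The practical checks this suggests for a defender are the same two: any timer or timestamp held in a 32-bit tick count needs a documented wrap policy (widen it to 64 bits, or compare only through a signed-difference helper), and long-uptime hosts should be tested past the wrap point rather than assumed to behave.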
Timestamps of Key Segments
- Iranian hacker activity and warnings: [00:14]–[03:39]
- Microsoft account suspension incident: [03:39]–[04:51]
- Adobe Reader zero-day and other vulnerabilities: [05:38]–[08:12]
- UNC6783 social engineering campaign: [08:12]–[09:25]
- Majesu botnet tactics: [09:42]–[10:40]
- CISA Ivanti mandate: [10:40]–[11:35]
- Edgar Capdevieli on OT security: [13:43]–[23:32]
- macOS 49-day networking bug: [24:27]–[25:17]
Conclusion
This episode delivers a dense snapshot of current and emerging cybersecurity threats with particular focus on nation-state tactics and escalating vulnerabilities in critical infrastructure. The expert perspective of Edgar Capdevieli offers unique insider views on attacker tradecraft, the role of AI, and the evolving industry culture around OT security—a must-listen (or read) for professionals facing these cross-sector cyber risks.
