A
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor, Arcova. Formerly MorganFranklin Cyber, Arcova is a global cybersecurity and AI consulting firm built by practitioners who've been in the seat. They work directly with enterprise teams to solve complex security challenges or build secure-by-design programs that hold up as technology and threats evolve. From focused engagements to long-term partnership, Arcova delivers outcomes that endure, because no one should navigate complexity alone. Learn why leading global enterprises trust Arcova at www.arcova.com. That's A-R-C-O-V-A dot com.
B
Iran-linked hackers claim a breach of the FBI Director's personal email. ShinyHunters hit the European Commission. F5 and Citrix warn of actively exploited flaws. A WordPress plugin exposes hundreds of thousands of sites. Infinity Stealer targets macOS users. A Russian APT adopts a new iOS exploit kit. Treasury weighs a cyber insurance backstop. DHS clears suspended CISA staff. Our guest is Brian Long, CEO and co-founder of Adaptive Security, discussing deepfake job hires and the new identity attack surface. And bureaucrats bless a black box behemoth. It's Monday, March 30, 2026. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to be back home after an eventful RSAC conference. We are appreciative to everyone who stopped by to say hello while we were in San Francisco. We gathered up a ton of interviews and we will be sharing those with you over the next couple of weeks. Thanks for joining us. Iran-linked hackers calling themselves Handala Hack Team claim they breached FBI Director Kash Patel's personal Gmail account and published photos and more than 300 emails online. The FBI confirmed the account was targeted, but said the material was historical and contained no government information. Reuters could not independently verify the emails, though the address matches one previously tied to Patel in earlier breaches. Handala, widely assessed by Western researchers as a front for Iranian cyber intelligence activity, has recently claimed additional attacks, including against medical device firm Stryker and alleged data exposure involving Lockheed Martin employees. Analysts say the Patel leak fits a broader Iranian strategy to embarrass U.S. officials and signal reach during ongoing tensions with the United States and Israel. These sorts of intrusions into officials' personal accounts are not unusual and resemble earlier incidents involving senior U.S. figures.
Intelligence assessments suggest Iran may continue low-level cyber operations as part of retaliatory pressure. The European Commission confirmed a data breach affecting its Europa.eu web platform after an attack claimed by the ShinyHunters extortion group. Investigators say at least one Amazon Web Services account tied to the platform was compromised, though internal Commission systems were not affected and public websites remained operational. Officials believe some data was taken and are notifying potentially impacted EU entities while continuing to assess the scope of the incident. ShinyHunters claims it stole more than 350 gigabytes of data, including databases, mail server content, contracts and other sensitive files, and has posted a 90 GB archive on its leak site. The Commission has not verified the full extent of these claims, but says it is monitoring the situation and strengthening security measures. F5 Networks has upgraded the severity of a vulnerability in its BIG-IP Access Policy Manager from a denial-of-service flaw to a critical remote code execution issue, warning it is actively exploited to deploy web shells on unpatched systems. The bug allows unauthenticated attackers to execute code on affected devices configured with access policies on virtual servers. F5 says earlier patches still address the risk but urges organizations to review logs, disks and terminal histories for signs of compromise. CISA added the flaw to its catalog of actively exploited vulnerabilities and ordered federal agencies to secure systems immediately. With more than 240,000 BIG-IP instances exposed online, the vulnerability presents a significant enterprise risk. Security researchers have confirmed active exploitation of a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway that can allow unauthenticated attackers to leak sensitive memory data.
The flaw affects only customer-managed systems configured as SAML identity providers. Honeypot telemetry from watchTowr and Defused observed attackers sending crafted SAML requests to trigger data exposure. Citrix and agencies, including the UK's National Cyber Security Centre, urge immediate patching, warning that exploitation began within days of disclosure and is ongoing in the wild. A vulnerability in the Smart Slider 3 WordPress plugin, installed on more than 800,000 websites, allows authenticated users with subscriber-level access to read arbitrary files from affected servers. The flaw stems from missing capability and file validation checks in the plugin's AJAX export function, enabling access to sensitive files such as wp-config.php, which contains database credentials and cryptographic keys. Although rated medium severity because authentication is required, the issue poses significant risk for sites with user accounts. The bug affects multiple versions. Researchers estimate roughly half a million sites may still be vulnerable. No active exploitation has been confirmed, but administrators are urged to update promptly. Infinity Stealer is a newly identified macOS information-stealing malware delivered through a fake Cloudflare CAPTCHA using the ClickFix social engineering technique. Victims are prompted to paste a base64-encoded curl command into Terminal, which installs a Python-based payload compiled into a native macOS binary using the Nuitka compiler. According to Malwarebytes, this marks the first observed campaign combining ClickFix delivery with a Nuitka-compiled macOS infostealer. Once installed, the malware performs anti-analysis checks and steals browser credentials, macOS Keychain data, cryptocurrency wallets, screenshots and developer secrets before exfiltrating them to command and control infrastructure.
Researchers say the native binary format complicates detection and analysis, highlighting increasingly sophisticated threats targeting macOS users. Russian state-linked threat group Star Blizzard has adopted the DarkSword iOS exploit kit in a new campaign targeting Apple devices and iCloud accounts, according to Proofpoint. The activity, observed March 26, uses Atlantic Council-themed phishing emails sent from compromised accounts and marks a shift to link-based delivery. Evidence suggests the group is using DarkSword for credential harvesting and intelligence collection. Targets included government, financial, legal, academic and think tank organizations, indicating expanded operational scope. The US Treasury Department is seeking public comment on whether catastrophic cyber incidents should qualify for coverage under the Terrorism Risk Insurance Program (TRIP), signaling renewed debate over a possible federal cyber insurance backstop originally created after 9/11. TRIP supports insurers facing large terrorism-related losses, but cyberattacks remain difficult to classify under the program due to challenges around attribution, intent and scale. Officials are examining whether this ambiguity leaves critical infrastructure operators exposed to major cyber disruptions that private insurers may not be able to absorb. Researchers say discussions remain exploratory, with no immediate policy changes expected, even as cyber risks continue to grow. Experts warn that events such as large cloud outages or attacks on power grids could exceed current insurance limits. Insurers often structure policies to avoid correlated systemic losses, increasing concern that a severe cyber incident could create economic damage beyond what the private market can cover.
The Department of Homeland Security has ended an investigation into seven Cybersecurity and Infrastructure Security Agency staff members who were placed on leave after arranging a counterintelligence polygraph exam that former acting CISA Director Madhu Gottumukkala failed in July 2025, officials said. The probe was closed about a week ago and the staff were cleared of wrongdoing. At least five career employees and one contractor had their security clearances suspended following their involvement in scheduling or approving the exam, which was required for access to a sensitive intelligence program. Lawmakers on the House Homeland Security Committee welcomed the decision, calling the action a correction after employees were penalized for performing their duties. It remains unclear whether all affected staff will return, and CISA continues to operate without permanent leadership. Coming up after the break, my conversation with Brian Long, CEO and co-founder of Adaptive Security. We're discussing deepfake job hires and the new identity attack surface. And bureaucrats bless a black box behemoth. Stick around. Maybe that's an urgent message from your CEO. Or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back. From automatically dismantling cross-channel attacks to building team resilience and more, Doppel is outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com. Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result?
Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire. Brian Long is CEO and co-founder of Adaptive Security. I caught up with him last week at RSAC 2026 for this sponsored Industry Insights conversation.
C
And what these personas can do is they're not just your voice and likeness, they also know who you are. They know where you work in the company, they know the org chart, they know your coworkers' names, they know your job. They can get all this information from LinkedIn, from other data brokers, public sources, and they can have a very coherent conversation with you that really, you know, gets to the point and can get past a lot of your typical controls when you are ascertaining whether or not it's actually the individual. So I think that's what's changed. And that's available to everyone now, right? Anyone from an 8-year-old to an 80-year-old can do it. And it's really cheap now too. It used to be very expensive, but now it's super cheap.
D
And we are back on the show floor at RSAC 2026 and it is my pleasure to be joined by Brian Long. He is the CEO and co founder of Adaptive Security. Brian, thanks so much for joining us.
C
Hey, thanks for having me.
D
So we are going to talk today about this problem that I think is relatively new in the industry, which is these folks trying to scam their way into becoming employees at our companies.
C
Yes.
D
Can we start off, just rewind a little bit and get a little bit of the history of how this even became a thing?
C
Yeah, yeah. Well, you know, we've been worrying about insider risk for a few years now and AI has made insider risk really redefined to be a risk around deepfakes and impersonation job applicants and ultimately people applying to jobs and getting jobs who may not exist at all. Right. So we've seen a huge increase in the volume of job applicants that are actually not real people. They'll find someone's LinkedIn profile, they'll find their picture, their background and they'll pretend to be them and they'll get a job at the company. And now because the vast majority of companies actually employ remote employees, they never meet the person. Right. So it's growing at an astonishing rate.
D
Tell us about that process. You know, I'm an HR person. I'm working with my team to try to onboard a new hire. What does this look like to me? Does it look normal? Like where, where do my red flags start going up?
C
Yeah, look, HR people are under a lot of pressure to find great applicants, particularly for maybe an engineering type of role or something that's highly sought after. So sometimes applicants can be a little quirky and, you know, an applicant might go through the process and say, you know, oh no, I can't do it on site. You know, I just want to finish the process remotely. But hey, they did amazing. Their profile is amazing. We really need this hire. Let's just hire them. Most companies do not have controls in place that force someone to do an in-person meeting for a remote-based role. Right. It also costs money for the company. You know, they're going to fly the person in, they've got to spend a bunch of time, put them in a hotel, etc. So it's a lot easier for companies to just hire remotely. But what's kind of crazy is that Gartner estimates that by 2028, one in four job applicants will be impersonation applicants. So isn't that crazy? So almost 25% of applicants will not be real people. And you can see, once they get the job, they get access to all the systems, then they can cause all sorts of havoc.
D
Well, so let's dig into that aspect of it. What are they after here? Why all this effort to pull one over on the HR staff?
C
Yeah, well, look, once you're an employee at the company, a lot of companies do provide significant access to almost every employee, to all systems. Right? So, you know, sometimes if it's a very large company, maybe they're a bit smarter about that. But we've even seen in our own large, you know, sensitive government documents for a while that folks had access to everything, right? Like, one analyst would have access to, like, every wire that the US Government sends. So this issue of least privileged access is one that I think we're going to see grow greater and greater because we need to ensure that not every employee has that access. Some people are going to get these jobs regardless. And number two, we have to change the controls so that folks can't just get a job without meeting someone. What I'm worried about is that for that final step, they pay an actor to go in, you know, pretend to be the person, whatever, and they're not the person. Yeah, yeah.
D
Is the fake person doing the work that's required of them?
C
Well, you know, look, they don't have to be in the job very long in order to get everything that they need. You know, plant ransomware, pull a bunch of confidential data and download it and grab it. You know, whatever they might want to do. They only need to be employed for like a day to do it. Now, there may be sleeper agents that keep the job for months or years and just slowly pull data out. I think that's happening right now at a lot of organizations as well. But that's probably more like a state actor who would do something like that rather than someone who is doing it for pure financial motives.
D
Okay.
C
Yeah.
D
Well, let's talk about solutions. Putting those access controls in place. What should the standard be these days? How do organizations protect themselves?
C
Look, I would simplify it down to two core things, right? Number one is awareness. So most people, you know, we live in a bit of a tech bubble, right? We all live and breathe this every day. So this doesn't sound crazy to you and I, but the average person finds this to be totally insane. The idea that someone's going to impersonate someone else to get a job and get a remote job at their company sounds insane. So I think first getting that message out to everyone so they understand how big of a problem this is today is number one. Number two is controls. You should not be hiring someone if you have not met them in real life. And when you meet them in real life, you should verify it's really them. You know, talk to them about, you know, what they did. Do they actually have that information? Does it match the picture, the full background, et cetera, and make sure that indeed that is who they're pretending to be.
D
Where do you suppose we're headed with this then? I mean, it seems to me like this is kind of a recalibration of almost where HR sits within the organization. Is that accurate?
C
It is a recalibration, but I think the other reality is that now we're beginning to talk about digital coworkers, right? We're talking about agents doing jobs. So I think it's not dissimilar from some of the controls that are needed to deal with access controls for agents and people. Those also need to account for these new types of threat situations that are happening with, you know, real hires as well. So a lot is changing very quickly and the modern workforce is going to have to adjust. Frankly, the workforce I'm most worried about is mid-market to large mid-market companies, because I think that large businesses, tens of thousands of people, you know, particularly in areas like finance or tech, you know, they're going to be on top of this, they're going to deal with these changes quickly because they understand the threat and frankly, they have much bigger security budgets. Right. So they can buy a bunch of the leading cutting-edge security tools that are finding these issues and taking care of them. It's, you know, the millions of companies globally that have anywhere from 100 people to 10,000 people that are not ready for this at all and that we need to educate and put controls in place for, and also give access to reasonably priced cybersecurity software to protect them.
D
What are your recommendations for organizations who feel as though they want to start this journey? Maybe they're feeling a little intimidated by the process. What's the best way to begin?
C
Yeah, look, I think the best way to begin the journey is just to start to learn the basics. And if you do go to adaptivesecurity.com, we do have a lot of free materials that you can access within our white papers. Also available at free adaptivesecurity.com is a bunch of free trainings that you can take, targeted for older adults or for children and parents, to teach them the basics. And then if you want to roll things out customized to your organization, you can sign up to get a demo at adaptivesecurity.com. All right.
D
Brian Long is the CEO and co-founder of Adaptive Security. Brian, thanks so much for taking the time.
C
Hey, thanks for having me. Appreciate it.
B
There's a lot more to this conversation than we have time to share here, so please check out the full unedited interview. You can find a link to that in our show notes. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. And finally, in late 2024, federal cybersecurity reviewers examined Microsoft's Government Community Cloud High and came away with what might politely be called concerns, and less politely, something closer to despair, according to ProPublica.
After years of requesting basic documentation about how sensitive data moves and is encrypted inside the system, reviewers still lacked enough visibility to judge its security posture with confidence. Unfortunately for everyone involved, the product was already widely deployed across agencies like Justice and Energy, making rejection awkwardly impractical. So FedRAMP authorized it anyway, attaching what amounted to a proceed-with-caution label and hoping for the best. The decision followed years of incomplete diagrams, stalled reviews, and mounting pressure from agencies already committed to the platform. Critics now warn the process looks less like rigorous oversight and more like paperwork theater, especially as staffing cuts leave fewer people around to verify what exactly was approved in the first place. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Date: March 30, 2026 | Host: Dave Bittner (N2K Networks)
This episode dives into a series of headline cybersecurity incidents, including a breach affecting the FBI Director's personal email, a large-scale cyberattack on the European Commission, and multiple high-severity vulnerabilities impacting enterprises globally. A featured Industry Insights interview with Brian Long, CEO & Co-Founder of Adaptive Security, highlights the alarming trend of deepfake job applicants and the evolving threat to organizational identity security.
"Analysts say the Patel leak fits a broader Iranian strategy to embarrass U.S. officials and signal reach during ongoing tensions..."
— Dave Bittner [03:22]
Topic: Deepfake Job Hires & the New Identity Attack Surface
[14:26–22:36]
Deepfakes + Social Profiling: Attackers use public data (LinkedIn, data brokers, company org charts) to convincingly impersonate real individuals—voice, visuals, employment history.
Accessibility & Cost: “Anyone from an 8 year old to an 80 year old” can now engineer such attacks affordably.
"They can have a very coherent conversation with you that really... gets to the point and can get past a lot of your typical controls."
— Brian Long [14:29]
Remote Work Enables Attacks: Many companies never physically meet new hires for remote roles, opening the door for fake applicants to secure access to sensitive systems.
"Gartner estimates that by 2028, one in four job applicants will be impersonation applicants... almost 25% of applicants will not be real people."
— Brian Long [16:39]
Awareness: Most non-security staff find the concept of fake applicants “insane”—first step is education throughout the workforce.
In-Person Verification: Mandate face-to-face onboarding—even for remote positions—to verify identity with documents and basic employment background checks.
"You should not be hiring someone if you have not met them in real life, and when you meet them... verify it's really them."
— Brian Long [19:33]
Access Controls: Move toward least privilege and segment access by job function to reduce risk when incidents do slip through.
Organizations at Risk: Large enterprises are adopting new controls and tools quickly, but mid-market firms (100–10,000 employees) are “not ready for this at all.”
Getting Started: Free training materials are available for all ages and organizational roles at Adaptive Security's website for education and onboarding assistance.
"Learn the basics... if you want to roll things out customized to your organization, you can sign up to get a demo."
— Brian Long [22:01]
On the new attack surface:
"AI has made insider risk really redefined to be a risk around deepfakes and impersonation job applicants and ultimately people applying to jobs... who may not exist at all."
— Brian Long [15:45]
On the scale of the threat:
"Once they get the job, they get access to all the systems, then they can cause all sorts of havoc."
— Brian Long [16:39]
On education:
"The average person finds this to be totally insane... that someone's going to impersonate someone else to get a remote job at their company..."
— Brian Long [19:33]
This episode delivers a sobering look at the rapid evolution of cyber threats—from geopolitical hacking campaigns to the new era of identity attacks driven by AI and deepfakes. Key takeaways stress the urgent need for awareness, smarter identity controls, and holistic security postures, especially among mid-sized enterprises.
To explore in-depth resources or access free trainings on identity security:
AdaptiveSecurity.com
(Summary excludes advertisements, show intros/outros, and non-content sections.)