Loading summary
Maria Varmazas
You're listening to the Cyberwire Network powered by N2K.
Sponsor/Advertisement Voice
AI is making phishing attacks faster, more convincing and harder for people to spot, and traditional security awareness and phishing training weren't designed for this level of attack. HOX Hunt helps security teams prepare employees for the attacks they face every day with personalized phishing training that adapts to each employee and reduces risky behavior over time for IT and security leaders looking to strengthen their human layer of defense without adding more manual work. Visit hoxhunt.com cyberwire to learn more. That's H o x h u n t.com cyberwire.
Maria Varmazas
LastPass says clue breach affected customer information, but passwords remain secure Attackers begin exploiting Cisco Unified CM vulnerability CISA flags actively exploited Ubiquiti and Lantronics flaws urges rapid patching Diffitap flaws could expose private AI conversations across tenants, researchers find. AI plugin registry let unofficial tools masquerade as trusted software exploiters launches leaksight signaling shift towards full service cyber extortion ransomware Somewhere attack hits Indian auto giant Bajaj Auto US Presses Meta to submit AI models for national security reviews Alleged criminal marketplace administrator extradited to the U.S. the United States expands sanctions against Cambodian scam network tied to cyber fraud operations on today's Industry Voices segment, we are joined by Mike Machuli, Managing Director of Migration Products and Services at semperis, discussing RC4 and AD migration, the break scenarios, hiding in your source domain and a lesson in access control. Today is Wednesday, June 24, 2026. I'm Maria Varmazas in for Dave Bittner and this is your Cyberwire Intel Brief.
Mike Machuli
Foreign.
Maria Varmazas
Thank you for joining me today. Let's get into it. The Password Manager Provider LastPass has disclosed that the Clue supply chain attack breached personal information and customer support case records belonging to LastPass customers. According to a report from TechCrunch, the company stressed that LastPass products, services and infrastructure were not impacted in any way and customer vaults remain secure. The breach involved business contact information from the company's Salesforce environment, including customer names, phone numbers, email addresses, physical addresses and support case information. Meanwhile, Clue has shared additional details surrounding the breach, during which attackers stole OAuth tokens and gained access to a number of Clue's corporate customers. Clue stated, our investigation determined that an attacker gained access through a compromised legacy credential associated with an integration service. The attacker used that Access to obtain OAuth tokens used to connect clue with certain third party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments a clue spokesperson told TechCrunch that the compromised legacy credential was originally provided to a third party in 2022 for a limited pilot. Attackers are now exploiting a high severity flaw in Cisco Unified Communications Manager server that was patched on June 3, according to a report from Bleeping Computer. The vulnerability can allow an unauthenticated remote attacker to conduct server side request forgery attacks through an affected device and later use this access to elevate privileges to root CISA has added four vulnerabilities affecting Ubiquiti, Unifi OS and Lantronics EDS 5000 devices to its known Exploited Vulnerabilities catalog, indicating that they are being actively abused in real world attacks. The flaws include authentication, bypass path traversal, command injection and code injection vulnerabilities that could allow attackers to gain unauthorized access or execute commands with elevated privileges. Federal agencies have been ordered to remediate the issues on an accelerated timeline, while private sector organizations are also being urged to patch affected systems immediately and review networks for signs of compromise. Researchers at Zafran have disclosed four vulnerabilities collectively dubbed DiffyTap, affecting Diffie, a popular open source AI application platform used to build more than 1 million AI powered apps. Two of the flaws are rated critical and several could allow attackers to access private AI conversations, preview documents belonging to other customers and make unauthorized cross tenant API calls. Some attacks require no authentication at all. Diffie has released patches for most of the vulnerabilities and is working on fixes for the remainder. Researchers at Manifold Security discovered 23 AI agent plugins on the clawhub registry that appeared to come from official OpenClaw and clawhub organizations, but were actually published by unrelated accounts. This issue is known as scope squatting and exploited weak enforcement of namespace ownership rules, allowing plugins to inherit the credibility of trusted brands. While investigators found no malicious code in the affected plugins, many had the ability to Execute code access APIs and perform privileged actions on behalf of AI agents. Following disclosure, Clawhub unlisted the plugins and introduced stronger namespace controls. Dataminer is warning that the financially motivated cybercrime group called Exploiters and has launched a dedicated data leak site, marking a significant evolution in its operations. The group claims access to more than a dozen billion dollar companies and is advertising the sale of compromised corporate networks through encrypted channels. Researchers say that the move consolidates the group's access, brokering and extortion activities into a single platform, potentially accelerating the public exposure of victims. In a follow on to yesterday's coverage of Tata Electronics. Indian motorcycle and vehicle manufacturer Bajaj Auto has also disclosed a ransomware attack that affected systems at both the company and its subsidiary Bajaj Auto Technology. The company says it immediately activated incident response protocols and has brought in cybersecurity experts to contain the threat. According to Bajaj, mitigation efforts have so far been successful and it has not reported any major operational disruptions. The Trump administration is reportedly pressing Meta to join a voluntary government program that reviews advanced AI models for national security risks before public release. Meta is currently the only major USAI developer that has not signed such an agreement. OpenAI, Anthropic, Google, DeepMind, Microsoft and XAI already participate in the review process, which evaluates risks ranging from cyber attacks to to potential military misuse. An Algerian national who was arrested in Spain has been extradited to the US to face charges related to his alleged operation of two cybercriminal marketplaces, according to a report from Security Week. 26 year old Abdullah Belmily is accused of running the market Zero day and Spoxy criminal markets as well as developing phishing kits that targeted major American banks, the US Justice Department said in a press release. During the course of the conspiracy, Bell Milli is accused of defrauding multiple institutions including American Express, bank of America, JPMorgan Chase and Wells Fargo, as well as financial institutions in the United Kingdom. Between January 2020 and January 2023, approximately US$900,000 was deposited into an account controlled by Bell Millie. The investigation has also identified approximately 5,600 U.S. and international victims. Bill Milley is facing a maximum of 30 years in prison for conspiracy to commit bank fraud. The United States has imposed new sanctions on nine individuals and 26 entities linked to Cambodian's Prince Group, which U.S. officials accuse of operating large scale cyber fraud and scam compounds targeting Americans. The action builds on previous sanctions against the organization, which authorities say used online investment scams, cyber enabled fraud, money laundering and human trafficking to generate billions of dollars in illicit proceeds, The Treasury Department said. The latest measures target key leaders, investors and front companies connected to the network as part of an ongoing effort to disrupt transnational cybercrime operations originating in Southeast Asia. And this week's executive order does have major implications for space cybersecurity. With more on that, here's T Minus producer Ethan Cook
Ethan Cook
Thanks Maria. Earlier this week, President Trump signed a new executive order focused on quantum computing. In the Executive Order Ushering in the Next Frontier for Quantum Innovation, the White House is looking to prepare the nation for quantum computing by maintaining its tactical advantage in quantum technologies while also creating a trusted quantum ecosystem. Within Section 5, the White House directed the Administrator of NASA to create a five year plan for developing and extending civilian quantum sensing and networking for space applications. Alongside this effort In Section 4, the White House directed the Assistant to the President for Science Technology to work with NASA, the NSA and other relevant agencies to identify additional actions that would enhance the quantum computer for application development and discovery science effort. For the T minus Space Cyber Briefing, this is producer Ethan Cook. Back to you Maria.
Maria Varmazas
Stay with us after the break Break Mike Maschuli, Managing Director of Migration Products and Services at semperis, is discussing RC4 and AD migration, the break scenarios hiding in your source domain, and a lesson in access control.
Sponsor/Advertisement Voice
When it comes to mobile application security, good enough is a risk. A recent Survey shows that 72% of organizations reported at least one mobile application security incident last year and 92% of responders reported threat levels have increased in the past two years. Guard Square delivers the highest level of security for your mobile apps without compromising performance time to market or user experience. Discover how Guard Square provides industry leading security for your Android and iOS apps at www.guardsquare.com. What's the one thing in business that's spreading as fast as AI? AI risk. Every new tool your team signs up for. Every vendor that turns on AI features, every new integration. Each one creates another opportunity for something to go wrong. And most security programs just weren't built for AI's pace of growth. Enter Vanta. Vanta is the number one agentic trust platform used by more than 16,000 fast moving companies like Ramp, Cursor and Harvey to help ensure they're always audit ready. And now Vanta is helping companies watch for the risks that show up between audits across vendors, AI tools and their entire environment. The Vanta agent works like a 24.7grc engineer in the background, finding issues, drafting fixes and cutting vendor assessment time by up to 50%. Whether you're a fast growing startup or a global enterprise, Vanta is here to help you automate your security and compliance and earn and prove trust. Get started today@vanta.com cyber that's V A N T A dot com cyber.
Maria Varmazas
On today's Industry Voices segment, host Dave Bittner sits down with Mike Masculi, Managing Director of Migration Products and Services at semperis, discussing RC4 and AD migration, the break scenarios hiding in your source domain. Here's their conversation.
Mike Machuli
Most enterprises have known that they should get off of RC4 for over a Decade. And the reason that they haven't done it isn't technical. There's really no forcing function around RC4 deprecation. And RC4 specifically, you know, is a legacy encryption algorithm that's being used today to do a variety of things. Microsoft's been deprecating it slowly and there was no specific moment that demanded action. And then In July, the July 2026, specifically enforcement is that moment. So for organizations running migrations through that window, the migration itself becomes the moment of cleanup. And you're already touching every service account, every key tab, every trust. You might as well fix the encryption story while you're in there.
Sponsor/Advertisement Voice
Most of the coverage that I've seen of RC4 deprecation has been focused on auditing existing environments. Why do you think migration projects have been missing from the conversation?
Mike Machuli
Well, that's a really good point. So Most of the RC4 coverage out there focuses on what's happening to running environments. Auditing the accounts, finding the dependencies, hardening the configuration when almost nobody's covered is what happens when you take an account that's authenticating find today, and then you move it to a new domain during the migration. So standard migration tooling moves NTLM hashes, but not AES keys. The receiving domain tries the AES keys, it can't find the keys, and the authentication fails silently. The first time anybody's noticing this is usually during that cutover and the failures, they look like app errors, not encryption errors. And that's the gap. So it's getting people in trouble. And that's what we've been working on.
Sponsor/Advertisement Voice
Is this one of those situations where somebody starts getting phone calls in the middle of the night that, hey, stuff's not working?
Mike Machuli
Absolutely. And that's what we're trying to advocate for, is doing the preparation tasks that lessen the dependencies. Right. So if we can get in there proactively and lessen those dependencies, we have less surprises and more repeatable and successful migrations.
Sponsor/Advertisement Voice
What is it that makes an RC4 related migration problem look like an application issue instead of an encryption issue?
Mike Machuli
It's the way that it's coming through. It's the way that it's presenting itself. So the AD attribute actually lies and the key tells the truth. So the account's MSDS support and encryption types can advertise AES support, while the underlying key itself, the key material is rc4 only because the password predates the domain functional level of 2008 upgrade and the AES keys were never generated. The KDC trusts the attribute tries AES, finds no key and then the authentication fails. So you can't catch this by reading attributes, you can catch it by correlating accounts where AD says AES keys. But the 4768 and 4769 Kerberos event logs show RC4 tickets actually being issued in steady state. They work on cash tickets. Cutover invalidates every cash ticket. And that's the moment that the issue surfaces.
Sponsor/Advertisement Voice
And what do organizations see in terms of operational impact here?
Mike Machuli
Well, the operational impact is going to be anything that's associated with the account. So the mileage is going to vary. And that's specifically in environments where they haven't done, you know, some of the best practice things around rotating passwords and things of that nature. The at risk population by environment varies too. And again, we're not saying that the sky is falling right, but we're saying that there are things that you can do proactively to get in front of it. When you look at the at risk population in a Greenfield Environment After 2010, you may see a couple of accounts, maybe up to 10. If you're looking at a mid to large enterprise, a decade plus of active directory use and history, you may see, you know, counts in accounts around 20 to 200. And then in more modern or MA built environments with no subsequent identity consolidation, you can see several hundred to low thousands.
Sponsor/Advertisement Voice
So you mentioned that Microsoft has this July 2026 enforcement milestone that's coming up quickly. What's going to happen between now and then? What should organizations be focused on?
Mike Machuli
Organizations should be focused on a variety of things to proactively identify the issue. Specifically, I would follow the four discovery steps. So what we did when we saw kind of the gap in coverage, you know, what we were seeing in industry was we put together a couple of different pieces of information, a few blog posts and things around preparatory tasks. And what we would recommend, and these are well documented in those posts, is to first document and make sure that the domain functional level of every domain inside of the environment or environments is updated in the source and target. And then look for or verify that the Kerberos auditing is enabled on all the DCs. Then you can run an event log correlation so you can find the AES configured accounts that are getting RC4 tickets issued. And that's that 4768 and 4.7 entry. And this is the step that surfaces the attributes. They're essentially lying to you. And then schedule application owner conversations for every Linux, Java and network appliance host. Using AD based Kerberos, because those dependencies you're going to have to get an inventory of. Microsoft is doing the deprecation run in three phases across 2026. In January, they started with the audit in the initial phase, right. So they tied the January Change specific to CVE2026 20833 and they use that security update as the entry point to begin the deprecation. In April, they're pushing a default shift to AES. So the default Kerberos ticket issuance behavior is changing to AES SHA1. So SHA1 for accounts without explicit encryption settings. So RC4 can still be used or it's enabled, but again you have to have it specifically enabled. And then in July they're reporting final enforcement. But as we know, Microsoft doesn't always go ahead and do those configurations that have the potential to break environments. Sometimes they advocate for the changes that are necessary to remove the dependency and then they soft roll it.
Sponsor/Advertisement Voice
So am I correct in my understanding that there's kind of a hidden architecture element here? One of the points you make in your research is that every migration is going to need a plain text password material to generate these new AES keys. Why is that an important concept for organizations to understand?
Mike Machuli
So the most secure migration would be creating the accounts in the target and then regenerating the passwords in the target and not synchronizing the passwords between the source and the target. If you need to do it another way. We used to be able to copy the hashes, or specifically the hash of a hash, to synchronize that password over to the target environment. And that would essentially precede or salt in the target environment the hash which would enable the user to log in with the same password that's not available to us anymore with the addition of the AES key. The only way to be able to proactively generate an AES key in the target would be to capture plain text password information, presumably in the source environment, because that's where it lives, and then set it in the target environment for that user account. Now, in order to do that, you have to put a filter on all the domain controllers inside of the source environment. And at the same time, you have to go ahead and generate a password change event inside of that source environment and then ensure everybody that's in scope for migration hits one of those domain controllers. And then you have to take that information over in a secure manner to the target environment and essentially inject it programmatically into that target active directory environment in order to keep that usability. Now we can do all that, right? And that's what some people are doing in industry, or we can take a new approach or a different approach and we can say in today's new world, the Internet being as volatile as it is, we're going to need to force a password reset. And if we're going to do a password reset, we should probably fix it forward and do it in that target environment so that we know that we land in the most secure environment that's available to us based on today's standards.
Sponsor/Advertisement Voice
What's your guidance for the various stakeholders here? I mean, you've got the executives in the organization, you've got the folks who are tasked with the migration, you've got the security team. What sort of collaborations or conversations should they be making as they're or should they be having as they're prioritizing their actions over the next few months?
Mike Machuli
Have the conversations internally with your infrastructure teams. Try to understand the genesis of your source active directory environments. If there's any gaps in that knowledge, try to build them out as best as you possibly can and then run the process. So four things in order. Document the patch, state and domain functional level of all the domains in the environment. Verify the Kerberos auditing that it's enabled on all DCs, run an event log correlation looking for AES configured accounts, getting those RC4 tickets issued. 4. Schedule conversations with the app owners. Again, understand that application infrastructure and that's for every Linux, Java and network appliance host that's using AD Base Kerberos. Those first steps surface most of the actual break list.
Sponsor/Advertisement Voice
What's your advice for organizations that are headed down this path? What can they do to put themselves in a position where they're most likely to see success here?
Mike Machuli
I mean, today they can go out. Today they can read the blog post that Semper has put up and we can start by doing the documentation steps inside of that blog post. And it's a pretty well detailed process that you can run through to see exactly what exposure you have. At the same time, if they don't have staff internally or they don't have the appetite to do it internally, they can reach out to a service provider or even separate professional services, and we can assist in that way as well.
Maria Varmazas
That was Mike Machiuli, Managing Director of Migration Migration Products and Services at Semperis, sitting down with host Dave Bittner discussing RC4 and AD migration. The break scenarios Hiding in your source domain.
Sponsor/Advertisement Voice
Most environments trust far more than they should and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allowlisting, you stop unknown executables cold. With ring fencing, you control how trusted applications behave. And with threatlocker DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. Its powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today.
Maria Varmazas
When you need to build up your team to handle the growing chaos at work, use Indeed Sponsored Jobs. It gives your job post the boost it needs to be seen and helps reach people with the right skills, certifications and more. Spend less time searching and more time actually interviewing candidates who check all your boxes. Listeners of this show will get a $75 sponsored job credit@ Indeed.com podcast. That's Indeed.com podcast. Terms and conditions apply. Need a hiring hero? This is a job for Indeed Sponsored Jobs. And finally, Meta has paused a controversial employee monitoring program after an internal security issue exposed data collected from workers laptops to people across the company. The program was designed to help train AI models and collect information, including keystrokes, mouse clicks, screen content, prompts, and transcriptions. What could possibly go wrong? Well, according to an internal security notice reviewed by wired data across 45,000 internal tables was left accessible because of misconfigured access controls. Yeah, the incident comes after months of employee concerns about the program. More than 1,600 workers had already signed a petition warning that collecting this kind of data could create security and privacy risks.
Mike Machuli
And?
Maria Varmazas
Well, Meta says it has no indication that the data was improperly accessed and has paused the program while it investigates. It is the kind of story that cybersecurity professionals hear all the time. A project built to collect massive amounts of data runs into trouble because that massive amount of data now needs protecting. Or as some Meta employees might put it, the AI training exercise unexpectedly became a security awareness exercise. And that's the Cyberwire Daily, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity if you like our show, please share a rating and review in your podcast app. He's also filming the survey in the show Notes or send an email to cyberwire2k.com N2K's lead producer is Liz Stokes. We are mixed by Trey Hester with original music and sound design by Elliot Piltzman. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher and I'm Maria Varmazas in for host Dave Buettner this week. Thank you for listening. We'll see you tomorrow. This episode is brought to you by Google Chrome. You think you know a browser, but Gemini and Chrome?
Ethan Cook
That's new.
Maria Varmazas
It can help you with practically anything on the web like restoring a vintage motorcycle from a 50 page restoration block or finally break down that long article you've had open for weeks. Gemini and Chrome is here for it, ready to make anything online make sense. There's no place like Chrome. Check responses, setup required compatibility and availability various 18.
Date: June 24, 2026
Host: Maria Varmazas (in for Dave Bittner), N2K Networks
Featured Guest: Mike Machuli, Managing Director of Migration Products and Services, Semperis
This episode delivers a comprehensive breakdown of the day’s biggest cybersecurity news, with a major focus on recent data breaches, newly exposed vulnerabilities, and policy developments in both the public and private sectors. The central "Industry Voices" segment features a deep-dive interview with Mike Machuli on the pitfalls and critical considerations of RC4 deprecation and Active Directory (AD) migration—a highly timely topic given Microsoft’s July 2026 enforcement milestone. The episode also covers international law enforcement activity, US government policy on AI and quantum computing, and a notable story about internal data exposure at Meta.
(Timestamps: 02:46 – 10:46)
(Timestamps: 09:48 – 10:46)
Deep-Dive Interview: Mike Machuli, Semperis
(Timestamps: 13:21 – 24:34)
(Timestamps: 26:07 – 27:28)
On RC4 deprecation:
“Most enterprises have known that they should get off of RC4 for over a decade... And then in July, the July 2026, specifically enforcement is that moment.”
— Mike Machuli ([13:36])
On migration risks:
“Standard migration tooling moves NTLM hashes, but not AES keys... The authentication fails silently. The first time anybody’s noticing this is usually during that cutover and the failures, they look like app errors, not encryption errors. And that's the gap.”
— Mike Machuli ([14:37])
On troubleshooting and detection:
“The account’s MSDS support and encryption types can advertise AES support, while the underlying key itself, the key material is RC4 only... You can’t catch this by reading attributes, you can catch it by correlating accounts... looking at Kerberos event logs show RC4 tickets actually being issued.”
— Mike Machuli ([15:56])
On password management in migration:
“The only way to proactively generate an AES key in the target would be to capture plain text password information... Now, in order to do that, you have to put a filter on all the domain controllers inside of the source environment... Or we can take a different approach and force a password reset.”
— Mike Machuli ([20:49])
Meta’s data exposure lesson:
“What could possibly go wrong? Well...data across 45,000 internal tables was left accessible because of misconfigured access controls.”
— Maria Varmazas ([27:28])
| Timestamp | Segment/Topic | |------------|-------------------------------------------------| | 02:46 | LastPass/Clue breach, supply chain vulnerabilities| | 04:20 | Cisco, Ubiquiti, Lantronics vulnerabilities | | 05:20 | DiffyTap—the AI conversation exposure flaws | | 06:10 | AI plugin registry (scope squatting) | | 07:10 | Exploiters leak site, Bajaj Auto ransomware | | 08:20 | Meta position on AI security reviews, extradition| | 09:48 | White House quantum computing executive order | | 13:21–24:34| RC4 & AD migration interview with Mike Machuli | | 26:07 | Meta’s internal employee-monitoring data leak |
This edition of CyberWire Daily offers a rich blend of breaking cybersecurity news and actionable, expert advice for enterprise professionals navigating critical infrastructure decisions. Highlights include practical migration guidance ahead of RC4’s forced retirement, fresh insights into emerging attack vectors, and reminders of the persistent risks in managing data privacy—even inside the most tech-savvy organizations.