CyberWire Daily: "MFA meets its match."
Date: February 19, 2026
Host: Dave Bittner (N2K Networks)
Guest: Tim Starks (CyberScoop, Senior Reporter)
Episode Overview
This episode delivers the latest in cybersecurity news, focusing on a critical escalation in phishing techniques that undermines Multi-Factor Authentication (MFA). The show covers a spectrum of pressing topics: a major phishing toolkit called Starkiller, significant data breaches, vulnerabilities in development tools, global law enforcement actions, regulatory debates in the US, and policy shifts in European military cybersecurity. The episode features an in-depth interview with Tim Starks about upcoming CISA town hall meetings regarding Industrial Control System (ICS) cyber incident reporting regulations.
Key Discussion Points & Insights
1. Starkiller: New Phishing Toolkit Threatens MFA
- Main Insight: Starkiller, a new phishing toolkit uncovered by Abnormal Security, marks a significant step forward in phishing infrastructure sophistication.
- How it works:
- Operates as a proxy, serving genuine login pages through attacker infrastructure rather than static clones.
- Launches a headless Chrome browser, letting victims interact with real sites in real time.
- Forwards MFA codes or session tokens to legitimate services instantly, enabling MFA bypass.
- Supports impersonation of major brands (Google, Microsoft, financial institutions) and offers real-time session monitoring/keylogging.
- Subscription model: Sold on the dark web with ongoing updates and support.
- Quote:
- "Because users interact with the live site, any multi factor authentication codes or session tokens are forwarded to the legitimate service instantly, enabling attackers to bypass MFA." (A, 02:32)
- Timestamp: 00:45–02:55
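The point in the bullets above is that a relayed one-time code carries nothing about where the user typed it, so a live proxy passes it through intact. The added example below (not from the episode, and not Abnormal Security's analysis) contrasts that with an origin-bound assertion in the WebAuthn style, where the authenticator signs the origin the browser actually visited and the relying party rejects anything signed for the wrong site. All names are constructed; a toy HMAC stands in for the authenticator's signature.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical legitimate sign-in origin (constructed for this example).
RP_ORIGIN = "https://login.example.com"


def otp_verify(issued_code: str, submitted_code: str, origin_seen: str) -> bool:
    """A typed one-time code: origin_seen is deliberately unused, because nothing in a
    six-digit code binds it to the page it was entered on. A proxy can relay it as-is."""
    return hmac.compare_digest(issued_code, submitted_code)


def authenticator_sign(device_key: bytes, origin_seen: str, challenge: str) -> dict:
    """The user's authenticator signs the origin reported by the browser plus the
    server's challenge (simplified clientDataJSON; HMAC stands in for a real signature)."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin_seen}
    data = json.dumps(client_data, sort_keys=True).encode()
    sig = hmac.new(device_key, data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def rp_verify(device_key: bytes, issued_challenge: str, assertion: dict) -> bool:
    """Relying party checks the signature, the challenge it issued, and the origin."""
    cd = assertion["client_data"]
    data = json.dumps(cd, sort_keys=True).encode()
    expected = hmac.new(device_key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    if cd["challenge"] != issued_challenge:
        return False
    # The decisive check: an assertion signed for a proxy's domain never matches.
    return cd["origin"] == RP_ORIGIN


def simulate(origin_visited_by_user: str):
    """Run both flows for a user who signs in via origin_visited_by_user.
    Returns (otp_accepted, origin_bound_accepted)."""
    device_key = secrets.token_bytes(32)
    # OTP flow: the service sees exactly the code the user typed, wherever they typed it.
    issued_otp = "482913"  # constructed sample code
    otp_ok = otp_verify(issued_otp, issued_otp, origin_visited_by_user)
    # Origin-bound flow: the challenge may be relayed, but the signed origin is the
    # page the browser really loaded, so a relayed assertion fails at the RP.
    challenge = secrets.token_urlsafe(16)
    assertion = authenticator_sign(device_key, origin_visited_by_user, challenge)
    return otp_ok, rp_verify(device_key, challenge, assertion)
```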
2. Major Blockchain Lender Data Breach
- Incident: Figure Technology Solutions, a Nasdaq-listed blockchain lender, suffered a breach impacting nearly 1 million users.
- Details:
- The breach stemmed from an employee who fell for social engineering.
- The ShinyHunters group claimed responsibility and published 2.4 GB of data.
- Exposed info: Names and contact details (approx. 967,000 records).
- Linked to a broader vishing (voice phishing) campaign, including Okta SSO accounts.
- Timestamp: 03:00–03:50
3. IoT Botnet 'Kimwolf' Overwhelms Privacy Network
- Botnet Impact: The Kimwolf botnet attempted to use the I2P privacy network with 700,000 infected devices.
- Effect:
- Flooded and disrupted I2P, which normally hosts 15,000–55,000 nodes.
- Demonstrates a Sybil attack: a flood of attacker-controlled nodes destabilizing a peer-to-peer system.
- Researchers note that botnets are experimenting with resilient C2 infrastructure (I2P and Tor).
- Quote:
- "Operators later acknowledged...they had tried to connect roughly 700,000 infected devices to I2P, overwhelming a network that typically supports between 15,000 and 55,000 nodes." (A, 04:15)
- Timestamp: 03:51–04:40
4. Visual Studio Code Extensions Vulnerabilities
- Discovery: OX Security found four severe vulnerabilities in VS Code extensions.
- Impact:
- Affected extensions (Live Server, Markdown Preview Enhanced, Code Runner) total over 128 million downloads.
- Severity: Remote file exfiltration, arbitrary JavaScript execution, local network scanning, and RCE via social engineering.
- Quote:
- "OX Security said the flaws expose a critical blind spot in developer environments and warned that a single compromised extension could enable broader organizational breaches." (A, 05:30)
- Timestamp: 04:41–05:40
5. DEFCON Bans Linked to Epstein Files
- Development: DEFCON banned three tech figures with documented contacts with Jeffrey Epstein.
- Note:
- No criminal accusations, but bans based on professional interactions.
- DEFCON rarely publicizes bans; this move signals heightened scrutiny on affiliations.
- Timestamp: 05:41–06:15
6. Texas Sues TP-Link Over Supply Chain & Security
- Allegations:
- Misleading consumers about security and mislabeling the origin of components.
- Highlighted risks: Chinese law compelling data sharing, and firmware vulnerabilities exploited by state-backed attackers.
- TP-Link denies the allegations and asserts that US user data stays domestic.
- Timestamp: 06:16–07:30
7. Venezuela Power Outage: Cyber or Kinetic?
- Debate:
- A recent Caracas outage was labelled a cyber operation, but physical evidence points to direct sabotage.
- Experts argue that kinetic damage alone is sufficient to explain it, and that a cyber framing may distort policy responses.
- Quote:
- "How the incident is characterized matters—a cyber only framing could distort policy decisions, overstating digital capabilities while underestimating physical grid vulnerabilities..." (A, 08:20)
- Timestamp: 07:31–08:45
8. African Law Enforcement’s Major Anti-Cybercrime Sweep
- Operation: INTERPOL's "Red Card 2.0"
- 651 arrests, $4.3M recovered across 16 countries.
- Tackled scams: Investment fraud, mobile money, fake loan schemes.
- Over 2,300 devices seized; 1,400+ malicious sites/servers dismantled.
- Notable case: Nigerian sentenced in US for hacking tax firms, fraudulent refunds.
- Timestamp: 08:46–09:45
In-Depth Interview: Tim Starks on CISA’s ICS Cyber Reporting Regulation
(Timestamps: 13:36–20:56)
Legislative & Policy Background
- Key Law: Cyber Incident Reporting for Critical Infrastructure Act (2022)
- Requirements:
- Critical infrastructure operators must report major cyber incidents to CISA within 72 hours; ransomware payments within 24 hours.
- Quote:
- "The law at its core says if you're a critical infrastructure owner/operator, you have to notify CISA within 72 hours if they suffer a major cyber attack." – Tim Starks (13:36)
- Current Status:
- Regulation drafting prolonged; initial deadline missed.
- CISA turning to virtual town halls for greater industry engagement.
Points of Contention
- Key issues:
- Industry claims definitions of ‘covered entity’ are too broad/burdensome.
- Skepticism about whether more listening sessions will address industry concerns.
- Quote:
- "Another session where they just give feedback isn't what some in industry are looking for. They want more details...a two way dialogue about how we're going to get this done." – Tim Starks (17:05)
CISA’s Organizational Pressures
- Morale:
- Staff morale reportedly low; organization facing uncertainty.
- Threats of shutdowns, reorganization, and political pressure reducing federal service appeal.
- Quote:
- "Government service becomes a lot less appealing if you're working without pay or if you're furloughed and...if it just happens every year, it's not a real appealing thing for people who want any kind of stability in their life." – Tim Starks (18:51)
- "I'm reminded of Russell Vought saying that their goal was to traumatize federal employees. It's not a real recruitment ad for working in the government, is it?" – Tim Starks (20:14)
- Host Reacts:
- Dave Bittner: "It's really hard to not be cynical these days. But we will do our best, Tim." (20:40)
- Tim Starks: "I've given up. I'm going to stay simple." (20:50)
9. Poland Bans Recording-Capable Cars from Military Facilities
- Policy:
- Ban on Chinese-made and other vehicles with data-gathering technology at sensitive sites.
- Prohibits connecting work phones to vehicle infotainment systems.
- A security vetting process and NATO alignment are cited as the rationale.
- Quote:
- "If your car might be listening, it can wait at the gate." (A, 21:12)
- Timestamp: 21:04–21:20
Notable Quotes
- "Because users interact with the live site, any multi factor authentication codes or session tokens are forwarded to the legitimate service instantly, enabling attackers to bypass MFA." (A, 02:32)
- "Operators later acknowledged...they had tried to connect roughly 700,000 infected devices to I2P, overwhelming a network that typically supports between 15,000 and 55,000 nodes." (A, 04:15)
- "OX Security said the flaws expose a critical blind spot in developer environments and warned that a single compromised extension could enable broader organizational breaches." (A, 05:30)
- "The law at its core says if you're a critical infrastructure owner/operator, you have to notify CISA within 72 hours if they suffer a major cyber attack." (Tim Starks, 13:36)
- "Government service becomes a lot less appealing if you're working without pay or if you're furloughed and...if it just happens every year, it's not a real appealing thing for people who want any kind of stability in their life." (Tim Starks, 18:51)
- "I'm reminded of Russell Vought saying that their goal was to traumatize federal employees. It's not a real recruitment ad for working in the government, is it?" (Tim Starks, 20:14)
- "If your car might be listening, it can wait at the gate." (A, 21:12)
Additional Noteworthy Segments
- Industry Trends: Continued rise in sophisticated phishing (AI-powered).
- Global Policy: Increasing legislative and enforcement responses to supply chain and espionage concerns (US, Europe, Africa).
- Workforce Concerns: Recruitment and retention of cybersecurity talent in government threatened by instability and morale issues.
This episode paints a fast-changing cybersecurity landscape in which technical innovations in attack tooling (such as Starkiller), vulnerabilities in ubiquitous development tools, and organizational and political challenges interweave. The tone balances urgency and skepticism, especially regarding regulatory effectiveness and government workforce morale.
Listeners come away with an enhanced understanding of both today’s threats and tomorrow’s policy struggles in cybersecurity.
