Dave Bittner
You're listening to the CyberWire Network, powered by N2K. Most security conferences talk about Zero Trust. Zero Trust World puts you inside it. This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert-led sessions, practical case studies, and technical deep dives focused on real-world implementation. Whether you're blue team, red team, or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry, and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ztw.com and take your zero trust strategy from theory to execution. Authorities pursue Black Basta. British authorities launch a new national service to fight fraud and cybercrime. LinkedIn private messages get infected with RATs. PDF Cider is a stealthy backdoor targeting Fortune 100 companies. Researchers uncover a new malicious extension that intentionally crashes the browser. Ingram Micro discloses a ransomware-related data breach. A Jordanian man pleads guilty to selling stolen access to corporate networks. We've got our Business Breakdown. Tim Starks from CyberScoop discusses Sean Plankey's renomination to lead CISA, and grave oversight in the funeral biz. It's Tuesday, January 20th, 2026. I'm Dave Bittner, and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great to have you with us, as always. Ukrainian and German authorities have identified two Ukrainian nationals suspected of working for the Russia-linked ransomware group Black Basta and have placed the group's alleged Russian leader on an international wanted list.
Officials say Black Basta has operated since at least 2022, extorting hundreds of organizations worldwide and causing hundreds of millions of dollars in damage. The two suspects, operating from western Ukraine, allegedly focused on breaching networks and cracking stolen password hashes to enable ransomware attacks. Investigators seized digital devices and cryptocurrency during searches, and analysis is ongoing. Germany identified the suspected ringleader as 36-year-old Russian national Oleg Nefedov, accused of leading the group's operations and ransom negotiations. Authorities believe he is in Russia. Leaked internal chats previously exposed Black Basta's structure and possible ties to the Conti and Ryuk ransomware networks. British authorities have formally launched Report Fraud, a new national service designed to transform how victims of fraud and cybercrime report incidents and how police act on that information. Led by the City of London Police, the system replaces Action Fraud, which faced years of criticism for poor outcomes and lack of victim feedback. Report Fraud provides a single national reporting portal, promises follow-up updates when reports contribute to investigations, and uses real-time analytics to generate actionable intelligence. Officials say fraud now accounts for roughly half of all recorded crime in the UK and costs the economy billions annually. A national awareness campaign aims to drive reporting at scale, while new analytics and closer cooperation with technology and telecoms firms are expected to help disrupt criminal operations more effectively. A phishing campaign delivering malware through private messages on LinkedIn is abusing legitimate open-source tools to infect victims with a remote access Trojan, according to researchers at ReliaQuest. Analysts say the operation targets high-value individuals, including executives and IT administrators, using industry-themed lures to build trust.
Victims receive a malicious link leading to a WinRAR self-extracting archive that installs a legitimate PDF reader alongside a disguised malicious DLL. That DLL is loaded through DLL sideloading, helping the malware evade detection. Attackers then use an open-source penetration testing tool to maintain persistence, steal data, escalate privileges, and move laterally, ReliaQuest warns. The campaign highlights how social media remains an overlooked attack surface and urges organizations to apply email-level scrutiny, training, and controls to platforms like LinkedIn. A malvertising campaign has been caught distributing a fake browser extension called NexShield, posing as a privacy-focused ad blocker for Chrome and Edge, to deliver malware through a new ClickFix variant dubbed CrashFix. Researchers at Huntress say the extension deliberately crashes the browser by exhausting system resources, creating a real denial-of-service condition. When users restart their browser, NexShield displays a fake security warning that instructs them to run copied commands in the Windows command prompt. That action triggers a PowerShell-based infection chain in corporate domain-joined environments. The attack deploys ModeloRAT, a Python-based remote access tool capable of reconnaissance, command execution, persistence, and payload delivery. Huntress attributes the activity to a threat actor known as KongTuke and warns the campaign signals growing interest in enterprise networks. IT distributor Ingram Micro disclosed a ransomware-related data breach affecting over 42,000 individuals after detecting a cyber intrusion in early July of last year. The company said attackers accessed internal file repositories and stole employment and applicant records containing personal and government-issued identification data. Ingram Micro notified authorities, alerted affected individuals, and offered two years of credit monitoring.
While the company did not name the attackers, the ransomware group SafePay later claimed responsibility, alleging it stole 3.5 terabytes of data, claims that remain unverified. A Jordanian national has pleaded guilty in U.S. federal court to selling stolen access to corporate networks, underscoring the central role access brokers play in cybercrime operations, the Department of Justice said. Faras Khali Ahmad Abashiti, also known as Riz, admitted selling unauthorized login credentials tied to at least 50 victim organizations while operating from Georgia, according to prosecutors. Al Bashidi sold the credentials for cryptocurrency on a cybercrime forum in May 2023. The buyer was an undercover law enforcement officer. Investigators say the access provided direct entry into compromised corporate systems and exceeded the legal value threshold under federal fraud statutes. The case was led by the FBI, with extradition support coordinated by the Department of Justice. Sentencing is scheduled for May 2026. Turning to our Business Breakdown, we are highlighting over $350 million raised across seven investments, alongside five acquisitions. On the investment front, Israeli AI security operations company Torq raised $140 million in a Series D round and is now being valued at $1.2 billion. Torq plans to use these new funds to continue expanding the capabilities of its SOC platform and grow its market presence. Additionally, Novi emerged from stealth after raising $51.5 million across three funding rounds. After raising $8.5 million in a seed round in May of last year, $33 million in a Series A round in September, and $10 million in debt financing in December, the Israeli offensive security company is looking to scale AI penetration testing. For acquisitions, CrowdStrike completed two separate acquisitions for a total of $1.1 billion. With these moves, CrowdStrike has acquired both Seraphic, an Israeli browser runtime security provider, and SGNL, a US-based IAM provider.
CrowdStrike intends to use both acquisitions to further support its Falcon platform by incorporating new AI and next-gen capabilities. That wraps up this week's Business Breakdown. For deeper analysis on major business moves shaping the cybersecurity landscape, subscribe to N2K Pro and check out TheCyberWire.com every Wednesday for the latest updates. Coming up after the break, Tim Starks from CyberScoop discusses Sean Plankey's renomination to lead CISA. And there's grave oversight in the funeral biz. Stick around. Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result: fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire. What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires.
Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber. Tim Starks is senior reporter at CyberScoop, and it is always my pleasure to welcome him back to the show. Tim, hello there, sir.
Tim Starks
Hello there, sir.
Dave Bittner
So first of all, Happy New Year. Welcome to 2026 in all of its glory.
Tim Starks
It's amazing so far. Right, Right, right.
Dave Bittner
I want to start off with, I guess, what I can only describe as a surprising story to me, which is that Sean Plankey is back in the mix to head CISA. You reported on this. What's going on here, Tim?
Tim Starks
It's a little surprising to me too, because pretty much his nomination was left for dead by basically everybody I knew.
Dave Bittner
Yeah.
Tim Starks
So it's a little confusing. It's a little mystifying where this leads us next. But the White House has said to me that they are committed to him. Obviously, renominating him suggests that that's the case. It does leave a pretty big question about how in the world does he get this job with what had been going on in the Senate.
Dave Bittner
Well, I mean, let's recap here. My understanding is that his nomination getting struck down, let's say, wasn't so much about him, but about senators holding it up for other reasons. Is that an accurate description?
Tim Starks
It's mostly accurate. You know, I think, to the extent... In one of the cases, the North Carolina Senate delegation, both Republicans, by the way, all Republicans holding him up, for the most part. There are Democrats, there's a Democrat that's holding him up for another reason, but that seems less important.
Dave Bittner
Right now.
Tim Starks
The Republicans from North Carolina are holding him up over disaster aid. They're holding up all DHS nominees. They're saying that they need Kristi Noem to come testify to Senate Judiciary. That's an example. I think the bigger one that everyone had identified for me is that Rick Scott, Senator Rick Scott from Florida, also a Republican, had held up his nomination over a Coast Guard contract for a, for a contractor in his state that got partially canceled. Worth, worth many billions of dollars. And that doesn't seem to be tractable right now. Is that a right word? Because it's intractable? Yeah, it doesn't seem tractable right now. And I guess the reason that he's connected to that in any way, shape or form is that he's been serving as a special adviser to the Coast Guard. Sean Plankey is an old Coastie, so that is a connection, the work he has been doing. But this was Kristi Noem's decision, you know, not his. So how much can you blame him for it? I don't know. So it's not exactly unconnected, but it's not very connected either.
Dave Bittner
Yeah. What kind of timeline do you suppose we're on here for this going one way or another?
Tim Starks
That's a really good question, Dave. I, you know, I, one of my colleagues, you know, with our story, we caught up with Sean Plankey. He was out at an event, he was representing the Coast Guard for an event. And we caught up to him and he, we asked him what, you know, what, what are you going to do to lift these holds, to convince senators to support you? And Sean's response was kind of like, not up to me. It's up to the White House. If the White House shows that they're invested, then, you know, I can probably move forward. So it seems like he's at his wits' end, or at least it sounded that way to us, about what, what, what can happen, what might happen next with him, and that it's out of his control is the way he seems to feel.
Dave Bittner
Yeah, well, I mean, you think if the White House renominates him, then they're certainly literally doubling down on their belief in him, right?
Tim Starks
Yeah. And you know, the, the President's hold on the Republican Party has been pretty remarkable, even by the standards of what we expected it to be coming in, I think. And, and so it's surprising in the sense that, you know, here we have multiple Republicans holding up a nomination. And I'm of the mind, maybe, that, you know, if they did want to exert some more pressure, they could and would, but maybe they decided not to spend their political capital on this. But, you know, why renominate him if you're not going to do everything you can to get him through?
Dave Bittner
Right, right. Well, shifting gears here, you had a story just a few days ago about some software that CISA was offering that had its own vulnerabilities. What's going on with this one, Tim?
Tim Starks
Yeah, this was an interesting one. There was a researcher who found a, a vulnerability that was in a rather, I want to say, ironic place. It was a high-profile place. Yeah, there's a tool that, that CISA has on its website that helps government, government agency folk purchase secure software. And when you go to the website and poke around on there, as this researcher did, that that website, that that tool itself had a vulnerability. Cross-site scripting, it's called, and XSS is what a lot of people call it. The vulnerability might have allowed the people who would have planted an attack on that site to attack others. It might have led to the website being defaced. The other thing that stands out about this, you know, beyond the irony, if you will, is the fact that, you know, this researcher told me, his name's Jeff Williams, he told me that this was something that could have been fixed in five minutes and that it demonstrated that they had really nobody doing the kind of work they needed to be doing. Just sort of basic website stuff that is pretty easy to fix. They had nobody really doing that. And then it took months for them to fix it. It took from September to December for it to get fixed.
Dave Bittner
Any word from CISA as to why it took so long?
Tim Starks
Yeah, they didn't say why it took so long. I mean, I think he had a good answer, at least on part of this. Jeff Williams said about, about the fact that this, that September timeframe, that's when the government was about to shut down. So that makes a certain amount of sense. Although, you know, he said this probably could have been a five-minute fix. I mean, there was a... They have a bug bounty program. There's a bug bounty program through Bugcrowd. Bugcrowd says this wasn't a critical enough vulnerability for them to pay out over it. And then, you know, once he got the attention of CISA, maybe they just decided it was low priority. But once the shutdown happened, well, all bets were off. I mean, CISA did tell me that they appreciated the researcher contacting them, they got it fixed, that actually helped them fix and be aware of some other risks, and that this was an example of the process working, essentially.
Dave Bittner
Okay. All is well that ends well, right?
Tim Starks
Everything's perfect, as we know. All is well and it's going to stay well.
Dave Bittner
There you go.
Tim Starks
There you go.
Dave Bittner
All right. With Tim Starks, the senior reporter at CyberScoop. Tim, thanks so much for joining us.
Tim Starks
Thank you, Dave.
Dave Bittner
When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. The world moves fast. Your workday even faster. Pitching products, drafting reports, analyzing. Microsoft 365 Copilot is your AI assistant for work. Built into Word, Excel, PowerPoint, and other Microsoft 365 apps you use, helping you quickly write, analyze, create, and summarize so you can cut through clutter and clear a path to your best work. Learn more at Microsoft.com/M365Copilot. And finally, in Korea, eight affiliates of the Kyowon Group are now under government investigation after a ransomware attack reminded everyone that even the funeral business is not immune to cybercrime. The incident exposed a quieter problem. The funeral industry's security posture appears to be built more on tradition than on modern safeguards. Data from the Korea Internet and Security Agency shows that none of the country's top funeral service providers have obtained the government's Information Security Management System certification, not because they failed, but because they're not required to try. Funeral companies sit in a regulatory gap, handling data on nearly 10 million subscribers and trillions in prepaid funds while remaining outside rules applied to banks, platforms, or e-commerce firms. Experts say ransomware groups favor exactly this combination: steady cash flow, sensitive data, and thin defenses. Lawmakers now argue it may be time for the industry to plan not just for final arrangements, but for basic cybersecurity hygiene, too. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco.
Date: January 20, 2026
Host: Dave Bittner (N2K Networks)
Guest: Tim Starks (CyberScoop)
This episode of CyberWire Daily provides a sweeping tour through the latest, most pressing cybersecurity threats and developments: a law enforcement crackdown on a major ransomware group, the launch of a national anti-fraud service in the UK, fresh research on evolving malware campaigns, a notable ransomware-related data breach, and insight on how access brokers fuel cybercrime. The show closes with a lively interview with Tim Starks of CyberScoop, covering the politics and security ironies surrounding high-level US cybersecurity appointments, plus a look at vulnerabilities in government-offered tools and the surprising cyber risks facing the funeral industry.
00:55–03:02
"Black Basta has operated since at least 2022, extorting hundreds of organizations worldwide and causing hundreds of millions of dollars in damage." – Dave Bittner (01:22)
03:03–04:27
"Report Fraud provides a single national reporting portal, promises follow up updates when reports contribute to investigations, and uses real time analytics to generate actionable intelligence." – Dave Bittner (03:37)
04:28–05:47
"The campaign highlights how social media remains an overlooked attack surface and urges organizations to apply email-level scrutiny training and controls to platforms like LinkedIn." – Dave Bittner (05:35)
13:35–17:46
"It's a little surprising to me too, because pretty much his nomination was left for dead by basically everybody I knew." – Tim Starks (14:01)
"The White House has said...they are committed to him. Obviously renominating him suggests that." – Tim Starks (14:10)
"The Republicans from North Carolina are holding him up over disaster aid... Rick Scott from Florida... held up his nomination over a Coast Guard contract for a contractor in his state that got partially canceled." – Tim Starks (15:09)
"His response was kind of like not up to me. It's up to the White House." – Tim Starks (16:31)
17:46–20:20
“This was something that could have been fixed in five minutes and that it demonstrated that they had really nobody doing the kind of work they needed... just basic website stuff.” – Tim Starks (18:35)
“Everything’s perfect, as we know. All is well and it’s going to stay well.” – Tim Starks (20:14)
21:32–22:49
"The funeral industry's security posture appears to be built more on tradition than on modern safeguards." – Dave Bittner (21:40)
"Why renominate him if you’re not going to do everything you can to get him through?" – Tim Starks (17:41)
"Ransomware groups favor exactly this combination: steady cash flow, sensitive data, and thin defenses." – Dave Bittner (22:21)
The episode blends concise news coverage with wry emphasis on the ironies of cybersecurity, both in government missteps and in overlooked industry targets. Accessible yet sharply insightful, with both technical and strategic dimensions.
For full details and continuing coverage, visit thecyberwire.com.