Transcript
Dave Bittner (0:02)
You're listening to the CyberWire Network, powered by N2K.
Most security conferences talk about Zero Trust. Zero Trust World puts you inside. This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert-led sessions, practical case studies, and technical deep dives focused on real-world implementation. Whether you're blue team, red team, or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry, and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ztw.com and take your zero trust strategy from theory to execution.
Authorities pursue Black Basta. British authorities launch a new national service to fight fraud and cybercrime. LinkedIn private messages get infected with RATs. PDF Cider is a stealthy backdoor targeting Fortune 100 companies. Researchers uncover a new malicious extension that intentionally crashes the browser. Ingram Micro discloses a ransomware-related data breach. A Jordanian man pleads guilty to selling stolen access to corporate networks. We got our business breakdown. Tim Starks from CyberScoop discusses Sean Plankey's renomination to lead CISA. And grave oversight in the funeral biz.
It's Tuesday, January 20th, 2026. I'm Dave Bittner, and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great to have you with us, as always.
Ukrainian and German authorities have identified two Ukrainian nationals suspected of working for the Russia-linked ransomware group Black Basta and have placed the group's alleged Russian leader on an international wanted list. Officials say Black Basta has operated since at least 2022, extorting hundreds of organizations worldwide and causing hundreds of millions of dollars in damage. The two suspects, operating from western Ukraine, allegedly focused on breaching networks and cracking stolen password hashes to enable ransomware attacks. Investigators seized digital devices and cryptocurrency during searches, and analysis is ongoing. Germany identified the suspected ringleader as 36-year-old Russian national Oleg Nefedov, accused of leading the group's operations and ransom negotiations. Authorities believe he is in Russia. Leaked internal chats previously exposed Black Basta's structure and possible ties to the Conti and Ryuk ransomware networks.
British authorities have formally launched Report Fraud, a new national service designed to transform how victims of fraud and cybercrime report incidents and how police act on that information. Led by the City of London Police, the system replaces Action Fraud, which faced years of criticism for poor outcomes and lack of victim feedback. Report Fraud provides a single national reporting portal, promises follow-up updates when reports contribute to investigations, and uses real-time analytics to generate actionable intelligence. Officials say fraud now accounts for roughly half of all recorded crime in the UK and costs the economy billions annually. A national awareness campaign aims to drive reporting at scale, while new analytics and closer cooperation with technology and telecoms firms are expected to help disrupt criminal operations more effectively.
A phishing campaign delivering malware through private messages on LinkedIn is abusing legitimate open source tools to infect victims with a remote access trojan, according to researchers at ReliaQuest. Analysts say the operation targets high-value individuals, including executives and IT administrators, using industry-themed lures to build trust. Victims receive a malicious link leading to a WinRAR self-extracting archive that installs a legitimate PDF reader alongside a disguised malicious DLL. That DLL is loaded through DLL sideloading, helping the malware evade detection. Attackers then use an open source penetration testing tool to maintain persistence, steal data, escalate privileges and move laterally. ReliaQuest warns the campaign highlights how social media remains an overlooked attack surface and urges organizations to apply email-level scrutiny, training and controls to platforms like LinkedIn.
A malvertising campaign has been caught distributing a fake browser extension called NexShield, posing as a privacy-focused ad blocker for Chrome and Edge, to deliver malware through a new ClickFix variant dubbed CrashFix. Researchers at Huntress say the extension deliberately crashes the browser by exhausting system resources, creating a real denial-of-service condition. When users restart their browser, NexShield displays a fake security warning that instructs them to run copied commands in Windows Command Prompt. That action triggers a PowerShell-based infection chain in corporate domain-joined environments. The attack deploys ModeloRAT, a Python-based remote access tool capable of reconnaissance, command execution, persistence and payload delivery. Huntress attributes the activity to a threat actor known as KongTuke and warns the campaign signals growing interest in enterprise networks.
IT distributor Ingram Micro disclosed a ransomware-related data breach affecting over 42,000 individuals after detecting a cyber intrusion in early July of last year. The company said attackers accessed internal file repositories and stole employment and applicant records containing personal and government-issued identification data. Ingram Micro notified authorities, alerted affected individuals and offered two years of credit monitoring. While the company did not name the attackers, the ransomware group SafePay later claimed responsibility, alleging it stole 3.5 terabytes of data, claims that remain unverified.
A Jordanian national has pleaded guilty in U.S. federal court to selling stolen access to corporate networks, underscoring the central role access brokers play in cybercrime operations, the Department of Justice said. Faras Khali Ahmad Abashiti, also known as Riz, admitted selling unauthorized login credentials tied to at least 50 victim organizations while operating from Georgia, according to prosecutors. Al Bashidi stole the credentials for cryptocurrency on a cybercrime forum in May 2023. The buyer was an undercover law enforcement officer. Investigators say the access provided direct entry into compromised corporate systems and exceeded the legal value threshold under federal fraud statutes. The case was led by the FBI, with extradition support coordinated by the Department of Justice. Sentencing is scheduled for May 2026.
Turning to our business breakdown, we are highlighting over $350 million raised across seven investments alongside five acquisitions. On the investment front, Israeli AI security operations company Torq raised $140 million in a Series D round, now being valued at $1.2 billion. Torq plans to use these new funds to continue expanding the capabilities of its SOC platform and grow its market presence. Additionally, Novee emerged from stealth after raising $51.5 million across three funding rounds. After raising $8.5 million in a seed round in May of last year, $33 million in a Series A round in September, and $10 million in debt financing in December, the Israeli offensive security company is looking to scale AI penetration testing. For acquisitions, CrowdStrike completed two separate acquisitions for a total of $1.1 billion. With these moves, CrowdStrike has acquired both Seraphic, an Israeli browser runtime security provider, and SGNL, a US-based IAM provider. CrowdStrike intends to use both acquisitions to further support its Falcon platform by incorporating new AI and next-gen capabilities. That wraps up this week's business breakdown. For deeper analysis on major business moves shaping the cybersecurity landscape, subscribe to N2K Pro and check out TheCyberWire.com every Wednesday for the latest updates.
Coming up after the break, Tim Starks from CyberScoop discusses Sean Plankey's renomination to lead CISA. And there's grave oversight in the funeral biz. Stick around.
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks, including hardware, firmware and software, all designed to work seamlessly together. The result: fast, reliable and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R.com/cyberwire.
What's your 2 a.m. security worry? Is it, "Do I have the right controls in place?" Maybe, "Are my vendors secure?" Or the one that really keeps you up at night: "How do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A.com/cyber.
Tim Starks is senior reporter at CyberScoop, and it is always my pleasure to welcome him back to the show. Tim, hello there, sir.
