Loading summary
A
You're listening to the Cyberwire Network powered by N2K.
B
If you are heading to Black Hat USA this year, make plans to visit the Spectre Ops Kennel Club. As the creators of Bloodhound, the Spectre Ops team will host talks, workshops and hands on sessions aimed at helping you understand AI accelerated attack paths, the latest identity tradecraft and how to build your own open graph collector. Visit SpectreOps IE to pre register and learn more. While you're at the Spectrops Kennel club, visit the N2K CyberWire podcast studio where we'll be capturing expert perspectives and conversations from across Black Hat. We'll see you there.
C
Foreign.
B
What's the one thing in business that's spreading as fast as AI? AI risk. Every new tool your team signs up for, every vendor that turns on AI features, every new integration. Each one is an opportunity for something to go wrong. And most security programs weren't built for AI's pace of growth. Enter Vanta. Vanta is the number one agentic trust platform used by over 16,000 and fast moving companies like Ramp, Cursor and Harvey to ensure they're always audit ready. And now Vanta is helping companies like yours watch for the risks that show up between audits across your vendors, your AI tools and your whole environment. How the Vanta agent works like a 24.7grc engineer in the background, finding issues, drafting fixes and cutting vendor assessment time by up to 50%. Whether you're a fast growing startup or a global enterprise, Vanta is here to help you augment, automate, your security and compliance and earn and prove trust. Get started today@vanta.com cyber that's V A N T A dot com cyber. The FBI disrupts a major residential proxy service. Attackers exploit Fortinet firewalls to target UK officials. European lawmakers call for a spyware investigation. A new macOS info stealer masquerades as a clipboard manager. Prompt injection campaigns targeting AI agents through malicious websites and SEO poisoning. Researchers trick Claude into remote code execution. AI's strain on the power grid is complicated. We got your Monday business briefing. Our guest is Gabby Reich, VP of Product Threat Intelligence and exposure management at BitSight with insights on how cybercriminal activity is shifting and anime and AI meet adolescent antics. It's Monday, july 6, 2020. Dave I'm dave buettner and this is your cyberwire intel briefing. Thanks for joining us here today. It is great as always to have you with us. The FBI and IRS Criminal investigation with support from Google Lumen's Black Lotus Labs and the Shadow Server foundation sees domains linked to Netnut disrupting a major residential proxy service. Netnut, owned by Israel based Alarm Technologies, provided residential proxies that routed Internet traffic through consumer devices, a service used for legitimate business purposes but also exploited by cybercriminals. Google said the network relied on at least 2 million devices, many of them Android, smart TVs and streaming boxes, some of which were enrolled through pre installed software or hidden software development kits. Researchers observed hundreds of threat clusters using Netnut infrastructure for password spraying, unauthorized access attempts and other malicious activity. Google disabled Netnut related infrastructure, shared threat intelligence and updated Play Protect to detect affected applications. Alarum said it would cooperate with investigators and warned investors that the disruption could significantly affect its business. Researchers have also linked Netnut infrastructure to several botnet operations. A large scale cyber campaign targeting Fortinet firewalls has exposed login credentials belonging to UK government officials, overseas Foreign Office staff, local authorities and organizations supporting critical infrastructure. Researchers say attackers used previously leaked credentials to bypass security controls and gain access to sensitive networks, with stolen accounts now reportedly being sold on dark Web forums. The UK's National Cybersecurity center confirmed an ongoing brute force campaign against Fortinet devices and urged organizations to audit systems on, isolate compromised devices and change reused passwords. While the attack has been linked to Russian speaking hackers based on technical evidence, officials say there's no evidence of direct Russian state involvement. Security experts warn the stolen credentials could enable ransomware attacks against healthcare, government and other essential services if organizations fail to secure affected systems. European lawmakers are calling for a new spyware investigation after researchers found that former European Parliament member Stelio Culoglau was infected with NSO Group's Pegasus spyware while serving on the parliament's PEGA committee, which was investigating spyware abuses. According to Citizen Lab, Kulaglau's iPhone was compromised in October 2022 and again in early 2023 using the pwn your home zero exploit. With the attacks occurring during key stages of the committee's work, researchers urged the European Parliament to launch an immediate investigation and expand spyware screening for members devices. Political groups across Parliament echoed those calls, arguing that recommendations issued by the Pega committee in 2023, including stronger oversight and tighter controls on commercial spyware, have not been fully implemented. JAMF Threat Labs has identified a new macOS info stealer dubbed Pam Stealer, disguised as the legitimate Maxi Clipboard Manager. Distributed as a compiled Apple script inside a disk image, the malware downloads a Rust based second stage payload that steals credentials, browser data clipboard contents and cryptocurrency wallet information while establishing persistence. Its standout feature is locally validating a victim's macOS password through the pluggable Authentication modules, or PAM framework before harvesting it, reducing detectable activity. PAM Stealer also masquerades as Finder, encrypts communications with its command and control server, and uses social engineering to prompt victims for full disk access. Researchers say the malware employs environment checks, regional exclusions, anti analysis techniques, and native macOS APIs to evade detection. Highlighting the continued evolution of stealthier macOS focused credential stealers, researchers at Zscaler identified two prompt injection campaigns targeting AI agents through malicious websites and search engine optimization poisoning. One campaign tricks AI agents into making cryptocurrency payments by embedding hidden instructions within fake API documentation, while another uses a typo squatted website to impersonate the debank cryptocurrency platform. Testing showed several leading large language models followed the malicious payment instructions or misidentified the fake site as legitimate. Zscaler warns that as AI agents become more capable of browsing and completing tasks, Web content itself is emerging as a significant new attack surface. Researchers at Pantera Labs demonstrated how compromising a developer's email account could allow attackers to hijack Anthropic's CLAUDE desktop and achieve remote code execution by modifying the victim's synchronized CLAUDE preferences with a hidden prompt. The the researchers caused the AI assistant to silently check for command execution tools and run attacker controlled commands if those tools were unavailable. CLAUDE instead displayed convincing fake error messages that tricked users into installing software that enabled code execution. Once compromised, the AI assistant effectively became a persistent command and control channel capable of executing commands and exfiltrating data. Anthropic said the attack requires an already compromised CLAUDE account and reflects intended functionality rather than a software vulnerability. While researchers urged organizations to treat AI desktop applications as privileged software and closely monitor their configurations. A new report from the IEEE Spectrum says the rapid growth of AI infrastructure is creating new challenges for electrical grids that extend beyond rising energy consumption. While attention has focused on the amount of electricity required by hyperscale data centers, researchers argue that AI workloads introduce highly dynamic and unpredictable demand patterns that differ from traditional industrial loads. AI training and inference can cause abrupt changes in power consumption, placing additional strain on grid balancing, frequency control, transmission systems, and local infrastructure. These effects are amplified in regions with dense concentrations of data centers, where synchronized compute and cooling demands can create localized reliability and power quality issues. Utilities and grid operators are exploring demand response programs, battery storage and updated planning modules, but electrical infrastructure expands far more slowly than AI computing capacity. The article concludes that future grid planning must account not only for total energy use, but also for demand volatility, workload, synchronization and geographic concentration as AI infrastructure continues to scale. Turning to our Monday business briefing, cybersecurity and AI companies announced several major funding rounds and acquisitions last week. Quantafind raised $200 million in growth funding, bringing its total funding to $320 million to expand its AI powered risk intelligence platform internationally. Agentic AI security Startup Stryker secured $64 million to accelerate product development, threat research and global expansion, while AI governance platform Runlayer raised $30 million to grow its engineering and go to market teams. Contextual security company Nebuloc closed a $25 million Series A, and security architecture automation startup Dawnguard added $3.3 million to support product development and international growth. On the acquisition front, F5 acquired AI governance firm Surepath AI to strengthen its enterprise AI security platform, identity verification company InCode acquired Identic to enhance fraud detection and Belgian IT firm Sejika acquired cybersecurity specialist three Point to expand its capabilities supporting defense, intelligence and critical infrastructure organizations. Be sure to check out our business briefing on the Cyberwire website that is part of Cyberwire Pro. Coming up after the break, my conversation with Gambit Reich from Bitsite. We're discussing how cybercriminal activity is shifting and anime and AI meet adolescent antics stick around. AI is making phishing attacks faster, more convincing and harder for people to spot, and traditional security awareness and phishing training weren't designed for this level of attack. HOX Hunt helps security teams prepare employees for the attacks they face every day with personalized phishing training that adapts to each employee and reduces risky behavior over time. For IT and security leaders looking to strengthen their human layer of defense without adding more manual work, visit hoxhunt.com cyberwire to learn more. That's H o x h u n t.com cyberwire. This episode is supported by Black Hat usa. If you follow the research, you know a lot of it breaks on Black Hat stages hundreds of peer reviewed briefings, more than 100 hands on trainings, and the largest business hall in Black Hat's history. Six days to learn the skills you'll need tomorrow, August 1st through the 6th, use code CYBERWIRE for $200 off your briefings pass@blackhat.com we'll see you in Vegas. Gabby Reich is VP for Product, Threat Intelligence and Exposure Management at BitSight. We recently got together to Discuss how cyber criminal activity is shifting the report.
C
It's an annual report that we generate which is based on our ability to cover a lot of insights and lots of intelligence that we're collecting from multiple sources, especially sources related to the dark web. And what we've done in this report is we've collect, we're collecting insights and information related to trends that we're seeing year over year as related to threat actor activity related to ransomware trends, different cyber attacks, for example, hacktivism, what we're seeing in the world of vulnerabilities, the emergence of AI and how AI is contributing to the threat landscape and others like that.
B
Well, one of the provocative things that you presented in the report is this notion that the threat landscape isn't getting quieter, it's reorganizing. What does that mean in practical terms?
C
Yeah, so I think that what's interesting is that threat actors, what we're seeing from the report, are becoming more specialized maybe and more geopolitically aligned. When we say specialized these days you can identify specific trends where specific threat actors are focused on specific interest rates and sectors and the same thing related to geopolitical. So if in the past threat actors were very opportunistic, spray and pray and activities, these days it's a lot more deliberate targeting based on industry geography and strategic value that will gain on that. So the landscape may be more fragmented, more geopolitically driven, more harder to track on one hand. But on the other side, we also see specific trends as related to specialization. And the last thing here that I'm sure that we'll talk a lot about is also AI coming into the threat landscape also.
B
Well, before we get to that, one of the things that the report highlights is what you all have been tracking when it comes to ransomware. Can you share some of that information with us?
C
Ransomware, the market dynamics to some extent have shifted. What I think is different, it's that it's more distributed, as I said. I also said before, it's more geopolitically motivated. It's sometimes less about the payment, it's more about the leverage. So there's a couple of things that we've seen. There are about top five groups that are accounting for over 40% of all attacks. Many of them are Russian linked or Russian speaking. We see that there are different numbers, but the median payment has jumped to about by almost more than 300% today. Where it's interesting, on one hand, many times victims are getting better at refusing to pay. But on other hand, what we're seeing is that attackers are, I would like to say, calibrating their operational ways of actually getting more leverage in what they're doing. Another thing that maybe is worth mentioning basically to ransomware, what we're seeing is that there's a shift on the threat actors. They're shifting the pressure from ransomware demands to payment related to operational disruption, reputational damage and legal leverage. So the shift is, on one hand, payments are questionable sometimes we saw that the total payments fell to about 60 and 66%, which tells that victims are pushing back. But the operational disruption pressure is growing with new ways of, new mechanics that the threat actors are looking at.
B
Well, AI has become part of nearly every cybersecurity conversation these days. What are some of the issues that you and your colleagues are tracking when it comes to that?
C
I think that the way we look at AI is that AI is not theoretical anymore when looking at the threats. Mainstream AI tools. So it's not about novel AI related attacks, but the main aspect that we're seeing is that mainstream AI tools, everything from Cursor to ChatGPT, Claude, whatever, are used and becoming embedded in underground conversations tied to malware development, planning, attacks, reconnaissance. So what we're seeing is that the threat actors are using the most traditional classic AI tools that each one of us using, but they're using it for malicious activities, as I mentioned before, from development to planning. We see in the report, we mentioned that the underground forums are flooded with AI rated discussions on how to use different tools. We gave some numbers. There's about 5.1 million Gemini, mentions of usage of Gemini and so on and so on. And it's just one example. So this adoption pattern is interesting. So attackers are not using AI to write novel malware. They're using it to everything around the actual attack and they're using it for the research to understanding technology stacks, to analyze vulnerabilities. And this is a super interesting aspect there. The main thing that I would like to say about that is that the AI technology isn't just about scaling the attackers and helping the attackers. It should also be scaling us, the defenders. I strongly believe, and many like me in the industry believe that this is a fight that we can win and with the technology. So the usage of the AI technology is not only in the hands of the attackers, it's also in the hands of defenders, and we should be using the same tools and better to be able to defend ourselves, protect ourselves against it.
B
Well, broadly speaking, based on the information that you and your colleagues have gathered, what are Your recommendations for the defenders in our audience.
C
Yeah, so another, when talking about AI and to your question, there's all kinds of new AI models that are helping us on one hand, but also bringing a lot of concern with these frontier AI models. And the question what's changing right now in the vulnerabilities and exploitation of these vulnerabilities is the velocity and the skills and the scale, sorry of these attacks and what it means to us. I think the key thing to me is, and for any security leader that is listening to us, I think to this conversation, to any security leader listening to the conversation is that prioritization, threat informed prioritization is the most important thing right now. It's not about having a good vulnerability management program. It's about more than that. It's having good intelligence, good insights and to be able to prioritize what matters. It's not about having the better tools, it's not having more people, faster patching cycles. And I will repeat again, it's about prioritization and here's why. Because in the world of AI, with the velocity of AI and the scales of AI driven attacks, you can't patch everything, you can't monitor everything, you can't block everything. The volume is just too large. So what you can do is understand what are the vulnerabilities that matter most to your organization. Which threat actors are actually could target you, which vendors that you're working with in your supply chain have the more exposure that could cascade to you. And as a result of that, how do you take the action on the issues that matter? When talking about risk, it's about what should I decide that I want to fix and what are the things that I am accepting as risk. Okay, I'll give you just one example. Klopp ransomware group decided to attack specific organizations a year ago. And Clop as a ransomware group didn't breach organizations for the sake of breaching specific organizations. What they did was they leveraged a specific software MoveIt and what they did was they went through a shared platform. Once you're exposed, they were cascading the impact. So my point is that you need to be able to prioritize what is important to you. And every organization is different. Understanding your threat context, what sector, what industry you're in, what are your geopolitical risks, how does your attack surface look? What are the places in your organization from an attack surface which is more important to your business? And based on that, taking the right decisions and understanding how to prioritize accordingly,
B
That's Gabby Reich, VP of Product, Threat Intelligence and Exposure Management at BitSight. As organizations grow, so does complexity. New applications are deployed, vendors are granted temporary access, and remote support tools are installed. Many of them never go away. In my recent conversation at RSAC 2026 with Rob Allen, Chief Product Officer at ThreatLocker, he explains how these forgotten tools create hidden pathways into enterprise environments and why attackers increasingly exploit what's already inside the network instead of trying to break through the perimeter. Learn how to reduce lingering access, shrink your attack surface, and implement zero trust more effectively by listening to the full conversation at explore.thecyberwire.com threatlocker
D
Heat up your Fourth of July at the Home Depot with our wide variety of grills under $300 and make every gathering one to remember. Give your outdoor space a glow up, whatever your budget is, with savings on seasonal plants starting at $5. With the grill fired up and your backyard set to perfection, you'll be able to invite friends and family over to kick off the party. Start celebrating, with low prices guaranteed at the Home Depot. Prices may vary by store. Exclusions apply. See homedepot.com Pricematch for details.
A
This episode is brought to you by Google Chrome. You think you know a browser, but Gemini and Chrome? That's new. It can help you with practically anything on the web, like restoring a vintage motorcycle from a 50 page restoration block. Or finally break down that long article you've had open for weeks. Gemini and Chrome is here for it, ready to make anything online make sense. There's no place like Chrome. Check responses, Setup required compatibility and availability various 18.
B
And finally a 15 year old student from Japan's Saitama Prefecture has been arrested for allegedly launching a cyber attack that disrupted Bandai Channel, an anime streaming service operated by Bandai Namco Filmworks. Police say the teenager used a program he developed, with assistance from ChatGPT, to exploit a vulnerability in the company's systems, sending false data that led to the unauthorized cancellation of over 46,000 subscription accounts. The attack temporarily disrupted operations, with full service not restored until months later. Investigators believe the student uncovered the flaw himself and used it to access account information. He reportedly admitted to the incident, explaining that he had been teaching himself computers since elementary school and bore no ill will toward the company. It's a reminder that just because you've watched every episode of Ghost in the Shell doesn't mean you're supposed to recreate the plot. Sometimes the most powerful move is logging off before your origin story turns into a police report. And that's the cyberwire for links to all of today's stories. Check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwarner wire@n2k.com N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ivan. Peter Kilpie is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
A
Your package says delivered, but delivered where, exactly? The hallway? The lobby? Your neighbor's apartment? Instead of playing detective with your deliveries, get a mailbox at the UPS store will sign for your packages, text you when they arrive, and keep your deliveries low key under lock and key. Get 3 months free mailbox services with a new annual agreement at the UPS store. For full details and to get your Coupon, visit the upsstore.com offer.
B
What happens when AI agents gain access to the same systems, applications and credentials as your employees? According to Arvind Nithra Kashayap, CTO and co founder of Rubrik, that reality is already here. As AI agents proliferate across enterprise environments, organizations face a growing how do you govern systems that operate at machine speed? To learn more about AI sprawl, the risk it creates, and how organizations can Prepare, visit explorer thecyberwire.com Rubrik to hear the full conversation.
Podcast: CyberWire Daily
Host: Dave Bittner, N2K Networks
Date: July 6, 2026
This episode delivers a comprehensive update on significant cybersecurity events and trends, with a focus on the FBI and IRS’s disruption of the NetNut residential proxy service, attacks on Fortinet firewalls affecting UK officials, spyware concerns in European institutions, and evolving threats involving AI and malware. The special feature includes an in-depth interview with Gabby Reich, VP of Product Threat Intelligence and Exposure Management at BitSight, who discusses shifting cybercriminal tactics, the impact of AI on the threat landscape, and strategic recommendations for defenders.
“Researchers observed hundreds of threat clusters using NetNut infrastructure for password spraying, unauthorized access attempts, and other malicious activity.” (03:31)
“The UK’s National Cybersecurity Center confirmed an ongoing brute force campaign against Fortinet devices… security experts warn the stolen credentials could enable ransomware attacks against healthcare, government, and other essential services.” (06:22)
“…Kulaglou’s iPhone was compromised… using the pwn your home zero exploit. With the attacks occurring during key stages of the committee’s work, researchers urged the European Parliament to launch an immediate investigation…” (08:00)
“Future grid planning must account not only for total energy use, but also for demand volatility, workload synchronization and geographic concentration as AI infrastructure continues to scale.” (13:59)
(Begins at 15:34)
“We’re collecting insights and information related to trends that we’re seeing year over year as related to threat actor activity… the emergence of AI and how AI is contributing to the threat landscape…”
– Gabby Reich [15:42]
“So if in the past threat actors were very opportunistic, spray and pray… these days it’s a lot more deliberate targeting based on industry, geography, and strategic value…”
– Gabby Reich [16:46]
“The median payment has jumped by almost more than 300% today… attackers are calibrating their operational ways of actually getting more leverage…”
– Gabby Reich [18:29]
“Mainstream AI tools… used and becoming embedded in underground conversations tied to malware development… The main thing… is that the AI technology isn’t just about scaling the attackers… it should also be scaling us, the defenders.”
– Gabby Reich [21:26]
“It’s not about having the better tools, it’s not having more people, faster patching cycles… it’s about prioritization and here’s why. Because in the world of AI… you can’t patch everything… The volume is just too large.”
– Gabby Reich [22:52]
On the evolving threat actor ecosystem:
“The landscape may be more fragmented, more geopolitically driven, more harder to track… but we also see specific trends as related to specialization.” – Gabby Reich [16:52]
On AI in underground forums:
“There’s about 5.1 million Gemini… mentions of usage… it’s just one example.” – Gabby Reich [20:38]
On defender strategy:
“The key thing… to any security leader listening to the conversation, is that prioritization, threat-informed prioritization, is the most important thing right now.” – Gabby Reich [22:22]
“It’s a reminder that just because you’ve watched every episode of Ghost in the Shell doesn’t mean you’re supposed to recreate the plot.” – Dave Bittner [29:04]
| Segment | Timestamp | |---------------------------------------------------------------|------------| | NetNut Proxy Service Crackdown | 02:45 | | Fortinet Firewall Attacks in UK | 05:05 | | Pegasus Spyware in European Parliament | 07:15 | | macOS “PAM Stealer” Malware | 09:05 | | Prompt Injection & AI Agent Threats | 10:10 | | Pentera’s “Claude” Exploit Demonstration | 11:05 | | AI and the Electrical Grid | 13:00 | | Monday Business Cybersecurity Funding & M&A | 14:20 | | Interview: Gabby Reich, BitSight (beginning of segment) | 15:34 | | Key: Threat specialization, ransomware, AI in cybercrime | 16:24-22:07| | Recommendations for defenders | 22:07-25:27| | Adolescent Attack on Anime Platform | 27:39 |
This episode covers a broad but focused spectrum of the week’s most important cybersecurity issues—from international botnet crackdowns and government credential exposures to the newest macOS malware and the fast-growing role of AI in cyber offense and defense. The expert interview spotlights the way professional cybercriminals are specializing, the evolving economics and motivations of ransomware, and how AI is reshaping both threat and defense paradigms. Practical emphasis: defenders should pivot from “defense everywhere” to smart, intelligence-driven prioritization.
Recommended for listeners who need: