Dave Bittner

You're listening to the Cyberwire Network powered

Jake Braun

by N2K

Home Depot Announcer

now at the Home Depot. Receive 12 months special financing and free basic installation on carpet projects with LifeProof LifeProof with PET proof technology Home Decorators collection and traffic Master carpets bring a new look to your floors or give them a durable surface that stands up to life's tough messes. Get 12 months special financing on installed carpet projects right now at the Home Depot offer Valley March 12 through March 29, 2026. Exclusions and additional charges may apply for licenses. See homedepot.com License numbers.

Narrator / Host

RSAC Spotlights Public Private partnership Gaps Dark sword leaks to GitHub the FCC blocks new foreign made routers Citrix patches a critical netscaler flaw the DOE rolls out an energy sector cyber canister worm spreads through NPM researchers flag suspected case SMA exploitation QualDURM reports a 3.1 million record breach a Russian access broker gets 81 months intern Kevin checks in from RSAC. Maria Ramazis speaks with Jake Braun, longtime DEF CON organizer and former White House official, about the Defcon 33 Hackers Almanac and Slow down, you vibe too fast. It's Tuesday, march 24, 2026. I'm dave buettner and this is your cyberwire intel brief. Foreign thanks for joining us here today as we come to you from RSAC 2026 here in beautiful San Francisco. It's great to have you with us. Yesterday at RSAC 2026, panelists highlighted persistent gaps in real time information sharing between government and private industry. Using the cybercrime group Scattered Spider as a case study, former FBI cyber official Dave Scott recalled that officials once proposed a joint coordination cell to exchange intelligence with private partners in real time, but legal and approval barriers prevented it. Years later, phone based social engineering has become the second most common initial access method and the leading tactic for cloud intrusions. Underscoring the missed opportunity, a panel originally focused on China's Volt and Salt typhoon campaigns proceeded without FBI or NSA participation, leaving an empty chair on stage and reinforcing concerns about public private coordination. Speakers stressed that private companies often detect activity first because attacks frequently target privately operated infrastructure. They argued that timely intelligence sharing, especially as AI accelerates threat activity, is increasingly crit. Still, the absence of government voices at a major security forum signaled lingering coordination challenges. A newer version of the iPhone hacking toolkit DarkSword spyware has been leaked to GitHub, raising concerns that attackers can easily target devices running outdated Apple operating systems. Researchers at Iverify warned the tool requires little technical expertise to deploy and can exfiltrate contacts, messages, changes, call history and keychain data from vulnerable devices. A security hobbyist reported successfully exploiting an iPad mini running iOS 18 using circulating samples. Apple said updated devices are not affected and issued emergency patches for older systems unable to run newer versions. Researchers estimate hundreds of millions of devices may remain exposed. The leak follows earlier reporting that Dark Sword infrastructure was linked to activity attributed to Russian government hackers targeting Ukrainian users. The Federal Communications Commission has added all foreign made consumer routers to its covered list under the Secure Networks act, citing national security risks tied to supply chain exposure. The move blocks approval of new models but does not affect existing authorized devices already in use or on the market. The decision follows an Executive branch assessment aligned with national security Strategy priorities to reduce dependence on foreign infrastructure components. Officials argue routers have been exploited in campaigns such as Volt Typhoon, Flax Typhoon and Salt Typhoon. Critics note most routers, including those from Cisco and Netgear, are manufactured abroad, leaving few domestic alternatives beyond Starlink WI FI router. The policy may pressure vendors to shift production to the United States, though exemptions remain available through National Security Review. Citrix has released patches for a critical NetScaler ADC and NetScaler Gateway flaw affecting deployments configured as security Assertion Markup language identity providers. The bug allows potential sensitive memory disclosure and could be exploited by unauthenticated attackers. A second issue may cause user session mix ups. No active exploitation is confirmed, but researchers warn attacks are likely once exploit code appears. Because SAML configurations are common in single sign on environments, organizations are urged to patch immediately. The US Department of Energy has released its first comprehensive five year strategy to strengthen cybersecurity across the nation's energy infrastructure, translating White House priorities into operational guidance. Developed by the Office of Cybersecurity, Energy Security and Emergency Response, the plan focuses on three advancing cybersecurity technologies for operational technology environments, hardening grid and supply chain infrastructure and improving incident response and recovery coordination. Officials say the strategy clarifies DOE's role as sector risk manager and emphasizes a resilience first approach. However, analysts warn execution risks remain, citing reduced funding and reliance on partners such as cisa, which has lost staffing capacity. The plan promotes voluntary security practices and highlights persistent capability gaps among smaller utilities. A malware campaign dubbed Canister Worm is rapidly spreading through developer ecosystems after attackers seeded malicious code into more than 45 npm packages. Researchers at Aikido Security link the activity to stolen credentials from an earlier compromise of Aqua Security's Trivey scanner, enabling attackers to hijack maintainer accounts and publish infected updates within minutes. The worm steals authentication tokens and SSH keys to propagate across systems and distribute additional malicious packages. The campaign uses a decentralized command system hosted on the ICP blockchain, complicating disruption efforts. Behavior varies by environment. On Kubernetes networks in Iran, it deploys destructive wiping malware, while elsewhere it installs a backdoor. Researchers warn the attack demonstrates rapid supply chain propagation and unusually resilient command infrastructure. Arctic Wolf observed suspected exploitation of a vulnerability in publicly exposed Quest Software Kace systems management appliance instances beginning March 9. The critical authentication bypass flaw enables attackers to impersonate users and gain full administrative control. Observed activity included remote command execution, credential harvesting with mimikats, creation of admin accounts, and lateral movement into backup systems and domain controllers. No public proof of concept is known. Defenders are urged to patch affected versions and and remove Internet exposure of SMA appliances. Healthcare management firm Qualm Partners is notifying more than 3.1 million individuals that personal, medical and insurance data was stolen during a December 2025 network intrusion lasting two days. Exposed information includes names, contact details, medical records, diagnoses, insurance data and in some cases, government ID numbers. The incident was reported to the U.S. department of Health and Human Services breach portal the company says it contained the activity notified authorities and is offering 12 months of identity theft and credit monitoring services while its investigation continues. Alexei Volkov, a Russian initial access broker linked to the Yanlang ransomware gang, has been sentenced to 81 months in prison for helping breach US organizations and enable ransomware attacks. Prosecutors said Volkov identified network vulnerabilities and sold access to co conspirators who deployed ransomware against banks, telecommunications providers and engineering firms across multiple states. The campaign caused more than $9 million in losses and involved ransom demands exceeding $24 million. Volkov was arrested in Rome and extradited to the United States, where he pleaded guilty in federal cases in Indiana and Pennsylvania. Investigators also found he communicated with members of the Lockbit ransomware Group. As part of sentencing, he agreed to pay restitution and forfeit equipment used in the attacks. Kevin McGee is global director of cybersecurity startups at Microsoft, but this week at rsac, he's better known as Intern Kevin.

Kevin McGee

Well, it's that time of year again. It's RSA conference week. I'm Kevin McGee and most of the time I'm the global director of cybersecurity at Microsoft for startups. But during RSA I get to live my dream and become a real media influencer. Or at the very least, I get to be the intern to one Mr. David Bittner. Now, the intern budget is not really all that great, so I understand. I had to make four stops on my flight here, but I have no idea why two of them had to be at the same airport. But it's all worth it to be here and part of the show. All week, I'll be covering the stories that don't make the mainstream. I'll be walking the floor, or at least the places my intern badge will allow me access to. I'll be interviewing those unsung heroes that work the SOC and keep us safe and trying to find some of the latest and coolest technology being developed right now. So that's what I'll be doing all week. Well, at least as soon as I'm finished ironing Mr. Bittner's hoodies.

Narrator / Host

Our thanks to Kevin McGee from Microsoft for serving as intern Kevin this week here at RSAC conference. Kevin, I like my shirts with extra starch. Keep that ironing going.

Jake Braun

Thank you, sir.

Narrator / Host

Coming up after the break, maria vermazes speaks with jake braun, longtime def con organizer and former white house official, about defcon 33 hackers almanac. And slow down. You vibe too fast. Stick around.

Vanta Advertiser

No, it's not your imagination. Risk and regulation really are ramping up. And these days customers expect proof of security before they'll even do business. That's where Vanta comes in. VANTA automates your compliance process and brings compliance, risk and customer trust together on one AI powered platform. So whether you're getting ready for a SoC2 or managing an enterprise governance, risk and compliance program, VANTA helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth.

Narrator / Host

For me, it comes down to over

Vanta Advertiser

10,000 companies from startups to large enterprises trust Vanta to help prove their security. Get started@vanta.com cyber.

Jake Braun

Marvel Television's Wonder man, an eight episode series now streaming on Disney plus a superhero remake.

Home Depot Announcer

Not exactly what we'd expect from an Oscar winning director.

Jake Braun

Action Simon Williams audition for Wonder Man.

Narrator / Host

I'm gonna need you to sign this.

Jake Braun

Assuming you don't have superpowers, I'll never work again. If anyone found out monolips are sealed.

Home Depot Announcer

Marvel Television's Wonder man all eight episodes

Jake Braun

now streaming only on Disney plus.

Narrator / Host

Rn2k contributing host Maria Vermazes recently sat down with Jake Braun, longtime DEFCON organizer and former White House official to discuss the DEFCON 33 Hackers Almanac.

Dave Bittner

It's a fascinating read, Jake, honestly. So I have the PDF right in front of me, and I've read through it a few times, and I know we were chatting about space cyber, given that that's sort of my area of special interest. It does certainly cover a lot of different areas. And I found it especially fascinating coming from a point of view myself, not as a policy person, but recognizing that there is such a. I don't know if animosity is the right word, but especially from a lot in the hacker community of, I feel justified skepticism about, I think, the Hill in general and just folks in D.C. not understanding a lot of the technologies and then potentially creating harmful legislation in the direction of the hacking community. And there's a gap there of understanding in both directions that I think folks like you are working hard to bridge. And that's quite a challenge.

Jake Braun

Oh, my God. Yes, it's really amazing when we put these report together, and in fact, we have a lot of folks on the hacker side who are like, oh, but what about this particular hack? It's so cool, and it's amazing that this person pulled it off the way they did everything. And often we're like, yeah, but does that have a public policy implication or. What often happens is we're trying to explain the research folks have done. You know, we're constantly sitting there going, okay, imagine that you're a congressman who can, you know, who can turn on a computer. But after that, like, aside from something that's about what their expertise level is, you know, or even a senior policymaker in the executive branch, we're like, you know, you have to kind of really explain this stuff in a way that these folks who, you know, look, I mean, they didn't train to be cyber professionals, they haven't taken IT or cyber courses in school. Have they ever had to hack a router or mess with a Raspberry PI or any of these things. So, you know, I don't fault them for not knowing these things, but that's kind of the big challenge is how do we explain these things so that policymakers understand it and understand the relevance?

Dave Bittner

Yeah, I think people in infosec really should give it a read just so they can see sort of how their work is being understood by a different audience, just to think about things through a different lens, to recontextualize that work. It's a fascinating exercise, honestly. And I know when I was going through it, I found myself surprised in a bunch of good ways of like, oh, these questions are really interesting. I don't know if I've thought of them before. And there are also some areas within the almanac that I'd love to hear you walk me through. Just in general, that category I hadn't thought of. And one of them that I'm thinking of actually was about power down with despots. And that made me go, what? Tell me more about that. It was so fascinating.

Jake Braun

One of the things that we believe, and I think a lot of people who've thought about this would agree is likely to be one of the biggest developments in human history is that pretty soon in our lifetime every human on the planet is going to be connected to the Internet one way or the other. We're in the process of connecting basically the last 2 billion people on the planet to the Internet. And you know, those 2 billion are the last 2 billion for a reason, right? Either they're in a country that has purposely kept them from plugging into the modern world, both literally and figuratively, so think like in North Korea, or they're the most underprivileged and oppressed people in modern societies who for whatever reason, you know, don't have, you know, access to the Internet and modern technology either. And what is clear is that the, the despots of the world, you know, whether it be folks dealing with the Ukraine war, whether it be a potential invasion of Taiwan, whether it be migrant communities around, around the world that are being preyed upon, trying to figure out what are the things that we can do to help these people protect their culture. In the case of like, let's say the Uyghur population in China who, who is having cultural genocide committed against them, or to potentially a group of folks in Taiwan or Ukraine who are trying to fight for their right to self determination and democracy and so on and so forth. And so just two examples of that in Ukraine, and we almost didn't include this one because it's so kind of simple technically, but this is my point about it. Maybe it was simple technically, but it's incredibly important from a policy perspective. So, you know, if all information is basically kept on the Internet and all the information about your culture may wind up having the only place it lives on the Internet, then if the government wipes your culture from the Internet like they're doing to the Uyghurs in China, then in 200 years, is your culture even going to exist? I mean, I don't know. If you don't know the stories and the history and all those things, I don't know. And so, in an effort to ensure this doesn't happen to the Ukrainian population, a group of hackers who presented at DEFCON went in right after the war and started digitally, not physically, but digitally, backing up all the artwork in the museums across Ukraine, so that in the event that they get blown up or whatever, or the art gets stolen, that there'll be a record of it for the Ukrainian people so that they can protect their culture and history from digital genocide, or the real or the physical genocide that that's being perpetrated and perpetrated against them. And so that's one example of folks being able to protect their culture and identity from digital genocide. The other thing is just being able to keep fighting. And so one of the things that Jeff Moss actually really encouraged us to take a hard look at was these mesh networks. And for your listeners who maybe don't know about it, although people who listen to your podcast probably do, but still, these are network devices that exist on really low frequency radio waves. So if, like, if the undersea cables in Taiwan are cut, and if what's worked in Ukraine with satellites keeping communication going doesn't work in Taiwan because the Chinese are far more capable and well resourced than the Russians are, then how are they going to keep fighting? How are they going to their resistance going until hopefully the Chinese give up or more folks can come help?

Dave Bittner

So these are like meshtastic, Is that that's one of the protocols? Meshtastic?

Jake Braun

Yep. And so meshtastic was something we tested, and in great hacker tradition, they found some bugs. But, you know, kudos to the meshtastic people. They fixed them or whatever they couldn't fix at the conference. They agreed to fix later, and I believe they did. And so these are an ability for folks to, to communicate where kind of devices connect to devices based on whose device you're connected to. But you can't basically stop it by knocking out the satellites or cutting the undersea cables, which would mean if the Taiwanese population was in the mountains of around Taipei fighting for, you know, years or longer, that they'd be able to communicate. So that was just two examples of technologies or research that's been done by the DEFCON community that we thought was highly relevant for protecting these last 2 billion as they come online and also trying to thwart the advances of despots and warlords who constantly are oppressing the least empowered among us.

Dave Bittner

Yeah, and honestly, this speaks to, I think, the core of so much of hacker culture, of what motivates so many is just kind of the spirit of keeping fighting a power, but also keeping these important subcultures alive. Gosh, I'm thinking back to the 90s on some of this stuff and just sort of that ethos that seemed to have waned a little bit, but it's coming right back and it's kind of awesome to see, to be honest with you. So we've been talking sort of on the policy side, but for folks who are more on the, I'm thinking of security practitioner side, you know, the average DEF con attendee, I suppose, what would you want them to know about the work that you've been doing here?

Jake Braun

Okay, so the one thing I want to talk about, just because I think it's so important, is one of the youth hackers. So this particular person was in high school, the handle that he used was Nix. And there was somebody else involved named Reynaldo Buho. But anyway, they were, yeah, good for them. But anyway, they found that a vape tracking device in the school bathroom that the schools had put in and that schools use all over the country, maybe all over the world, had the capability for listening devices in it. Which of course, once this industrious young hacker figured out, was asked a very good question, which is why would anybody who is trying to prevent the vaping need to listen to what people are talking about in the bathroom and pointed out things like, pointed out things like, you know, look, if, if you were maybe a young women woman who was talking about an abortion in one of the states that, you know, since the Roe decision have made it illegal, you know, are you or the school or whatever now in jeopardy because, you know, you were having conversation like that and in, in the bathroom with one of your friends, you know, I mean, it's just, I mean, yeah, it's, it's unbelievable,

Dave Bittner

but it's a sacred space, the bathroom. Honestly, you just don't expect surveillance in the bathroom. It's just the absolute last thing anyone wants to. So.

Jake Braun

Yeah, exactly. And so anyway, I wanted to highlight that because it was very clever work that these two high schoolers, high schoolers did. And also just because I think DC next gen is so important and this next generation of hackers coming up, if you look at the folks who started this whole thing back in 92 or 93, they're getting a little, they've got some gray hair and they're getting a little long in the tooth at this point. We need this next generation to step up. One of the other things, though, that I thought was like, like, fascinating was research that somebody did. Now, this is theoretical, of course. I don't think they were able to actually do this in practice yet. But theoretically, one of the researchers found that you could store information in human DNA and then use that to get key information that you'd want out of a dictatorship or something like that, whether you're in North Korea or Russia or China or whatever. Yeah, I mean, storing. Yeah, exactly. Tell me about it. Storing information in human DNA is about as cool and cutting edge as it gets.

Dave Bittner

That is the kind of thing we love out of DEF con. Honestly, when we hear about stuff like that.

Jake Braun

Yes, it's pretty great. I know. So this guy, Dr. James Utley, is the one who did it. And it's funny, he talks about bio cryptography is how he refers to it. So really, really fascinating work. And, you know, there's. I could go on for hours about all the cool stuff. I'll tell you one of my most enjoyable things I do for this is after DEF con, since I don't really have a lot of time to go see the talks when I'm there, because I'm running around to different things. I listen to, I don't know, 40 or 50 talks after DEF CON while I'm like, you know, out running or whatever to try and think about what makes sense to be in the almanac. And it's just some of the most fascinating information you'll listen to in any given year is these talks.

Dave Bittner

But yeah, and I know we're coming up close on time, but I wanted to make sure. I also asked you about DEFCON Franklin itself. I know you wanted to mention a bit about the work that you all do. So can you tell me a bit about that?

Jake Braun

Sure. So one of the things we do is the almanac. So obviously we talked about that. Bunch of folks, including some of my grad students who run around and compile, you know, chronicle what happens there and then, and then turn into this. I want to give a huge shout out to. To Adam Szostak and Paul Chang, who helped so much with this. And then separately, we recruit folks to support underserved water utilities around the country. This is largely because of our critical infrastructure like power and finance and so on and so forth. Water seems to be both newly a top priority for big adversaries like nation states and ransomware groups, but also one of the least protected. So whereas finance or energy has been improving their defenses for a decade or more now, water's really kind of just starting to get in the cyber game. And so we recruit volunteers to support these local water utilities that but for volunteers would have zero cyber support. It's not like it's us or hiring someone or us or they bring in a contractor. It's us or nothing. And so we've had a whole host of folks from DEF CON step up for this. We've deployed a good amount of folks so far. We're hoping to deploy a lot more. By the way, one thing I would really ask anybody on this call is if you work for a small municipality or or have close ties with one and you think your water utility might be in need of these types of service, please reach out to us. You can go to our Just Google us at DEFCON Franklin and we'll come up with all our contact information because we're all getting the word out to the 50 plus thousand water utilities out there, none of whom thought cyber was in their job jar even a couple years ago is one of our biggest challenges. So really would welcome folks who are interested in this and in particular if you are in a community that you think would benefit from the support and could connect us in with Those folks,

Narrator / Host

that's N2K's Maria Vermazes speaking with Jake Braun.

Venmo Advertiser

Get in the game with the College Branded Venmo Debit Card Wreck your team with every tap and earn up to 5% cash back with Venmo Stash, a new rewards program from Venmo. No monthly fee, no minimum balance, just school pride and spending power. Get in the game and sign up for the Venmo debit card@venmo.com collegecard the Venmo MasterCard is issued by the Vanccorp Bank NA Select Schools available Venmo Stash terms and exclusions apply at venmo me stashterms max $100 cashb per month.

Indeed Advertiser

This episode is brought to you by Indeed. Stop waiting around for the perfect candidate. Instead, use Indeed sponsored Jobs to find the right people with the right skills fast. It's a simple way to make sure your listing is the first candidate. C According to Indeed data, Sponsored Jobs have four times more applicants than non sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsored job credit@ Indeed.com podcast. Terms and conditions apply.

Narrator / Host

And finally, artist Sam Levine has devised a modestly malicious solution for anyone worried that friends, students or co workers are outsourcing their inner lives to chatbots. Make the bots unbearably slow. According to 404 Media, his tool Slow LLM quietly stretches response times from systems like ChatGPT and Claude by tampering with a browser data retrieval function, creating the impression that the machines themselves have suddenly lost enthusiasm for helping. Levine says the idea came after watching people rely on generative tools for tasks once handled by their own brains. The project can run as a browser extension or, more boldly, as a network wide DNS tweak that spreads the gift of patience to entire households or offices. He frames the effort as restoring friction to learning and creativity, though he admits using Claude to help write the code, at least until his own tools slowed it down. The goal is not prohibition, but reflection, preferably after a long wait. And that's the Cyberwire for links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insight that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.