Transcript
A (0:02)
You're listening to the Cyberwire Network, powered by N2K.
B (0:14)
Most security conferences talk about Zero Trust. Zero Trust World puts you inside. This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert-led sessions, practical case studies, and technical deep dives focused on real-world implementation. Whether you're blue team, red team, or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry, and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ZTW.com and take your Zero Trust strategy from theory to execution.

French police raid X's Paris offices. The feds take over $400 million from a dark web cryptocurrency mixer. The NSA says zero trust goes beyond authentication. Researchers warn of a multi-stage phishing campaign targeting Dropbox credentials. A new GlassWorm campaign targets macOS developers. Critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile are under active exploitation. Researchers disclose a major data exposure in Moltbook, a social network built for AI agents. States bridge the gap in election security. Nitrogen ransomware has a fatal flaw that permanently destroys data. On today's Threat Vector segment, David Moulton speaks with Aaron Isaacson, AI research and engineering lead at Palo Alto Networks. And supersize your passwords. You want fries with that?

February 3, 2026. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us.

French police raided X's Paris offices as part of a criminal investigation into whether the platform allowed foreign powers to manipulate its algorithm. The probe, announced by the Parquet de Paris, began in January 2025 following complaints from a French lawmaker and a senior public official. Prosecutors are examining allegations of organized interference with automated data systems and fraudulent data extraction. The investigation later expanded to include X's Grok chatbot, accused of spreading Holocaust denial and sexually explicit deepfakes. Because the case involves organized crime allegations, police have enhanced surveillance powers. Authorities have summoned Elon Musk and former CEO Linda Yaccarino for voluntary interviews in April of this year. X has criticized the probe as a politically motivated attack on free speech.

The US government has taken ownership of more than $400 million in assets tied to Helix, a dark web cryptocurrency mixer used to launder illicit funds. Helix operated from 2014 to 2017 and processed more than 350,000 bitcoins, primarily for online drug markets. Its creator, Larry Dean Harmon, pleaded guilty in 2021. The final forfeiture order caps a multinational investigation and highlights growing law enforcement focus on asset seizure and restitution, according to the US Department of Justice.

The National Security Agency has released updated zero trust guidance urging U.S. government agencies to adopt continuous, behavior-driven security models. As cyberattacks increasingly bypass traditional defenses, the recommendations outline multiple phases toward what the Department of Defense calls target-level Zero Trust maturity. Rather than treating authentication as a one-time gate, the NSA frames Zero Trust as an operating model that persists throughout a user or system session. The guidance emphasizes continuous evaluation based on user behavior, privilege use, and resource access, addressing gaps between stated Zero Trust strategies and real-world enforcement. Analysts say the focus reflects the reality that many successful attacks now occur after credentials are compromised. While aimed at national security systems, the guidance was released publicly to align expectations across civilian agencies and industry.

Researchers at Forcepoint X-Labs are warning of a multi-stage phishing campaign designed to evade security controls and steal corporate credentials for Dropbox. The campaign uses brief, professional-looking emails tied to procurement or business requests, urging recipients to open a PDF attachment. Those PDFs contain hidden AcroForm links that are difficult for security tools to scan. Victims are redirected through legitimate cloud infrastructure to a convincing fake Dropbox login page, according to Forcepoint. This approach bypasses reputation-based defenses and reduces suspicion. Stolen credentials are sent to attacker-controlled channels on Telegram, enabling account takeover and potential follow-on attacks. Researchers note the campaign reflects a broader surge in credential theft and identity-based intrusions that can lead to deeper network compromise.

Researchers are warning of a new GlassWorm campaign that spreads through compromised extensions on Open VSX, targeting macOS developers. Attackers hijacked a legitimate developer account and pushed malicious updates to four popular extensions downloaded roughly 22,000 times. The malware hides code using invisible Unicode characters and steals browser data, crypto wallet information, developer secrets, and macOS keychain data, while also enabling remote access, according to a report from Socket. The campaign pulls commands from Solana transaction memos and avoids Russian-locale systems. Open VSX operator the Eclipse Foundation removed the malicious releases and revoked access. Affected developers are advised to clean systems and rotate all credentials.

Researchers at watchTowr are warning of active exploitation of a critical zero-day vulnerability in Ivanti Endpoint Manager Mobile, a tool widely used to manage corporate mobile devices. Ivanti disclosed two severe code injection flaws that allowed unauthenticated remote code execution on on-premise deployments. watchTowr says attackers have already exploited the bugs as zero-days, establishing backdoors and potentially erasing logs. Ivanti has issued a temporary RPM-based patch, but it must be reapplied after updates and is not a permanent fix. A full update is expected later in early 2026. Researchers warn organizations with exposed systems should assume compromise, begin incident response, and consider rebuilding affected infrastructure.

Security researchers at Wiz disclosed a major data exposure on Moltbook, a social network built for AI agents. The issue stemmed from an exposed Supabase API key embedded in client-side code, which lacked row-level security controls and granted full read and write access to the production database. Wiz researchers were able to access 1.5 million API tokens, 30,000 email addresses, and private agent messages, and could impersonate any account. The platform's creator, Matt Schlicht, has since fixed the flaw. Wiz warned the incident highlights the risks of vibe coding, where rapid development outpaces secure configuration and human security review.

State and local election officials say the Trump administration's second term has sharply reduced federal support for election security, forcing states to fend for themselves, CyberScoop reports. While President Donald Trump previously backed the creation of the Cybersecurity and Infrastructure Security Agency and major election security grants, officials now report staff cuts, reduced services, and diminished communication from CISA. Congressional Democrats, including Senator Alex Padilla, warned states are losing critical partnerships and funding, with federal grants from the Election Assistance Commission averaging less than $1 million per state. States like Arizona and West Virginia are turning to legislatures and local coordination to cover gaps. Officials such as Adrian Fontes dispute White House claims that federal support remains unchanged, saying election security assistance has clearly declined.

Researchers say Nitrogen ransomware's ESXi variant contains a fatal cryptographic flaw that permanently destroys data, even for the attackers themselves. The malware is derived from leaked Conti2 builder code and uses public key cryptography to encrypt files. However, a coding error overwrites four bytes of the per-file public key in memory before encryption. As a result, files are encrypted using a corrupted public key that has no corresponding private key. This breaks the normal key exchange process and makes decryption mathematically impossible. Paying a ransom will not help, since the attackers' decryption tools cannot recover the data either. Victims without reliable backups have no recovery path, analysts warn. Organizations hit by Nitrogen on ESXi systems are advised to carefully assess encrypted files alongside the specific malware sample, as recovery outcomes depend entirely on whether backups exist.

Coming up after the break, in our Threat Vector segment, David Moulton sits down with Dr. Aaron Isaacson to explore why engineering excellence must precede ethical AI debates. And supersize your passwords. You want fries with that? Stick around.

Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result? Fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.

If securing your network feels harder than it should be, you're not imagining it. Modern businesses need strong protection, but they don't always have the time, staff, or patience for complex setups. That's where NordLayer comes in. NordLayer is a toggle-ready network security platform built for businesses. It brings VPN, access control, and threat protection together in one place. No hardware, no complicated configuration. You can deploy it in minutes and be up and running in less than 10. It's built on zero trust principles, so only the right people can get access to the right resources. It works across all major platforms, scales easily as your teams grow, and integrates with what you already use. And now NordLayer goes even further through its partnership with CrowdStrike, combining NordLayer's network security with Falcon endpoint protection for small and mid-sized businesses. Enterprise-grade security, made manageable. Try NordLayer risk-free and get up to 22% off yearly plans, plus an extra 10% with the code CYBERWIRE10. Visit nordlayer.com/cyberwiredaily to learn more.

On our latest segment from the Threat Vector podcast, host David Moulton sits down with Dr. Aaron Isaacson to explore why engineering excellence must precede ethical AI debates.
