A
You're listening to the CyberWire Network, powered by N2K. Looking to understand the cybersecurity risks emerging beyond Earth's atmosphere? In the weekly Signals in Space newsletter, T-Minus host Maria Varmazis and producer Ethan Cook connect the dots between terrestrial infrastructure and the growing attack surface in space. Each week you'll get the latest space cyber headlines, direct access to the week's T-Minus podcast conversation, plus expert insights and resources to help security professionals better understand this rapidly evolving domain. Space systems are becoming critical infrastructure. Signals in Space helps you stay ahead of the threats shaping the next frontier. Subscribe now to the Signals in Space newsletter.
B
The 2026 Chevy Equinox is more than an SUV. It's your Sunday tailgate and your parking lot snack bar. Your lucky jersey, your chairs and your big cooler fit perfectly in your even bigger cargo space. And when it's go time, your 11.3-inch diagonal touchscreen's got the playbook, the playlist, and the tech to stay a step ahead. It's more than an SUV. It's your Equinox. Chevrolet. Together, let's drive.
A
International law enforcement disrupts the SocGholish botnet. The UK's cyber chief says cybersecurity is a contest, not a risk register. Ukraine joins the EU's cyber reserve. The Gentleman gang sharpens its ransomware toolkit. A WordPress supply chain attack spreads malware. Critical patches land from F5, Atlassian and Splunk. Agent jacking targets AI coding assistants. Kodak confirms a breach claimed by ShinyHunters. Our guest is Ben Yellen from the University of Maryland Center for Cyber Health and Hazard Strategies on the failure of FISA Section 702 to reauthorize. And criminal coders face automation anxiety. It's Thursday, June 18, 2026. I'm Dave Bittner and this is your CyberWire intel briefing. Thanks for joining us here today. It's great as always to have you with us. International law enforcement agencies have disrupted a major malware distribution network linked to the SocGholish botnet and the Russian cybercrime group Evil Corp. As part of Operation Endgame, authorities from the Netherlands, Canada, the US and Germany cleaned malware infections from nearly 15,000 compromised WordPress websites and took down 106 servers and domains. SocGholish, also known as FakeUpdates, infects legitimate websites and tricks visitors into downloading malware disguised as browser updates. Once installed, it gives attackers access to victims' systems and can deliver additional malware, including ransomware and banking trojans. Officials say the operation not only removed active infections but also reduced the risk of compromised systems being used in future cyber attacks. Authorities describe the takedown as the first step in a broader campaign targeting the infrastructure and operators behind SocGholish and related criminal activity. Three quarters of cyber incidents affecting UK critical infrastructure over the past year were linked to hostile nation state actors, according to NCSC CEO Richard Horne.
Speaking at the Royal United Services Institute's annual security lecture, Horne said the agency handled around 200 significant incidents between June 2025 and May 2026, with threats largely attributed to countries such as Russia, China and Iran. Horne argued that cybersecurity should be viewed as a continuous contest rather than a risk that can be fully managed. He outlined threats across three spaces: the far space, where governments disrupt adversaries through intelligence and law enforcement; the mid space, where attackers exploit cloud platforms, open source software and emerging AI capabilities; and the near space, where organizations must focus on understanding exposure, defending systems and responding effectively. He warned that artificial intelligence is accelerating attackers' ability to identify and exploit long standing vulnerabilities, particularly in legacy systems. The NCSC assesses that AI enabled attacks against critical infrastructure vulnerabilities are highly likely by 2028. Horne also cautioned that adversaries are already pre-positioning inside critical infrastructure networks, citing the Chinese linked Volt Typhoon campaign as an example. Industry experts echoed his message, stressing that organizations must move beyond compliance checklists, address unsupported legacy technology and close knowledge gaps between IT and operational technology environments. Horne's central message was that cyber defense requires continuous investment and improvement because vulnerabilities tolerated today could become strategic liabilities in future conflicts. Ukraine has been granted access to the European Union's Cybersecurity Reserve, enabling Kyiv to request emergency assistance from EU approved cybersecurity experts during major cyberattacks that overwhelm its own response capabilities. Managed by ENISA, the Reserve provides incident response, digital forensics, technical expertise, recovery support and threat intelligence sharing.
The move carries both practical and political significance. Ukrainian officials say it integrates the country into the EU's collective cyber defense framework ahead of formal EU membership and reflects deepening security cooperation between Brussels and Kyiv. Ukraine, which has faced sustained cyber attacks since Russia's invasion in 2022, will be able to draw on specialized expertise from across Europe during large scale incidents. Officials also emphasize that the relationship will be reciprocal. Ukraine already shares intelligence on Russian cyber tactics with European partners and hopes its cybersecurity firms may eventually contribute to the Reserve as trusted service providers. Researchers at ESET say the Gentleman ransomware as a service gang maintains a mature suite of tools designed to disable endpoint detection and response, or EDR, products before attacks. The group's in house framework, named Gentle Killer by ESET, includes at least eight variants that abuse vulnerable or malicious drivers and impersonate legitimate security tools through fake version data, copied certificates and matching icons, ESET says. Gentleman also integrates third party EDR killers, including Hex Killer, Throttle Blood and Havok Killer, into a standardized tool set for affiliates. The gang can reportedly adapt newly disclosed bring your own vulnerable driver proof of concept code within days. Gentleman lowers the barrier for ransomware affiliates and complicates attribution. ESET says defenders should focus on incident level analysis to identify the group's tooling and anticipate future EDR killing variants. A supply chain attack compromised three paid WordPress plugins from Shaped Plugin, distributing malware through the company's official update system to customers. According to Wordfence, attackers injected malicious code into Product Slider Pro, Real Testimonials Pro, and Smart Post Show Pro.
Beginning May 21, the malware installed hidden fake WooCommerce plugins that could steal WordPress credentials, two factor authentication secrets, database credentials, administrator details, and recent WooCommerce order data. It also provided attackers with remote file writing capabilities. Researchers believe the breach originated in Shaped Plugin's build pipeline rather than WordPress.org, whose hosted versions remained clean. Shaped Plugin acknowledged the incident and released patched versions of the affected plugins. Administrators who installed the compromised updates are advised to remove any fake WooCommerce plugins, reset passwords, regenerate 2FA secrets, and review user accounts for unauthorized additions. F5 has issued emergency security updates for multiple NGINX products to fix two critical vulnerabilities. The flaws affect specific non default configurations and could allow unauthenticated attackers to trigger denial of service conditions or potentially execute code through memory corruption vulnerabilities. F5 also patched two high severity flaws in NGINX Gateway Fabric. While there's no evidence of active exploitation, administrators are urged to apply updates promptly or implement available mitigations, given F5 products' history as targets for both cybercriminal and nation state attackers. Atlassian and Splunk have released security updates addressing multiple vulnerabilities, including a critical flaw in Splunk AI Toolkit. The vulnerability could allow unauthenticated administrators to execute arbitrary operating system commands due to unsafe shell command handling. Splunk also fixed an information disclosure issue that could enable data exfiltration through outbound requests. Atlassian published 100 security bulletins covering vulnerabilities across products including Jira, Confluence, Bitbucket, Bamboo and Crowd. Most flaws stem from third party dependencies, including critical issues in Axios, Apache Tomcat and Netty.
Both vendors urge customers to apply updates promptly to reduce exposure. Tenet Threat Labs has demonstrated agent jacking, an attack technique that exploits AI coding assistants by injecting malicious instructions into fake Sentry error reports. Researchers showed that attackers could use publicly exposed Sentry project identifiers to submit crafted error reports containing hidden instructions. When AI coding agents such as Claude Code, Cursor, or OpenAI Codex analyze those reports through Sentry integrations, they may treat attacker controlled text as trusted guidance and execute commands on a developer's machine. Tenet's proof of concept used a harmless validation package but warned the technique could be used to steal credentials or execute malicious code. During testing, AI assistants at more than 100 organizations executed the validation code. Researchers say traditional security tools may struggle to detect the attack because all actions appear authorized. Tenet has released a mitigation tool called Agent Jackstop. Kodak has confirmed a data breach after the ShinyHunters cybercrime group claimed it stole data from the company's systems. The hackers allege they obtained more than 2.2 million customer and corporate records and threatened to publish the information unless a ransom is paid. Kodak said an unauthorized third party accessed a limited amount of company data but stated the incident has been contained and poses no threat to its systems or operations. The company is investigating with external cybersecurity experts and has notified law enforcement. Coming up after the break, my conversation with Ben Yellen, my Caveat co-host. We're discussing the failure of FISA Section 702 to reauthorize, and criminal coders face automation anxieties. Stay with us. What's the one thing in business that's spreading as fast as AI? AI risk. Every new tool your team signs up for.
Every vendor that turns on AI features, every new integration, each one creates another opportunity for something to go wrong. And most security programs just weren't built for AI's pace of growth. Enter Vanta. Vanta is the number one agentic trust platform used by more than 16,000 fast moving companies like Ramp, Cursor and Harvey to help ensure they're always audit ready. And now Vanta is helping companies watch for the risks that show up between audits across vendors, AI tools and their entire environment. The Vanta agent works like a 24/7 GRC engineer in the background, finding issues, drafting fixes and cutting vendor assessment time by up to 50%. Whether you're a fast growing startup or a global enterprise, Vanta is here to help you automate your security and compliance and earn and prove trust. Get started today at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
B
This episode is brought to you by Google Chrome. You think you know a browser, but Gemini in Chrome? That's new. It can help you with practically anything on the web, like restoring a vintage motorcycle from a 50 page restoration blog. Or finally break down that long article you've had open for weeks. Gemini in Chrome is here for it, ready to make anything online make sense. There's no place like Chrome. Check responses. Setup required. Compatibility and availability vary. 18+.
A
It is always my pleasure to welcome back to the show Ben Yellen. He is from the University of Maryland Center for Cyber Health and Hazard Strategies and also my co-host over on the Caveat podcast. Ben, welcome back.
C
Thanks. Good to be with you again, Dave.
A
So we've got some interesting developments with Section 702. What's the latest here?
C
So as of this recording, Section 702 as a statute has expired for the first time since it was authorized in 2008. Section 702 is the authority for the government to surveil non-US persons reasonably believed to be outside of the United States for foreign intelligence purposes. The controversial aspect of it is the fact that there's incidental collection of US persons' communications. Those go into a database that can be searched without a warrant in many different contexts. So there have been some significant fights on reauthorization. There are members of both political parties who are adamantly opposed to Section 702 in the absence of a robust warrant requirement for querying of that database. But when push comes to shove, Congress has always reauthorized Section 702 when it's been set to expire.
A
Right?
C
They reauthorized it easily in 2012. There was a minimal fight in January 2018. For the next reauthorization in the late Biden years, in 2024, again, there was a pretty robust debate in Congress on reauthorization. They considered a warrant requirement for querying the database. Ultimately, that warrant requirement was very narrowly rejected. The program was reauthorized. It appeared as if we would go through the same process here. There would be a significant legislative battle, lots of different amendments, maybe some modicum of reforms, but ultimately no robust warrant requirement, and the program would be reauthorized. But that ultimately did not happen. And one of the main reasons is that the Director of the Office of National Intelligence, Tulsi Gabbard, is leaving her position. And President Trump put this guy named Bill Pulte, who only has experience working in the housing sector and for the Federal Housing Administration, he put him in the role of acting Director of the Office of the Director of National Intelligence. And so the Democrats' position became, we are not going to grant this administration Section 702 surveillance authority if this guy is in charge. This political hack is in charge of the Office of the Director of National Intelligence.
A
Am I correct? There is a statutory requirement that this director have national intelligence experience?
C
Yes, there is. Ultimately, that's hard to enforce. I mean, what is Congress really going to do about it? They don't. An acting position is not subject to Senate confirmation, for example.
A
Right.
C
And those types of requirements, you know, I see it in the emergency management context. The Director of FEMA is supposed to have emergency management experience. And when we're talking about acting appointments, very frequently in the recent past, those acting directors of FEMA had no emergency management experience. So it's kind of more of a suggestion than an actual mandate. At least that's how it works in practice. But, yes, this is only intended to be a temporary appointment. President Trump made that clear after the House of Representatives rejected a reauthorization bill of Section 702 and skipped out of town for two weeks. Finally, then, President Trump did nominate somebody, Jay Clayton, who seems to be quite qualified and respected on both sides of the aisle, to be the permanent head of the Office of the Director of National Intelligence. But that came too late for Congress to really do anything about it to reauthorize Section 702. So at least for the time being, Section 702 is not in effect, but
A
it may be business as usual because there's some opinions that it can continue.
C
That's exactly right. So Section 702 is reviewed annually by the Foreign Intelligence Surveillance Court. And the way the process works is the government applies for annual authorization to conduct surveillance pursuant to Section 702. The government had gotten that annual approval just a couple of months ago. And presumably, even though that opinion hasn't been declassified yet, presumably that authority runs through the beginning of 2027. Most legal scholars believe that because of the FISA court's decision granting the government authority to conduct these searches through early 2027, because of that decision, Section 702 can kind of continue on autopilot through that time period without any significant changes. That's what most legal scholars think.
A
So might that take the pressure off of Congress to do anything?
C
I think it definitely does. I think it definitely does. I think there are members of both parties who think that because we have this fallback here with the judicial authorization, there isn't as much urgency to reauthorize Section 702. Now, there are risks. There's always the chance that companies could refuse directives to turn over communications because they are concerned about legal liability without Section 702 being in place as a statute. That's always a possibility, even though that's something that legal scholars wouldn't agree with as a proposition. But yes, I think that is taking away some of the urgency of reauthorization.
A
So where do you think we're headed here? Are we in a holding pattern?
C
For the moment we are. I mean, we got another wrench that was thrown in over the weekend because President Trump said that he wouldn't support a FISA reauthorization unless it also included the SAVE America Act, which is a bill on voting procedures. That's a bill that Democrats are never going to support. And Republicans cannot reauthorize Section 702 on their own with their majorities in Congress. There are too many Republican opponents to it. So they need Democratic votes. And if the SAVE America Act is a condition, they are not going to get Democratic votes. And we will continue to be in a holding pattern until one side budges or we have an election and circumstances change.
A
All right. Well, 702 continues to be a bit of a political football, doesn't it?
C
The news story that never ends.
A
That's right. That's right. Ben Yellen is from the University of Maryland Center for Cyber Health and Hazard Strategies and also my co-host on the Caveat podcast. Ben, thanks so much for joining us.
C
Thank you.
A
And finally, it turns out cybercriminals may have more in common with office workers than they'd care to admit. They're worried AI could take their jobs. Researchers at Sophos found growing debate across underground forums and dark web marketplaces as AI powered hacking tools become more common. Criminals are already using generative AI to create phishing campaigns, overcome language barriers, generate deepfake personas for fraud, and even assist with malware development. Not everyone is celebrating. Some forum users worry AI tools could undercut manual malware developers, drive down earnings and flood the market with lower quality code. Others remain skeptical, arguing the hype around advanced models like Claude Mythos is overblown. Still, discussions about AI's impact on the cybercrime economy continue to grow. Meanwhile, Sophos advises defenders to focus on fundamentals such as patching, multi factor authentication and visibility, because regardless of who writes the malware, attacks still need a way in. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. A quick program note: we are not publishing our daily CyberWire Briefing tomorrow. On Friday, June 19th, in honor of the Juneteenth federal holiday, we will be placing one of our retrospective 10th anniversary celebration podcasts in your feed. So please do enjoy that. Be sure to check out this weekend's Research Saturday and my conversation with Tom Kellermann, VP of AI Security and Threat Research at Trend Micro. The research we're discussing is titled Inside Shadow Water 063's Banana Rat from Build Server to Banking Fraud. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Tre Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
D
You can't reason with the sun. Trust us, we've tried. This summer, it's time to put that angry ball of fire on mute. Columbia's Omni-Shade technology is engineered to protect you from the sun's harsh rays that can burn and damage your skin. The sun is relentless, but so is our gear. Level up your summer at columbia.com to spend more time outside and less time slathering on aloe lotion. You're welcome. Columbia. Engineered for whatever.
This episode delivers the latest key developments in the cybersecurity landscape, highlighting a wave of global law enforcement action against the SocGholish botnet, high-profile ransomware and supply chain attacks, critical vulnerability patching across major vendors, and shifting intelligence surveillance powers in the United States. Notably, guest expert Ben Yellen analyzes the political and operational fallout from the lapse of FISA Section 702, and the episode closes with a look into how AI is fueling both progress and anxiety in the cybercrime underground.
"Cyber defense requires continuous investment and improvement, because vulnerabilities tolerated today could become strategic liabilities in future conflicts." — Richard Horne [03:50]
“Ukraine already shares intelligence on Russian cyber tactics…and hopes its cybersecurity firms may eventually contribute to the Reserve." — [05:40]
“Administrators…are advised to remove any fake WooCommerce plugins, reset passwords…and review user accounts for unauthorized additions.” — [08:15]
“Traditional security tools may struggle to detect the attack because all actions appear authorized.” — Tenet Threat Labs [11:05]
Guest: Ben Yellen, University of Maryland Center for Cyber Health and Hazard Strategies & Caveat podcast co-host
Section 702 Overview:
Expiration & Political Gridlock:
"The Democrats' position became, we are not going to grant this administration Section 702 surveillance authority if this guy is in charge. This political hack is in charge of the Office of the Director of National Intelligence." — Ben Yellen [17:13]
Legal Technicalities – Is Surveillance Actually Paused?
"Presumably ... Section 702 can kind of continue on autopilot through that time period without any significant changes. That's what most legal scholars think." — Ben Yellen [20:30]
Ripple Effects & Outlook:
"We will continue to be in a holding pattern until one side budges or we have an election and circumstances change." — Ben Yellen [21:55]
The episode maintains a brisk, analytical, and insight-driven tone, combining headline-style summaries with direct source attribution and expert testimony. The host facilitates accessible, non-partisan, and detailed discussion, capturing both technical details and bigger-picture implications.