A
You're listening to the CyberWire Network, powered by N2K. Maybe that's an urgent message from your CEO. Or maybe it's a deepfake trying to target your business. Doppel is the AI native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross channel attacks to building team resilience and more. Doppel, outpacing what's next in social engineering. Learn more at doppel.com, that's D-O-P-P-E-L dot com. Google says AI powered cybercrime has gone industrial scale. Two new Windows zero days emerge. Signal threatens to leave Canada over lawful access legislation. A Pentagon linked influence operation shifts to paid ads. Linux admins scramble to patch a new root level flaw. Famous Sparrow targets Azerbaijan's energy sector. Cisco announces layoffs despite record revenue. An alleged Dream Market administrator faces cryptocurrency money laundering charges. Our guest is Cynthia Kaiser, SVP of the Ransomware Research Center at Halcyon, with the latest on the Akira ransomware group. And the surveillance will continue until employee sentiment improves. It's Thursday, May 14, 2026. I'm Dave Bittner and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great as always to have you with us. Google Threat Intelligence Group reports that AI driven cyber threats have evolved from experimental use into industrial scale operations. According to GTIG, threat actors are now using generative AI for vulnerability discovery, malware development, defense evasion and large scale information operations. Researchers identified what they believe is the first AI developed zero day exploit potentially intended for mass exploitation. AI enabled malware such as Prompt Spy demonstrates increasingly autonomous attack behavior, while adversaries linked to China, North Korea and Russia are integrating AI into offensive workflows.
Attackers are also targeting AI supply chains and using anonymized infrastructure to abuse large language models at scale. GTIG says AI remains a dual use technology serving both attackers and defenders. Google reports it's using AI tools like Big Sleep and CodeMender to identify vulnerabilities, automate fixes and strengthen defenses against evolving threats. An anonymous researcher known as Nightmare Eclipse, also called Chaotic Eclipse, has disclosed two additional Windows zero day vulnerabilities following Microsoft's latest Patch Tuesday update. The flaws, dubbed Yellow Key and Green Plasma, reportedly enable BitLocker bypass and privilege escalation attacks. According to The Register, Yellow Key requires physical access and a specially prepared USB drive to gain shell access to BitLocker protected systems, raising concerns about stolen devices and data exposure. Security experts said organizations can partially mitigate the threat using BitLocker PINs and BIOS passwords. Green Plasma includes partial exploit code that could eventually enable system level access, although researchers noted it still triggers User Account Control prompts in default configurations. These disclosures follow earlier leaks from Nightmare Eclipse, including Blue Hammer, Red Sun and Undefend. Some previously linked exploits were reportedly adopted quickly in real world attacks, raising concerns about additional future disclosures. Secure messaging platform Signal says it could withdraw from Canada if Bill C22 forces changes that weaken user privacy or encryption protections. Signal's vice president said the company has serious concerns about Ottawa's proposed lawful access regime, which would require telecom and electronic service providers to support surveillance capabilities for law enforcement and the Canadian Security Intelligence Service.
Signal warned that mandated system changes could introduce exploitable vulnerabilities and make encrypted platforms attractive targets for foreign adversaries and cybercriminals. The bill could also require certain providers to retain metadata for up to a year. Privacy advocates and technology companies argue the legislation could fundamentally weaken end to end encryption and require permanent structural changes to secure communication systems. Canadian officials maintain the bill is encryption neutral. A new analysis suggests Pentagon linked online influence operations have shifted away from fake social media personas and toward paid promotion of quasi news websites targeting audiences across the Middle East, Latin America, Russia and Asia. The report identifies a network of multilingual sites tied together through shared infrastructure, advertising activity and code patterns. Unlike earlier covert campaigns that relied on coordinated inauthentic behavior, the newer network appears to amplify mostly factual, selectively framed content through advertising on X, Meta and Google platforms. Researchers linked the sites to contractor General Dynamics Information Technology, which reportedly ran ads promoting the outlets. The operation reflects an evolution in state backed influence tactics. Instead of fabricated engagement or bot farms, the newer model appears designed to shape narratives through targeted distribution, selective framing and reduced transparency around sponsorship. Linux distributions are deploying patches for a newly disclosed high severity privilege escalation vulnerability that allows local attackers to gain root access on vulnerable systems. Nicknamed Fragnasia, the flaw affects Linux kernels released before May 13, 2026. Researcher William Bolling of Zelix said the bug stems from a logic error in a Linux subsystem.
According to Bolling, attackers can exploit the flaw to write arbitrary bytes into the kernel page cache of read only files, enabling modification of protected binaries to obtain root shells. A proof of concept exploit has already been released publicly. Fragnasia belongs to the broader Dirty Frag class of Linux privilege escalation vulnerabilities, which security researchers say can undermine core system protections. Administrators are being urged to patch immediately or disable affected kernel modules where possible. Researchers at Bitdefender Labs say the China aligned threat group Famous Sparrow targeted an Azerbaijani oil and gas company in a multi wave intrusion campaign spanning late 2025 through early 2026. According to the report, the attackers exploited the ProxyNotShell vulnerability to compromise a Microsoft Exchange server and deployed the SnappyBee, or Deed RAT, backdoor through DLL sideloading in later stages. The group introduced turn door malware and a rootkit enabled driver to gain deeper system control, steal administrator credentials and move laterally across the network using Remote Desktop Protocol and Impacket tools, researchers said. The attackers repeatedly regained access through the same unpatched Exchange vulnerabilities despite remediation efforts. The campaign highlights how advanced threat actors maintain persistence by repeatedly exploiting unresolved entry points while adapting malware and evasion techniques over time. Cisco says it will cut fewer than 4,000 jobs as part of a broader restructuring tied to its push into AI networking and other strategic growth areas. In a memo titled Our Path Forward, CEO Chuck Robbins praised employees for delivering record quarterly revenue of $15.8 billion and double digit growth even amid supply chain pressures and intensifying competition. The company said the restructuring is intended to realign resources around AI infrastructure and future investments.
Cisco also said affected employees will receive severance support and one year of access to Cisco training and certification programs. The announcement lands amid strong financial performance, underscoring the uncertainty many technology employees face as companies redirect spending toward AI focused priorities and operational restructuring. US prosecutors have indicted O. Martin Andresen, a German national accused of serving as the primary administrator of the now defunct Dream Market darknet marketplace and laundering millions in criminal proceeds. According to the indictment, Andresen allegedly controlled cryptocurrency wallets tied to Dream Market after the platform shut down in 2019 under law enforcement pressure. Investigators say he moved funds from dormant marketplace wallets into consolidated accounts beginning in 2022, then used cryptocurrency to purchase gold bars shipped to Germany. Authorities allege he laundered more than $2 million between 2023 and 2025. During coordinated searches in Germany, investigators reportedly seized roughly $1.7 million in gold bars and identified additional bank accounts and cryptocurrency holdings. The case highlights how law enforcement agencies continue tracing cryptocurrency transactions years after darknet marketplaces disappear, targeting the financial infrastructure that supports transnational cybercrime and narcotics trafficking. Coming up after the break, my conversation with Cynthia Kaiser from Halcyon. She brings us the latest on Akira ransomware. And the surveillance will continue until employee sentiment improves. Stay with us. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years.
Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guardsquare provides industry leading security for your Android and iOS apps at www.guardsquare.com. No, it's not your imagination. Risk and regulation are ramping up, and customers expect proof of security just to do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI powered platform. Whether you're preparing for a SOC 2 or managing an enterprise GRC program, Vanta helps keep you secure and your deals moving. Companies like Ramp and RYTR report spending 82% less time on audits. That's not just faster compliance, that's more time to focus on growth. When I look around the industry, I see over 10,000 companies, from startups to big enterprises, trusting Vanta. Get started at vanta.com/cyber. Cynthia Kaiser is Senior Vice President of Ransomware Research at Halcyon. I recently caught up with her to discuss their recent report, Akira Ransomware Attacks in Under an Hour.
B
Akira's one of the most significant threats we're tracking. FBI actually last week put out their Internet Crime Report for 2025 and listed it as the number one group. But what I would say about it is it's really one of the most professional, business optimized groups we follow. They're volume driven, they're trying to make a lot of decisions so that it incentivizes victims to pay. And not all of those are really dastardly. Some of them are just more efficient.
A
One of the things your research highlights here is the speed at which Akira can do the things that they're up to. Can you take us through that? I mean, some of these can happen in under an hour.
B
That's crazy, right? Like think of that. A few years ago we used to believe, right? We used to believe, hey, an actor gets on the network and they're going to kind of look around, move laterally, find what's useful. And defenders assumed they had weeks of dwell time to really identify these threat actors. But Akira has taken kind of their experience, their ability to rapidly operationalize certain vulnerabilities and then move incredibly quickly using a playbook across a network to be able to go from initial access to full encryption in sometimes under an hour. But I would even say most often about four hours. That's so fast. I mean, that's dinner with your family and then it's done. I don't know how any human really can keep up with that.
A
Well, you talk about the full attack life cycle, what happens during that window between initial access to encryption.
B
So Akira typically is able to get onto networks through the exploitation of certain vulnerabilities. One of those really is the SonicWall vulnerabilities that we've seen several actors start to use. But they're getting on, they're establishing that initial foothold, starting to develop and identify credentials, and then they rapidly cascade into a full domain compromise. So they'll commonly use tools when they go across your network that are often found already there. They're using Impacket, like data staging tools. They are developing persistence through things like AnyDesk and then using just other items which we've seen across other attack cycles. But what makes it really fast, and what makes a lot of the groups nowadays much faster, is as they're going through and looking across the network, they're really targeting hypervisors, and that's the heart of a network that allows for the virtualization across it. All right, we're all connected more, we all have more connected devices than we did in the past. If a group like Akira is able to stage there, they can try to encrypt over a hundred servers at once. And that can be just really impactful very quickly.
A
So talking about the speed here, is this mostly the result of automation? Are they pre positioning themselves before encryption? How do they achieve this?
B
So in a few ways. One is the hypervisors that I talked about. Those have really just rapidly increased the speed across most ransomware groups, because it allows speed across your own network. It allows speed for when the ransomware actors are trying to do a lot of things at once. But Akira's taken this, I think, to a different level. As they're encrypting files, they're actually not encrypting 100% of the file. In certain large files, they're only encrypting 1% of that file, because they know that still makes it inaccessible to you. But it also speeds up their operations significantly in going through and being able to encrypt files rapidly. Now, I think it's really tempting to say, oh, it must be AI, right? That's why these actors have been able to go so fast. And I mean, yeah, I'm sure groups like Akira have been able to incorporate it the same ways we all do for business efficiency on our end. But it really is a lot more just about repetition, having a playbook, being more deliberate in executing your operations via that playbook, and then using some of these tools like hypervisors, like encryption of only a small percentage of the file, to speed it up even further.
A
Yeah. One of the things that really surprised me in your research was how much Akira invests in making sure that victims can actually recover their files after paying. Why is it important for them to prioritize that?
B
Well, it's interesting, right, because most ransomware groups we see, they put a lot more effort into breaking things than they do fixing things. But because Akira sees itself as a business and it believes its operational success is predicated on creating efficiencies, being able to do volume, making sure people pay, they've spent much more significant time developing decryptors that actually work. I actually talked to an incident responder who told me once, like, I almost want to tell people that got encrypted by Akira, like, congratulations, you're probably going to get your files back a lot more. And that's not an advertisement for them. Right. It just shows that they really are trying to influence not just the victims, who may or may not know that aspect, but the incident responders, the negotiators, everybody who's involved in an incident response, when they have the knowledge that, well, this decryptor works more than this decryptor, or hey, if you pay, maybe you're going to be able to get more of your files back. I mean, that matters. And it shows how Akira really is thinking about the broad spectrum of how a victim experiences a ransomware attack to try to maximize their financial gains.
A
Yeah, it really, I guess, reflects the level of professionalism that we have with a high level group like Akira.
B
Well, it makes it scary to talk about professionalism among ransomware actors because it means they've been allowed to operate with such impunity that they've been able to develop that repetition, they've been able to develop those playbooks and develop that professionalization. It makes me kind of mad.
A
So what are your recommendations here based on all the information that you've put together in this research? How should defenders best position themselves to protect themselves here?
B
Overall, organizations that have not yet addressed exposed VPN appliances, legacy credentials and gaps in multi factor authentication and enforcement really are the most at risk of an Akira attack. So ensuring that you are patching the vulnerabilities that are exploited specifically by Akira, monitoring and restricting remote services and the misuse of valid accounts, ensuring that you can reduce your exposure from trusted relationships, third party pathways. A lot of that is going to sound very familiar to everyone, but here's what I'd emphasize. If Akira can go from initial access to full encryption in one hour, humans can't necessarily intervene in that amount of time. You really have to focus in on automated tools that detect, contain and kick off threat actors before even some of our teams can get to answer their phones. Because if we're doing that process, it's too late. So really getting into that automation, assuming you could be breached, so what happens? How do I quickly address it? What tools can I put in place to quickly address it? That's the most important thing when you're looking at such a speedy type of attack.
A
That's Cynthia Kaiser, Senior Vice President of the Ransomware Research Center at Halcyon. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allowlisting, you stop unknown executables cold. With ring fencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today.
C
Study and play come together on a Windows 11 PC, and for a limited time, college students get the best of both worlds. Get the unreal college deal, everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft 365 Premium and a year of Xbox Game Pass Ultimate with a custom color Xbox wireless controller. Learn more at windows.com/studentoffer. While supplies last; ends June 30th. Terms at aka.ms/collegepc.
A
And finally, a growing industry known as Emotion AI promises employers something managers have apparently dreamed of for centuries: not just productive workers, but cheerful, agreeable ones, too. In a sweeping look at workforce surveillance, the Atlantic's Ellen Cushing describes software that analyzes faces, voices, emails and chat messages to measure emotions like attentiveness, positivity and frustration. Some systems monitor call center tone, truck driver fatigue or employee friendliness, while others score job candidates during interviews. One fast food headset assistant is even named Patty, because nothing says human connection quite like being emotionally evaluated by a branded chatbot during the lunch rush. Researchers and privacy advocates warn the technology often rests on shaky science and can misread context, culture, disability or simple concentration as negativity. Still, companies continue adopting these tools as workplace analytics expand from measuring what employees do to measuring how pleasantly they appear to do it. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
This episode delves into the escalating sophistication of cyberthreats powered by AI, significant zero-day vulnerabilities, global threat actor activity, and the latest trends in ransomware—including an in-depth interview on the Akira ransomware group with Cynthia Kaiser (Halcyon). The show highlights the dual-edged role of AI in offense and defense, the increasing speed and professionalism of ransomware operations, government surveillance controversies, shifting information operations tactics, and the emergence of "Emotion AI" in workplace surveillance.
This episode underscores a pivotal moment: AI is now a weapon for both defenders and attackers, shifting the threat landscape toward rapid, large-scale, and increasingly professionalized attacks. The rise of industrial-scale malware, state-aligned influence campaigns, and lightning-fast ransomware groups like Akira reveals urgent new challenges for security professionals. At the same time, contentious debates over privacy, surveillance, and workplace analytics illustrate the wide impact of technology in shaping both risk and resilience in our digital lives.