A
You're listening to the Cyberwire Network powered by N2K.
B
No, it's not your imagination. Risk and regulation are ramping up, and customers expect proof of security just to do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI-powered platform. Whether you're preparing for a SOC 2 or managing an enterprise GRC program, Vanta helps keep you secure and your deals moving. Companies like Ramp and RYTR report spending 82% less time on audits. That's not just faster compliance, that's more time to focus on growth. When I look around the industry, I see over 10,000 companies, from startups to big enterprises, trusting Vanta. Get started at vanta.com/cyber. Brace yourselves for an AI-driven patch surge. Google fixes a critical Android flaw. Trellix confirms a source code breach. Apache Software Foundation ships urgent fixes. Data tied to Liberty Mutual leaks. CloudZ evolves to steal one-time passwords. Ouroboros persistence raises the stakes. A vishing suspect faces US charges. Our guest is Marcus Rauschecker, Executive Director for the University of Maryland Center for Cyber Health and Hazard Strategies, on the importance of the non-technical aspects of good cybersecurity preparedness and response. Our Threat Vector segment focuses on incident response. And if you think UK age verification is working, I mustache you a question. It's Tuesday, May 5, 2026. I'm Dave Bittner, and this is your CyberWire Intel Brief.
Thanks for joining us here today. It's great as always to have you with us. Security leaders warn UK organizations to prepare for a surge in software patches driven by advanced AI tools used by vendors to uncover vulnerabilities. National Cybersecurity Center CTO Ollie Whitehouse describes this as a forced correction of long-standing technical debt. Tools from Anthropic and OpenAI are currently restricted to vendors, enabling rapid bug discovery and remediation. Organizations are urged to prioritize external attack surfaces, enable automated patching and adopt risk-based frameworks like SSVC. However, patching alone is insufficient for unsupported legacy systems, which may require replacement. In the US, CISA may shorten patch deadlines, raising concerns about feasibility. Experts note most organizations lack the automation and visibility needed to respond at such speed. Indeed, most organizations are using AI tools, but fewer than half have formal policies to manage the risks, raising exposure concerns. New research from ISACA finds 90% of digital trust professionals report employee AI use, yet only 38% have comprehensive policies and 25% have none. This gap fuels shadow AI, where employees use tools without oversight, potentially exposing sensitive data. Many respondents say they lack visibility into these tools and remain uncertain about incident response timelines or shutdown procedures. Unmanaged AI use increases the risk of data leaks, phishing and trust erosion. Security teams face reduced visibility and slower response. Effective governance, strong data controls and leadership awareness are now critical to safely scale AI adoption. Google has released an Android update addressing a critical flaw that allows remote code execution without user interaction. The vulnerability affects Android's system component, specifically the Android Debug Bridge daemon, or adb, which manages device-to-computer communication.
Successful exploitation could allow attackers to execute code as the shell user without additional privileges. Google reports no evidence of active exploitation and notes no patches this cycle for several platforms, including Wear OS and Pixel Watch. Zero-interaction flaws raise the risk of silent compromise at scale. Even without active exploitation, organizations should prioritize rapid patching to reduce exposure. Trellix has disclosed a breach in which attackers accessed part of its source code repository. The company says it detected unauthorized access and is investigating with forensic experts and law enforcement. Trellix reports no evidence that its code distribution process was compromised or that the code has been exploited. Details on attribution remain unclear. Experts warn that access to security vendor code can reveal how defenses work and expose potential weaknesses. The Apache Software Foundation has released updates addressing multiple critical vulnerabilities in HTTP Server and MINA, including remote code execution risks. The latest version of Apache HTTP Server fixes 11 flaws, most affecting all prior versions. These include memory handling issues and protocol weaknesses that could enable denial of service or arbitrary code execution. Additional bugs expose data or allow response manipulation. Separate MINA updates resolve critical flaws tied to incomplete fixes for earlier vulnerabilities, also enabling potential code execution. Widely deployed infrastructure software presents broad attack surfaces. Organizations should patch quickly and follow configuration guidance to reduce exploitation risk. The Everest ransomware group has begun leaking data it claims was stolen from Liberty Mutual after alleging the firm did not respond to extortion demands. The group says it exfiltrated 108 gigabytes of data, including policyholder details such as names and financial information.
Liberty Mutual confirms it is investigating but reports no evidence its own systems were compromised, suggesting a potential third-party vendor incident. Attribution and full impact remain unclear. A new version of the CloudZ remote access trojan, that's Cloud with a Z on the end, is using a plugin called Pheno to steal one-time passcodes through Microsoft Phone Link. Researchers at Cisco Talos report the malware monitors active Phone Link sessions and accesses its local database to capture SMS messages and authentication codes. This allows attackers to intercept sensitive data without compromising the mobile device itself. The campaign, active since at least January, begins with a fake software update and uses multiple evasion techniques to avoid detection. This challenges traditional assumptions about mobile security. Attackers can extract authentication data through trusted desktop integrations, weakening SMS-based protections and exposing enterprise credentials. Researchers at Huntress have identified Ouroboros, a persistence technique that exploits delegated Managed Service Accounts, or dMSAs, in Windows Server 2025 to continuously extract credentials. The method abuses two design elements. It plants a shadow credential for authentication and modifies group MSA membership to let the dMSA authorize itself. This creates a loop where the account both authenticates and approves access to a linked account's credentials. The chain survives password resets and even deletion of the original attacker account. Microsoft addressed related issues previously, but does not classify this behavior as a vulnerability. This matters because it enables durable, low-noise persistence using legitimate features. Defenders may struggle to detect or remediate without deleting affected dMSAs entirely. A Romanian man has appeared in US court after extradition to face charges tied to a voice phishing bank fraud scheme.
Federal prosecutors say Gavriel Sandu was indicted in 2017 and extradited from Romania on April 30th of this year. The indictment alleges Sandu and co-conspirators hacked small businesses' Voice over IP systems from 2009 to 2010. They allegedly used scripted calls to trick bank customers into providing debit card numbers and PINs. Prosecutors say Sandu created magnetic stripe cards and withdrew victim funds from ATMs. Vishing remains a cross-border fraud threat that blends telecom abuse, stolen credentials and money mule activity. The case also shows long-running international enforcement efforts. Coming up after the break, my conversation with Marcus Rauschecker, Executive Director for the University of Maryland's Center for Cyber Health and Hazard Strategies, and our Threat Vector segment focuses on incident response. Plus, if you think UK age verification is working, I mustache you a question. Stay with us. And now a word from our sponsor, the Center for Cyber Health and Hazard Strategies, also known as CHHS. Looking for a graduate degree that will give you an edge on your professional career? Earn a Master of Science in Law at University of Maryland Carey School of Law. This part-time, two-year online graduate degree program is designed for experienced professionals to understand laws and policies that impact your industry. Learn from CHHS faculty who are experts in their field. No GRE required. Learn how you can master the law without a JD at law.umaryland.edu.
Marcus Rauschecker is Executive Director for the University of Maryland Center for Cyber Health and Hazard Strategies. I recently caught up with him to discuss the importance of the non-technical aspects of good cybersecurity preparedness and response.
C
From my perspective, there are so many critical aspects to cybersecurity that are non technical and my own personal background is in cybersecurity, but also in emergency management. And when I think about cybersecurity, I bring a lot of the core emergency management principles to my thinking about cybersecurity. What are some of those fundamental things that we should all be doing, whether we are a business or a government agency or are responsible for an entire jurisdiction? What are the things, the core principles that we should be applying to make ourselves better prepared for a cyber incident and how do we prepare ourselves better to be in a position to respond well to those incidents? There are some core non technical aspects to all of that planning. It's true that cybersecurity is often framed as a technical problem, but fundamentally when you think about it, many of the failures that we see in cybersecurity are actually just organizational failures or legal failures or human failures. They're not technological failures. So it's critically important that an organization take a holistic organization wide lens to this problem of cybersecurity and not just treat it as a technical problem, but really think about who needs to be involved at the organizational level, who has roles and responsibilities when it comes to a cyber incident, and we start thinking about that, you really realize very quickly that there are so many other dimensions to cybersecurity that are not technical that need to be considered if we want to be well prepared.
B
Well, what are some of the things that are top of mind for you that organizations need to prioritize in terms
C
of what people or organizations need to think about? It is fundamentally about first and foremost who is going to be involved in a cyber incident, who are the players within our organization, within our business, who are going to need to be involved. And that goes from the top all the way down to the newest hire. Who are the people? Who are the departments that need to be involved? What is the role of the executive leadership when we're seeing a cyber incident occur? When do the lawyers get involved? What does HR need to do during a cyber incident? How do we handle communications both internally and externally? These are questions and issues that are again, not technical, but are incredibly important to getting through a cyber incident in the best way.
B
How can governments and private organizations improve their coordination in the time before that crisis occurs?
C
Absolutely. Coordination is the fundamental piece to all this, really, because good response ultimately always depends on coordination and communication. Again, not technical issues. Right. These are issues that are just fundamental to any good preparedness effort and any good response effort. So good coordination and communication really is about identifying who the responsible parties are when it comes to preparing for and responding to an incident and then making clear what their roles and responsibilities are. If there is a cyber incident, you never want to be in a situation where there's a cyber incident that happens and then you don't know who's in charge. Right. Who's going to lead the incident response? There needs to be someone who's designated with that responsibility, with that role. And that needs to be clarified ahead of time. Because again, you do not want to be in a situation that's already stressful and then trying to figure out who's going to lead us through this, you know, what are their decision making authorities, who do they need to help them make those decisions, you know, who works together, who are all the stakeholders in that problem. Because it doesn't just depend on the organization itself usually. Right, the organization itself. If you're a business, you're going to have vendors, you're going to have customers, you might have regulators that you're dealing with, you might have government agencies that you're dealing with. So it is a giant ecosystem of stakeholders and entities that are going to be part of this response. And you want to think about how all of these pieces fit together when there is an incident. And that needs to be done ahead of time. Because like I said before, we do not want to be in a situation where we're trying to figure this out in the moment when everything is already so stressful and hectic.
B
Can we touch on the workforce development element of this? I mean, I think about organizations building their cybersecurity teams and I think sometimes there's a tendency to focus on the technical talent, but you really need a breadth of capabilities here.
C
Absolutely. So like we've been saying, cybersecurity is not just about technology, nor certainly you need the technical experts when it comes to a cyber incident. But beyond that, there are so many other dimensions to a cyber incident that are non technical. And for that you need people who are familiar with cybersecurity issues and are able to respond within their roles and responsibilities that are necessary for a proper and effective cyber response. So workforce development is critical when it comes to cybersecurity, as we all know, and we often hear about the cybersecurity talent gap out there. But it's important to remember that that gap isn't just technical. We need people with skills in law and policy, we need people with skills in risk management, we need people with skills in communications. And then finally, also let's not forget about just governance and ethics of all of this as well, especially with the emergence of newer technologies like artificial intelligence. And you know, it's important to know when I'm out there talking to folks in the industry and talking about the issue of workforce development specifically and what companies and organizations are looking for, it's very interesting to hear that lately a lot of the demand has not necessarily been focused on folks with technical abilities. Rather, what I'm hearing is that organizations are looking for people with critical thinking skills. And this is a refrain I've been hearing more and more recently. And I think it makes a lot of sense because again, as we're seeing these emerging technologies, technologies that are so powerful and that can already do so much, it really is important for all of us and every individual organization to really think about, you know, how are we going to be implementing these technologies in a responsible and effective way? What can we do to be most effective in our cybersecurity posture and our response capabilities. And all of that involves critical thinking. 
We need people who can think about the issue holistically, to think about all the dynamics, all the aspects to these issues and bring it all together in a strategic and forward thinking way. And that involves critical thinking skills. And so that's, you know, I'm not surprised to hear from the industry that that's what they're looking for these days. So it's absolutely critically important that, you know, when we're thinking about workforce development in the cybersecurity space, we are thinking about those non technical skill sets that are so critical.
B
That's an interesting insight. I'm curious, when it comes to organizations being best prepared, improving their cyber readiness, are there any recommendations you have in terms of any, let's say, cultural shifts or fundamental things that maybe is perhaps overlooked?
C
Yeah, I think we've seen a trend over, I would say, the last decade or so, where again, in the beginning, again, technology was thought to be the primary aspect of cybersecurity. The thinking was, oh, the IT department is going to handle cybersecurity. And that was a thinking that was especially prevalent among organizational leadership. Oftentimes leadership didn't really have a lot of familiarity with technology, so they were very willing to put that responsibility on IT departments within their organizations. But we've seen this drastic and rapid development of a realization that cybersecurity is not just a technical problem, but that really is an enterprise-wide problem. And that leadership first and foremost has a responsibility for understanding what the risks and the threats are to their organization and for strategically addressing those risks and threats. And that means making decisions about investments in certainly technological protections, but also investments in the workforce and investments in planning and preparedness efforts. We think about planning and preparedness with respect to all kinds of emergencies, fires or floods or what have you. But I think there has been a shift, and rightfully so, to thinking about cybersecurity as just another one of these types of emergencies. Right. And this gets back to this idea that there are core preparedness principles that we should be implementing, that we already have been implementing when it comes to natural disasters and other man-made disasters. But now we're seeing that those principles are actually being applied to cyber issues as well, cyber threats and cyber response capabilities. So it is again about good planning, testing and training those plans, exercising those plans, and making sure that when you do all that, go through that process, the traditional emergency management, emergency preparedness process, that that applies and works well for your cyber incidents as well.
Because fundamentally, whether you're a business or government agency, you have responsibility, you have responsibility to your customers, you have a responsibility to your constituents if you're a government agency. And fundamentally you want to continue providing essential services, the essential services that your organization provides. So ultimately it comes down to the question, regardless of what happens, whether again it's a natural disaster or a cyber incident, are you going to be in a position to be able to provide your, continue to provide your essential services to your constituents, to your customers. And that's fundamental. Continuity of operations planning, business continuity planning, it all comes together. And I think we have seen a shift over the years to that kind of mindset amongst organizations and I think we're all better for it.
B
I know you and your colleagues have a hand in training this next generation of people who are going to be assisting here. Can you give us an overview of the types of things that you all are working with.
C
Yes. So in terms of workforce development, we've always thought about the non technical pieces to creating a strong workforce in cybersecurity. So over a decade ago, CHHS has partnered with the University of Maryland Carey School of Law to develop a couple of academic programs geared towards law and policy education in cybersecurity. So the law school now offers a certificate program in cybersecurity law for law students pursuing a JD degree. And CHHS develops those courses and teaches those courses and brings real world experience into those courses. So our legal graduates, I think are in a really good position to have an impact on day one when they start that new job after graduation, really bringing this law and policy perspective to the issue of cybersecurity. And then beyond that, we also have helped the law school develop a Master's of Science in cybersecurity law for working professionals. The idea of this master's program is to provide an opportunity to people who are already in the field, technical folks who want to know more about legal and policy issues regarding cybersecurity. And the idea is that they probably don't have a need to become a lawyer and get a full fledged law degree, but they're probably finding themselves in meetings more and more these days where they're confronted with law and policy issues and they're having, you know, discussions and meetings with lawyers at their, at their businesses. And so this Master's of Science in Cyber Security Law at the Maryland Carey Law School is really geared towards those kind of professionals who want to know more about the law, don't need a full fledged law degree, and can learn all of that, you know, in a, in an online master's program that is flexible and really geared towards the working professional. 
So, you know, I think these are a couple of examples of academic programs that are really key to developing this holistic workforce that we certainly need when we're addressing all the threats that are related to cybersecurity.
B
That's Marcus Rauschecker, Executive Director for the University of Maryland Center for Cyber Health and Hazard Strategies. On today's Threat Vector segment, host David Moulton speaks with Steve Elovitz. They're reflecting on two decades of incident response.
F
Hi, I'm David Moulton, host of the Threat Vector podcast, where we break down cybersecurity threats, resilience, and the industry trends that matter most. What you're about to hear is a snapshot from my conversation with Adam Matic and Jared Forgeschlenker from the FBI's Cyber Division. We're talking about Operation Winter Shield. The FBI has investigated hundreds of thousands of cyber intrusions. And when Adam and Jared sat down internally to compare notes, 10 defensive gaps kept showing up over and over. In this episode, we get into why SMS-based MFA is still failing and what phishing-resilient authentication actually requires, what the FBI actually does when they show up at a digital crime scene and why it looks nothing like what you've seen on TV, and why you don't need to have your act together before you call your local FBI office. Trying might actually hurt the investigation. Let's talk about Operation Winter Shield. Right. This is a list of 10 specific recommendations rooted in y'all's recent investigations. And before we get into those individual items, I'm hopeful that you can help me understand your process. How do you go from hundreds of cases to this short list of 10 actions and then decide those are the ones that are worth amplifying to the public right now?
D
Yeah, that's, it's not necessarily an easy task. Right. Because we, we, we're constantly dealing with all kinds of different manifestations of criminal activity. We're seeing a very broad scope of the way in which actors are manipulating and exploiting systems. And to your point, it's, you know, we're in the hundreds and thousands of cases and incidents so it isn't necessarily intuitive. However it, these, these things that are in this, the key defenses that we have listed here exist in most if not all of the cases that we have. So it may seem challenging to, to break this down, but as we see this repeated over and over and over again, it's fairly intuitive from our side what bubbles to the top and which vulnerabilities make their way into all of our cases. And so externally it seems like there's a lot more complexity to it. But as we have from our headquarters side, our program managers that are keeping tabs on and tracking all of our investigations across our criminal threats and our nation state threats, we have that awareness from a top level on what aspects are being exploited continually. And so it was a fairly easy mechanism for us to build this out pretty quickly. In terms of which controls are the most commonly exploited.
E
Yeah, I was going to say it's a little bit more intuitive than it is entirely data driven. We don't have every single one of our case files tagged with the specifics of what you know, exploit was leveraged and what you know, security vulnerability and weakness was, was, was actuated by, by the threat actor. But we know as investigators what we continually see, and when we just talked internally as a team, these 10 things just bubbled to the top.
F
So end of life technology shows up in a number of the case studies behind your recommendations. I think you had SOHO routers, you had IoT devices. Walk me through what an attack actually does or an attacker actually does when a device isn't receiving patches anymore and why you think that problem persists in organizations at every size.
E
Sure, yeah. I mean, it's really the intersection of the inevitability of software vulnerabilities and a device being end of life, meaning it's not supported by the manufacturer anymore. And when those devices are on the wide open Internet, they're at the edge of networks, they're routers and firewalls. It becomes basically trivial for threat actors to use them as obfuscation points in trying to attack other systems. So effectively, what it looks like in practice is you've got a small router on the edge of a home network, it's not supported by the manufacturer, it's not supported by the provider, and there's a vulnerability in the management software of that router where effectively an attacker can just send the right type of packet, the right type of communication to some port on the outside, and immediately they have full root access to that device. Even if the owner ends up rebooting it, then they can just get back in very, very quickly because the vulnerability is still there. And what we've seen in practice is that threat actors are using automation to stitch together hundreds or thousands of these types of devices into, we either call them proxy networks or obfuscation networks. In some cases they're using them for their own nefarious means to launch attacks against US industry or other victims around the world. And in other cases they're using, they're selling access to these networks to other criminals who are wanting to do similar things. And you know, they're paying an hourly or a daily rate or whatever to use the obfuscation network or the proxy network.
D
Something else too on it is that with regard to these, this small office and home office routers, the SOHO routers, those targeted entities may not be the ultimate final end and target, which I think folks don't necessarily entirely grasp or understand. So you may have a small business that doesn't have the ability to, to purchase new devices to increase their security posture, but because that doesn't occur, that obfuscation network is able to expand and persist and then other more sophisticated targets can be accessed. And we have, as investigators and law enforcement have a real challenge back to ultimately disrupt those actors because of that initial compromise downstream of the ultimate intended target. And so a lot of what Operation Winter Shield is meant to do and the objective of this is to communicate and educate some of those smaller businesses and medium sized businesses about the way in which the security within those organizations or potentially the lack of security or lack of security measures consistent with the 10 key defenses that we highlight ultimately result in a lack of security across all of our networks that puts everyone at risk.
F
The episode is called Operation Winter Shield: What the FBI Wants Industry to Do Now, and it's live in your Threat Vector feed.
B
Be sure to catch the complete episode of Threat Vector wherever you get your favorite podcasts.
And finally, new research suggests the UK's tougher online age checks are proving less formidable than intended, with kids finding ways around them, occasionally with little more than a drawn-on mustache. A survey by UK online safety group Internet Matters found 46% of children say age verification is easy to bypass, though only about a third admit actually doing so. Workarounds range from fake birthdays and borrowed IDs to using video game characters for selfie checks. Some parents are not exactly reinforcing the rules either, with a notable share either helping or just ignoring them. Meanwhile, nearly half of children report still encountering harmful content online. Technical controls alone are not shaping behavior. Without stronger enforcement and parental alignment, safeguards risk becoming performative rather than protective. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Host: Dave Bittner, N2K Networks
Episode Theme:
Today's episode focuses on the fast-evolving landscape of cybersecurity patching, the risks arising from rapid AI-driven vulnerability discovery, and the crucial – often overlooked – non-technical aspects of cyber preparedness and response. A key interview with Marcus Rauschecker of the University of Maryland highlights the need for holistic strategies in cyber resilience, while the "Threat Vector" segment dives into lessons from the FBI’s real-world incident response.
[02:38–07:30]
[07:30–11:55]
Topic: The Critical Non-Technical Dimensions of Cybersecurity Preparedness
[12:30–26:05]
“Many of the failures that we see in cybersecurity are actually just organizational failures, or legal failures, or human failures. They're not technological failures.” [13:30]
“Who needs to be involved at the organizational level? ... Very quickly, there are so many other dimensions to cybersecurity that are not technical that need to be considered if we want to be well prepared.” [13:54]
“Good response ultimately always depends on coordination and communication. ... You never want to be in a situation where there's a cyber incident that happens and you don't know who's in charge.” [15:27]
“It’s important to remember that [the talent] gap isn’t just technical. We need people with skills in law and policy, skills in risk management, skills in communications ... and don’t forget governance and ethics.” [17:35] “Organizations are looking for people with critical thinking skills.” [18:20]
“Leadership first and foremost has a responsibility for understanding what the risks and the threats are to their organization and for strategically addressing those risks and threats.” [20:33]
[26:05–34:10]
Host: David Moulton
Guests: Adam Matic & Jared Forgeschlenker (FBI Cyber Division)
“These 10 things just bubbled to the top.” [29:43]
“Effectively, an attacker can just send the right type of packet ... and immediately they have full root access to that device.” [30:37]
“Those targeted entities may not be the ultimate final end target ... that obfuscation network is able to expand and persist and then other more sophisticated targets can be accessed.” [32:31]
“You do not want to be in a situation that's already stressful and then trying to figure out who's going to lead us through this...” [15:27]
“What I'm hearing is that organizations are looking for people with critical thinking skills. ... it makes a lot of sense because ... technologies that are so powerful ... it really is important for all of us ... to really think about, you know, how are we going to be implementing these technologies in a responsible and effective way?” [18:20]
“It becomes basically trivial for threat actors to use them as obfuscation points in trying to attack other systems.” [30:37]
“We have seen a shift, and rightfully so, to thinking about cybersecurity as just another one of these types of emergencies.” [21:25]
[36:13–38:00]
Overall message:
The cybersecurity landscape is being dramatically reshaped by AI, requiring organizations to step up both in technical patching and—critically—in organizational readiness, planning, and workforce development. Non-technical skills and holistic strategies are now essential for resilience. At the same time, old weaknesses like legacy devices and insufficiently thought-out controls (from IoT to age checks) continue to create opportunities for attackers.
For further reading:
Check out the detailed stories and daily brief at thecyberwire.com.