A
You're listening to the CyberWire network, powered by N2K.
B
Looking to understand the cybersecurity risks emerging beyond Earth's atmosphere? In the weekly Signals in Space newsletter, T-Minus host Maria Varmazis and producer Ethan Cook connect the dots between terrestrial infrastructure and the growing attack surface in space. Each week you'll get the latest space cyber headlines, direct access to the week's T-Minus podcast conversation, plus expert insights and resources to help security professionals better understand this rapidly evolving domain. Space systems are becoming critical infrastructure. Signals in Space helps you stay ahead of the threats shaping the next frontier. Subscribe now to the Signals in Space newsletter.

No, it's not your imagination. Risk and regulation really are ramping up, and these days customers expect proof of security before they'll even do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI-powered platform. So whether you're getting ready for a SOC 2 or managing an enterprise governance, risk and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me, it comes down to this: over 10,000 companies, from startups to large enterprises, trust Vanta to help prove their security. Get started at vanta.com/cyber.

Cyber Command's new chief pushes modernization as lawmakers warn commercial location data is exposing US troops. A third-party UK visa site leaks passports and selfies. Microsoft slams unpatched zero-day disclosures. Researchers uncover a new macOS malware campaign targeting crypto developers, while SEO poisoning and AI chatbots spread cryptojacking malware. Carnival confirms a massive data breach tied to ShinyHunters. Plus, the alleged Venom RAT developer is extradited to France, and a Romanian hacker is sentenced for breaching Oregon state systems. Our guest is Courtney Gus, Crisis Management Director at Semperis, discussing crisis response planning. And the surveillance on the bus goes round and round.

It's Thursday, May 28, 2026. I'm Dave Bittner, and this is your CyberWire Intel Brief.

Thanks for joining us here once again today. It is always great to have you with us.

The new head of US Cyber Command has ordered two reviews aimed at modernizing the military's cyber warfare operations and accelerating organizational reform. Army General Joshua Rudd, who assumed leadership of both Cyber Command and the National Security Agency in March, tasked MITRE with conducting an outside assessment of the command's structure and acquisition processes, according to officials familiar with the effort. The review could examine how Cyber Command manages personnel and procurement under its existing congressional authorities. Rudd also launched an internal study, led by senior officials with special operations backgrounds, to identify rapid improvements. The findings are expected to feed into his ongoing 90-day leadership review and broader CYBERCOM 2.0 modernization efforts. Cyber Command faces ongoing challenges retaining elite cyber talent and rapidly fielding new capabilities, officials say. The reviews reflect pressure to move faster and align cyber operations with a more aggressive national security posture.

US military personnel deployed in active conflict zones have reportedly been targeted using commercially available location data collected through the digital advertising ecosystem, according to a letter from U.S. Central Command shared by Senator Ron Wyden. Officials received multiple threat reports involving adversaries exploiting commercial location data to surveil or target American forces in theater. Lawmakers said the data could reveal troop movements, gathering points and behavioral patterns that could support missile, drone or roadside bomb attacks. The concerns center on the widespread trade in smartphone location data collected by apps and sold through advertising networks and data brokers. Legislators criticized the Pentagon for not moving faster to restrict tracking features on military-issued devices. Commercially available data originally intended for advertising is increasingly viewed as an operational security risk. The reports underscore how consumer surveillance infrastructure can become battlefield intelligence for hostile actors.

A third-party website offering paid assistance with UK travel authorizations exposed passport scans, selfies and location data on a publicly accessible Amazon Web Services server. The site, UK Visa Portal, is not affiliated with the British government and is reportedly operated by UAE-registered Active Lead Gen LLC. TechCrunch reported the exposed storage bucket contained at least 100,000 documents. Although the bucket did not publicly list files, researchers said anyone with the correct web address could access them. Some uploaded selfies also included embedded GPS metadata that could reveal users' home addresses. TechCrunch said it verified the exposure by contacting affected individuals directly. The company reportedly did not respond to repeated security inquiries before the server was secured. Exposed identity documents combined with geolocation data create a high-value target for identity theft, fraud and surveillance. The incident also highlights ongoing risks tied to unofficial visa and travel processing services collecting sensitive personal information.

Microsoft is condemning the public release of several unpatched vulnerabilities, warning the disclosures exposed customers to unnecessary risk before fixes were available. The company said six flaws affecting Microsoft Defender, Windows BitLocker and the Windows Cloud Filter driver were disclosed without prior coordination. Microsoft argued the releases included proof-of-concept exploit code that could aid attackers while its team rushed to develop mitigations and patches. The company reiterated support for coordinated vulnerability disclosure practices, where researchers privately report flaws before publication. The dispute highlights growing tension between rapid vulnerability disclosure and defensive patch timelines, especially as AI accelerates security research and exploit development.

Researchers at Wiz have identified a new financially motivated threat actor, tracked as Jinx-0164, targeting cryptocurrency developers through fake recruiter schemes and custom macOS malware. The campaign begins with LinkedIn outreach impersonating recruiters or business contacts, directing victims to fake meeting sites mimicking Microsoft Teams. Targets are tricked into installing a malware strain called AudioFix, a Python-based stealer and remote access tool disguised as an audio driver, according to Wiz. The malware steals credentials, cryptocurrency wallet data, cloud keys and messaging sessions. The group then abuses stolen GitHub tokens to compromise development pipelines, injecting malware into internal repositories and spreading infections through software builds. Researchers also linked the actor to a trojanized npm package containing a secondary macOS backdoor. The campaign blends social engineering, software supply chain compromise and credential theft into a targeted operation against cryptocurrency firms. The activity also highlights growing threats to macOS environments and developer infrastructure.

Microsoft researchers say threat actors are spreading GPU mining malware through poisoned search results and manipulated AI chatbot recommendations, targeting users with high-performance computers. The campaign uses fake download pages for popular utility software, including CrystalDiskInfo and HWMonitor. Victims receive trojanized zip files containing legitimate software alongside malicious code that installs the ScreenConnect remote management tool and additional malware, according to Microsoft. The attackers use persistence mechanisms, process hollowing and Microsoft-signed binaries to evade detection before deploying cryptocurrency miners optimized for graphics processing units. The campaign combines SEO poisoning, AI-assisted deception and stealthy malware techniques to maximize cryptojacking profits from powerful consumer and professional systems.

Carnival Corporation has confirmed that a phishing-related cyber attack exposed personal information belonging to nearly 6 million customers, following an April breach attributed by researchers to the ShinyHunters extortion group. The cruise operator said the incident began with a social engineering attack targeting an employee on April 14. After a review of compromised data, Carnival confirmed that names, addresses, email addresses, phone numbers, dates of birth and state identification numbers were exposed. ShinyHunters previously claimed responsibility for stealing terabytes of company data and suggested negotiations over extortion demands had failed. Carnival has started notifying affected individuals and is offering two years of credit monitoring services through TransUnion. The breach highlights the continuing effectiveness of phishing and social engineering attacks against major enterprises handling large volumes of sensitive consumer data. The incident also reflects the ongoing activity of financially motivated extortion groups targeting high-profile brands.

A 39-year-old Albanian national accused of developing and selling the Venom RAT malware has been extradited from Greece to France following a multinational investigation, authorities say. The suspect, known online as Venom, was arrested in Athens in November 2025 after investigators from Australia, Greece, France and the FBI traced his digital activity across several years. Court documents allege he sold the remote access trojan at least 36 times between 2021 and 2025. Investigators reportedly linked cryptocurrency transactions, phone records and embassy correspondence to confirm his identity. The case highlights growing international coordination against malware developers operating across borders and commercial cybercrime marketplaces.

A Romanian national has been sentenced to more than four and a half years in a US federal prison for hacking an Oregon state government network and selling access to other compromised systems, prosecutors said. Catalyn Dragomir breached the Oregon Department of Emergency Management in 2021 and sold stolen access alongside sensitive personal data taken from the network, authorities said. He also sold access to nearly a dozen other U.S. victims, causing at least $250,000 in losses. Dragomir was arrested in Romania in 2024 and extradited to the United States earlier this year. Access brokering remains a key part of the cybercrime ecosystem, enabling follow-on attacks against government and private sector targets.

Coming up after the break, my conversation with Courtney Gus, Crisis Management Director at Semperis. We're discussing crisis response planning. And the surveillance on the bus goes round and round. Stay with us.

Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source and regain control over their environments. Schedule your demo at threatlocker.com/N2K today.

When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.

Courtney Gus is Crisis Management Director at Semperis, and in today's sponsored Industry Voices segment we discuss crisis response planning.
C
My role here is actually to lead up a product called Ready1. It's a tool meant to support customers in managing cyber crisis-related events. But I wear a couple of hats here, so I do a little bit of supporting our internal crisis management and business continuity plans, as well as working with customers to solution programs of their own. Sometimes operationalizing crisis management, or understanding what that means for the organization, can be a daunting task or feel kind of like an overwhelming task. So really talking through what that looks like, the steps needed, not over-engineering the process. So I do that both internally and externally for customers.
B
Well, help us understand how do most organizations go about their crisis planning and are there general shortcomings that you see in the work that you do?
C
Traditionally we've been trained as an industry to build crisis response or business continuity plans that align with compliance requirements or, oftentimes, audit requirements. So what are the boxes we have to check or the items we should tick off? Things like calling our cyber insurance provider or communicating with a regulator. And I think that those plans are important and those milestones are critical, but I think we have to really challenge the way we look at these things moving forward. Because our industries, our organizations today, are so heavily dependent on technology, a lot of our workforce doesn't know what it's like to operate on a day-to-day basis in a manual function. What does it look like when our technology goes out? And so I'd really love to see us as organizations, as industries, challenge the way we plan and prepare and think about what kinds of decisions we're really going to need to make if things go offline or the business has a disruption. What kinds of tasks people will actually have to carry out. I think oftentimes when we exercise, we exercise decision points, but we don't necessarily exercise the execution of those decisions, the actions I have to carry out. So I think traditionally the way we plan and prepare doesn't actually align with the way we operate today. And that's what I see most often.
B
Yeah, that's interesting, because I know a lot of organizations will do their planning and they'll have a shelf full of binders with all the plans, and they'll kind of pat themselves on the back and say, we're good. Look, we even printed everything out. So if the computers go down, we're in good shape. But that often isn't enough, right?
C
No, that's a really interesting point. And we even have customers now saying, that's exactly what I'll do. I'll just take it all offline and print it out. Obviously some concerns there. You have to be in the office to get it. You have to assume everyone else is in the office to read it. It also becomes a challenge to keep it up to date and relevant. But then along those lines, you've built all these plans. We tend to practice in, I think, an ideal state, or a bit in a vacuum, meaning when we run tabletop exercises or we run preparedness exercises, we assume that those plans operate as expected. We go from step one to step two to step three. But in reality, you might go from step one to step seven to step three. Step four fails. You have to come up with a new one. And so I think we need to start practicing to fail. And we need to move away from static plans and playbooks to something that gives me enough information to make a dynamic decision that makes sense without getting too far off course. And then also assuming I can access those plans and share them and all that other good logistical stuff.
B
Do you have empathy for that impulse, for so much of this planning to be around audits? You know that's an incentive.
C
Absolutely. I mean, I come from the audit and compliance side of the house. My first foot into the cybersecurity space was managing a large-scale SOX audit here in the US, and so I understand the importance from a business perspective of aligning with those requirements and making sure you're meeting those needs, not just from a stakeholder and finance perspective, but obviously from an industry perspective. But I think we have an opportunity to continue to hit on those requirements and markers, but make better business decisions. So how do we take all of those compliance and audit requirements, pull out the stuff that matters during a severe incident or crisis or a disruption, and really make sure we're hitting on those while not compromising or shifting the way we need to respond and recover? I think it all comes back to defensibility. If I feel like I'm making a decision that aligns with our company goals, with our resiliency plan, with what matters to the business, then I feel like I can defend that decision after the incident, when all that audit and compliance comes back around for review.
B
What are your recommendations for an organization setting their priorities? How should they go about that?
C
Interesting. I just had this conversation yesterday with another organization. I think really understanding what matters to the business requires a lot of stakeholder discussion and involvement. It's not just what keeps the lights on and the doors open, but it's really what matters to us. And so if you're a healthcare organization, it might be patient care or community impact. If you're more of a retail or logistics organization, it could be maintaining stakeholder or consumer trust, or availability. But I feel like if we have a good idea of what that North Star is, then you can almost reverse engineer the supporting requirements around that. So I think having very candid and frank conversations at the level of your organization that owns the authority to make those decisions, and deciding what that North Star is and aligning on it, allows everyone else to kind of follow that guidance when they have to improvise or make an ad hoc decision. I do think there are a couple of key pieces to identifying or prioritizing. And like I said a minute ago, the big one is who has the authority to make those decisions? Who are the required stakeholders that should be in that conversation or in the room? And then really leaving with a shared alignment in terms of what matters. Because if I pulled five leaders across an organization into a room and I said, what matters to us? What are our biggest risks? What's our North Star? I would most likely get five different answers. And so making sure we leave the room with one answer, or at least one and a half answers, gets us closer to the goal.
B
Well, what happens when an organization finds themselves in this situation? You know, the pressure is on. It's not just a tabletop exercise. This is real. How do we ensure that everyone can execute when they're under this immense pressure?
C
That's a tough one. And you won't always know how people handle these intense situations until it happens. You'll see some people step forward and some people kind of pull back. Just natural human reaction. But if you don't have a plan and you don't have predefined decisions or authority points for critical milestones, then you're most likely improvising. And I think the statistics show about 60% of organizations improvise during a cyber crisis response. And that could cost the business not only time, but a significant financial investment as well. And oftentimes what you see when you don't have that predefined decision or authority is one person is on the hook for making some really critical decisions. It could be the CISO, it could be the CEO, and depending on how those decisions fall, could also mean somebody's job. And so I think really understanding what those key steps are in a crisis. It could be, if we have a ransomware attack, who makes the final decision on whether or not we pay, and how much? Is that a joint decision? Is that an individual decision? If it's a cyber crisis event, does the CISO have the authority to shut off the network? You know, having some of those predefined decisions and assigned authority gives the person the empowerment that they need to make critical decisions, knowing it's not going to cost them their job or their role afterwards, but also reduces additional downtime or additional time lag to move forward in the response and recovery.
B
I want to touch again on the compliance element of this, because is it fair to say that compliance is still in the mix here? I mean, compliance still matters, but as you say, is it a matter of prioritization?
C
Absolutely, yeah. Compliance and regulatory frameworks are definitely not going anywhere. And they do provide value. They protect consumers and stakeholders across the world. And it's important. It does provide us some alignment as well. A lot of organizations probably wouldn't know where to start without some of those requirements. I actually had a customer ask me one time, you know, who's good at this stuff? And I said, the organizations that have to be, because they spend the money on it, because they don't have a choice. And so it does definitely provide drive and alignment. I think a couple of areas where it gets really confusing and complex are where you're either a multinational, global organization, or even an organization here in the US that works across multiple states, because now you're managing multiple regulatory compliance frameworks. And that's where it can be very complex. And I think that's where prioritization becomes super critical. Not every single one of those compliance metrics is a requirement. Not every single one has clear guidelines. Oftentimes it's very gray as to how you manage those. So I think understanding what you're required to follow, what's mission critical, and prioritizing those, and then understanding that hitting on these other ones is super important but maybe not as critical, allows you to really focus on what matters when it starts to get really complex and heavy in those response times.
B
So what is the ultimate end goal here? How does an organization know that they're properly prepared?
C
I think for me, if I were to say what the end goal should be or could be, it's maintaining business operations in the event of a severe disruption. The definition of resiliency, right? So for my organization, resiliency would be maintaining customer support, consumer and stakeholder support, and the health and human safety of our employees despite a severe disruption or incident, maybe potentially a crisis. For every organization, the definition of resiliency will vary, and so understanding what it means for us to maintain minimum viable operations in the event of one of these events is super important. And then from there, aligning to what kind of requirements we might have to fall under, depending on where the incident is and who's impacted, is going to determine which regulatory and compliance requirements I have to hit on. And so I think aligning on what resiliency means for us, because that's what's going to be what matters, and then really focusing on what those key prioritized items are during that time, does take quite a bit of planning and conversation. So if I was looking at response and recovery playbook development for something like that, I might say, for an outage, these are the critical operations I want to be focused on restoring. These are the people that are impacted by those critical operations, and these are the kind of reporting or regulatory requirements I have in a situation like this. Try not to overcomplicate it more than that, because you're going to have to make a lot of improvised decisions. We don't have to over-engineer these playbooks and scenario preparation plans, but at the same time, just give me what's most important so I make sure I don't miss those, and we'll figure out the rest.
B
That's Courtney Gus, Crisis Management Director at Semperis. For more links related to today's discussion, please check out our show notes.
D
Study and play come together on a Windows 11 PC, and for a limited time, college students get the best of both worlds. Get the Unreal College Deal: everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft 365 Premium and a year of Xbox Game Pass Ultimate with a custom color Xbox wireless controller. Learn more at windows.com/studentoffer while supplies last. Ends June 30th. Terms at aka.ms/CollegePC.
A
When you need to build up your team to handle the growing chaos at work, use Indeed Sponsored Jobs. It gives your job post the boost it needs to be seen and helps reach people with the right skills, certifications and more. Spend less time searching and more time actually interviewing candidates who check all your boxes. Listeners of this show will get a $75 sponsored job credit at Indeed.com/podcast. That's Indeed.com/podcast. Terms and conditions apply. Need a hiring hero? This is a job for Indeed Sponsored Jobs.
C
The wheels on the bus go round and round, round and round, round and round.
B
And finally, BusPatrol, the company behind AI-powered systems on more than 40,000 US school buses, is reportedly preparing to expand those systems into full-time automated license plate readers. In other words, the big yellow bus may soon be doing more than carrying kids and stopping traffic. It may also be cataloging where everyone else was driving that afternoon. According to leaked documents reviewed by 404 Media, the upgraded system would photograph passing vehicles, log license plates and GPS locations, and make that data searchable by law enforcement, potentially through integrations with Axon. Critics warn the plan transforms a child safety tool into a mobile surveillance network, raising concerns about warrantless tracking, ICE access and mission creep. BusPatrol internally acknowledged the controversy but reportedly believes the child protection angle will help sell the expansion. Mobile license plate systems dramatically widen surveillance coverage compared to fixed cameras. Privacy advocates say the technology risks normalizing mass tracking under the banner of public safety, a familiar pattern in the post-9/11 surveillance era. The surveillance on the bus goes round and round.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
D
Did you know if your windows are bare, indoor temperatures can go up 20 degrees? Turn the temperature down with blinds.com and get up to 50% off custom window treatments like solar roller shades and more during the Memorial Day Mega Sale. Whether you want to DIY it or have a pro handle everything, we've got you: free samples, real design experts and zero pressure. Just help when you need it. This is your last chance to shop up to 50% off sitewide during the Memorial Day Mega Sale at blinds.com. Rules and restrictions apply.
CYBERWIRE DAILY – The Military Wants to Move at Cyber Speed
May 28, 2026 | Host: Dave Bittner (N2K Networks)
This episode of CyberWire Daily delivers the latest cybersecurity news, focusing on the U.S. military's push to modernize its cyber operations to keep pace with global threats. Key topics include the risks of commercial location data for troops, several major breaches (including Carnival and a UK visa site), evolving malware campaigns targeting cryptocurrency and macOS users, and the impact of compliance on crisis response in organizations. A special interview with Courtney Gus, Crisis Management Director at Semperis, explores practical crisis response planning and the complex relationship between compliance and real-world business continuity.
[03:04]
Quote:
“The reviews reflect pressure to move faster and align cyber operations with a more aggressive national security posture.” [04:45]
[05:00]
Quote:
“Consumer surveillance infrastructure can become battlefield intelligence for hostile actors.” [06:09]
[07:09]
Insight:
Unregulated visa and travel processing companies collecting sensitive data pose ongoing security and privacy threats.
[09:45]
Quote:
“The dispute highlights growing tension between rapid vulnerability disclosure and defensive patch timelines…” [10:58]
[11:28]
Quote:
“The campaign blends social engineering, software supply chain compromise and credential theft…” [12:33]
[13:00]
[14:00]
A. Venom RAT Developer Extradited to France [15:13]
B. Oregon State Government Hacker Sentenced [15:57]
[16:18]
[17:13]
Quote:
“I think we need to start practicing to fail… move away from static plans and playbooks to something that gives me enough information to make a dynamic decision.” [19:57]
[18:59]
[20:20]
Quote:
“I think it all comes back to defensibility. If I feel like I'm making a decision that aligns with our company goals … then I feel like I can defend that decision after the incident.” [21:13]
[21:34]
Quote:
“If I pulled five leaders … and I said, what matters to us? What are our biggest risks? What's our North Star? I would most likely get five different answers.” [22:42]
[23:27]
Example:
“In a crisis, it could be, if we have a ransomware attack, who makes the final decision on whether or not we pay and how much? Is that a joint decision? Is that an individual decision?” [24:13]
[26:42]
Quote:
“We don't have to over engineer these playbooks and scenario preparation plans, but at the same time, just give me what's most important so I make sure I don't miss those and we'll figure out the rest.” [27:40]
[29:50]
Quote:
“Mobile license plate systems dramatically widen surveillance coverage compared to fixed cameras. Privacy advocates say the technology risks normalizing mass tracking under the banner of public safety, a familiar pattern in the post-9/11 surveillance era. The surveillance on the bus goes round and round.” [31:21]
This episode underscores the urgent need for the military and businesses to evolve cyber practices at “cyber speed.” From the exposure of US military personnel via commercial data, to high-impact breaches and next-generation malware tactics, the threat landscape is quickly changing. Crisis management expert Courtney Gus stresses the need for organizations to move beyond compliance-based planning toward dynamic, resilient crisis response. The episode closes with a powerful warning about the normalization of mass surveillance under the guise of public safety.
For more stories and links, visit thecyberwire.com.