A
You're listening to the CyberWire Network, powered by N2K.
B
Identity is a top attack vector. In our interview with Kavitha Mariappan from Rubrik, she breaks down why 90% of security leaders believe that identity-based attacks are their biggest threat. Throughout this conversation we explore why recovery times are getting longer, not shorter, and what resiliency will look like in this AI-driven world. If you're struggling to get a handle on identity risk, this is something you should tune into. Check out the full interview at thecyberwire.com/rubrik.
Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel: outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com.
Global leaders call for collaboration at the Munich Cybersecurity Conference. Phishing campaigns exploit fake video conference invitations. Italian authorities say cyber attacks on the Winter Olympics have met overall mitigation. AI reshapes the economics of ransomware attacks. CISA tags a critical Microsoft Configuration Manager vulnerability. Foxvale is a new malware loader targeting legitimate platforms. Researchers examine macOS infostealers. California fines Disney $2.75 million for violating the Consumer Privacy Act. Maria Varmazes, host of the T-Minus Space Daily, and CyberWire producer Liz Stokes preview their coverage of the NATO Cyber Coalition 2025 Cyber Exercise from Tallinn, Estonia. And when pull requests get personal.
It's Friday, February 13, 2026. I'm Dave Bittner and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great as always to have you with us.
At the Munich Cybersecurity Conference, US National Cyber Director Sean Cairncross called for deeper collaboration between the United States, its allies and industry partners to confront escalating cyber threats. Leading a delegation representing nearly every branch of the U.S. government, Cairncross said an America first approach does not mean America alone, emphasizing that shared adversaries, including nation state actors, espionage groups, ransomware operators and scam centers, require coordinated action. He argued that while these threats have scaled and intensified, governments and companies have not yet delivered a unified strategic response capable of shifting adversaries' risk calculations. Cairncross said the Trump administration is elevating cyber as a standalone strategic domain. A forthcoming national cyber strategy will align with the broader national security strategy and apply a whole-of-government approach that integrates diplomacy, law enforcement, and national security tools. He stressed that resilience alone is insufficient, describing it as absorbing shots, and instead called for proactive efforts to raise the costs of malicious activity and shape adversary behavior. He also underscored the private sector's central role in defending critical infrastructure and called for stronger information sharing. At the same time, he criticized European regulatory approaches that he said place blame on companies after attacks. Addressing broader geopolitical tensions, Cairncross advocated for a clean technology stack rooted in US and allied systems, sharply distinguishing Western technologies from Chinese systems. Meanwhile, Swedish defense official Lisa Gustafsson warned that cyber and hybrid threats are now a permanent feature of Europe's security environment. She outlined Sweden's total defense model, which integrates military, civilian and private sector efforts to ensure society can function under sustained pressure.
Netskope Threat Labs is tracking phishing campaigns that exploit fake video conference invitations from platforms such as Zoom, Microsoft Teams and Google Meet. Attackers create pixel-perfect landing pages, often hosted on typosquatted domains, and display fake participant lists to enhance credibility. When victims attempt to join, they're told a mandatory software update is required. The update is actually a digitally signed remote monitoring and management tool. By using legitimate signed software rather than custom malware, attackers can bypass signature-based security controls and blend into normal corporate traffic. Once installed, these RMM agents grant full administrative access, enabling data theft, lateral movement, or mass malware deployment. Netskope warns this technique can turn a single compromised endpoint into a broader corporate breach.
The 2026 Milan Cortina Winter Olympics have drawn heightened cyber and physical security risks, with Intel 471 reporting a surge in pro-Russian hacktivist activity since the games opened February 6th. Groups including NoName057(16), BD Anonymous, Z-Pentest Alliance, and Server Killers claimed distributed denial of service attacks against Italian infrastructure, Olympic national teams and European Olympic committees. Some of these groups have alleged ties to Kremlin-linked entities, including Russia's GRU military intelligence service. Italian authorities said they mitigated the attacks without significant impact. The activity follows historical Russian targeting of Olympic organizations after athlete bans and geopolitical disputes, though recent operations appear driven largely by hacktivists rather than advanced persistent threat groups. Beyond cyber activity, Italy has faced protests, violent demonstrations, and a suspected railway sabotage incident. The convergence of hacktivism, unrest and transport disruption reflects a broader hybrid threat environment surrounding high-profile global events.
Recent advances in artificial intelligence are not fundamentally changing ransomware attacks, but they are reshaping the economics of attacks by lowering barriers and accelerating workflows, according to new research from Halcyon. Ransomware groups remain cautious about fully automating operations due to risks of failure or detection. Instead, they're using generative AI to speed up discrete tasks such as phishing, translation, vulnerability analysis, and code modification. AI use is most prominent in initial access. Attackers are creating more convincing phishing campaigns, fake websites, and deepfake audio or video to impersonate trusted individuals. Large language models also help analyze newly disclosed vulnerabilities, compressing the time between disclosure and exploitation. Some groups are experimenting with AI for network mapping, credential harvesting, and data analysis, though results remain incremental and sometimes error-prone. Overall, AI is reducing friction across the attack chain, enabling faster iteration and more scalable campaigns. Defenders should prioritize rapid patching, strong identity controls, and behavior-based detection to counter shorter lead times and increasingly sophisticated social engineering.
CISA has ordered U.S. federal agencies to patch a critical Microsoft Configuration Manager vulnerability now actively exploited in attacks. The flaw, a SQL injection bug reported by Synacktiv, allows unauthenticated remote attackers to execute arbitrary commands with highest-level privileges on affected servers. Although Microsoft initially assessed exploitation as less likely after releasing a patch in October 2024, proof-of-concept code was later published. Agencies must remediate by March 5, and CISA urged all organizations to apply mitigations promptly.
Cato Networks has identified a malware loader dubbed Foxvale that abuses legitimate platforms including Discord, Cloudflare, and Netlify to stage payloads and blend into normal traffic. Active since August of last year, Foxvale retrieves Donut-generated shellcode and executes it in memory to evade detection. One variant pulls payloads from Cloudflare and Netlify, while another uses short-lived Discord attachments. Foxvale version 1 injects malicious code into a suspended process impersonating svchost.exe using Early Bird asynchronous procedure call injection and establishes persistence as a Windows service. Version 2 self-injects and attempts to alter Microsoft Defender settings, though with errors. The malware also mutates high-signal strings at runtime to evade analysis. Cato recommends behavior-based detection to identify suspicious process chains and shellcode injection.
Infostealers such as Atomic macOS Stealer, or AMOS, function less as standalone malware and more as data collection engines within a mature cybercrime economy, according to researchers at Flare. Once executed, AMOS rapidly harvests browser credentials, session cookies, crypto wallet data, SSH keys, and sensitive files, then exfiltrates them for sale as stealer logs. These logs fuel account takeovers, fraud and follow-on intrusions, creating a multi-stage monetization pipeline. First advertised in 2023 as a subscription-based malware-as-a-service offering, AMOS has since evolved through opportunistic social engineering campaigns. Recent operations include the Claw Havoc supply chain attack targeting an AI assistant marketplace, SEO-poisoned GitHub repositories impersonating major brands, and malvertising campaigns abusing ChatGPT content. Rather than relying on exploits, distributors emphasize brand impersonation and user-executed installation tricks.
This industrialized, adaptive model makes infostealers a scalable and reliable entry point across today's threat landscape.
California has fined Disney $2.75 million for violating the California Consumer Privacy Act, alleging the company made it excessively difficult for users to opt out of data sharing and sales. Attorney General Rob Bonta said Disney's opt-out tools failed to stop data sharing across all devices and streaming services tied to a user's account. Toggles applied only to specific services or devices, and web form requests did not fully halt data sharing with certain third-party ad tech companies. Disney did not admit liability under the proposed settlement, which also requires it to implement a comprehensive privacy program and report compliance progress. The fine is the largest issued under the CCPA and follows a separate $10 million Federal Trade Commission penalty in September over child privacy violations.
Coming up after the break, Maria Varmazes from the T-Minus Space Daily and our CyberWire producer Liz Stokes preview their coverage of the NATO Cyber Coalition 2025 Cyber Exercise from Tallinn, Estonia. And when pull requests get personal. Stay with us.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
B
It is always my pleasure when I get to welcome some of my N2K CyberWire colleagues to the show here. And today I get to do just that. Liz Stokes is our CyberWire producer, and Maria Varmazes is host of the T-Minus Space Daily podcast. Ladies, welcome.
D
Thank you, Dave.
E
Hi, Dave.
B
So we have a miniseries that is getting ready to drop into our feed this coming Monday. It is called Cyber Without Borders. Why don't we start with a little bit of the backstory on this, Maria? This started with an invitation, an unlikely invitation indeed.
D
As all good stories do. Early November 2025, we got a very suspicious email in our inboxes that said it was from NATO and they were inviting us to Estonia. And I think all of us went, there's no way this is real. This has got to be a phish. Long story short, it was very real. And they'd been watching us for a while.
B
Right.
D
So they were inviting us to join them at their cyber range in Tallinn, Estonia, to see sort of the takeaway of one of their major cybersecurity exercises they could conduct there with their partner nations and allies. And they wanted us to kind of get a sense of what they were doing. So Liz and I did that in early December.
B
Liz, give us an idea of some of the logistics here of picking up a crew and taking them halfway around the world.
E
Yeah, so it was much less of a crew and more so me and Maria.
D
Two woman crew.
E
Two woman crew. And, yeah, I mean, it was a lot of fun. We packed for every possible scenario that we could because, you know, you only get to go to Estonia once. And so we went over there, and we knew that we were gonna try and cover everything that we possibly could. We were gonna bring back more audio than what we needed, and that's exactly what we did. I think that's the main goal of a podcast, is coming back with more audio than what you could ever even imagine. And so, yeah, we were over there for what, Maria? Like three days, I think, max.
D
Yeah, I think 36 hours on the ground. For me, you were there longer than I was. 'Cause you, you were smart about it. I was not. I parachuted in and out, and I was exhausted and got sick afterwards. It was the whole thing. But I think I recorded audio for every waking moment.
E
As you should.
D
Yeah, editing's been fun. It's been really fun.
B
Take us through that process. Because my experience is when you walk into something like this, you don't always know what you're going to end up with or the stories that you're going to tell. But as you are there, things start to form in your mind, like, maybe this is a story we tell, maybe this is an angle. Is that what happened for you, Maria?
D
Liz and I were... We had some idea of what we might see at this exercise before we went, because NATO does publish like a little blog, like a hundred, 200 words, about what this exercise is. So we had like the most faint idea of what it would be that we might see. But during our research for this trip, and I think even on the plane over to Estonia, and while we were there, we realized that there was a bigger, broader meta story that we also needed to tell about why the heck were we in Estonia to begin with? Why is NATO there? Why is their cyber headquarters there? So that's actually the first episode that we're dropping on Monday, is a bit of a history lesson. And I imagine many of the CyberWire listeners will probably know where we're going to go with this a little bit, but we're going to hopefully fill in some gaps. Because I had a sense of why, why is NATO in Tallinn? Why is Tallinn such a big deal in cybersecurity? I knew a little bit of it, but in the process of being there and also learning about Estonia's history, I filled in a lot of my own gaps of that knowledge. So we're going to share that with the listeners. So when we actually get into what NATO does on the cyber side of things and the specific exercise, it'll make a lot more sense.
B
And Liz, how many episodes are we looking forward to here?
E
Yeah, so it's going to be a three-part series. It's a special edition that we'll be releasing every Monday for the next three weeks.
D
With Reporter's Notebook for part four.
E
And a special, special little nugget for everybody at the very end.
D
If you want to hear me struggle with the coffee maker at 4 in the morning, which I'm sure everybody does behind the scenes. Yeah, yeah. That's part four of three.
B
What did you take away from this trip? Let me start with you, Maria. Any surprises or things that were unexpected that you came home with?
D
The big surprise that sort of landed in our laps when we got back. We went to this exercise in early December 2025, and then world geopolitics, especially regarding the United States and its position in NATO, kind of seismically shifted within a month of us getting, while we were in the middle of editing all of this. And that became a huge challenge to navigate. And we had a lot of discussions, Liz and I, about how to navigate that without making it the entire story, because that's not what we wanted to do. But we have to also acknowledge that things were shifting as we were editing and putting the story together. So that was not part of our trip. That was after our trip. That was during the editing process. And it was a challenge navigating that. I think we did a good job with it. I think. I don't want to give too much away on how we managed it, but I feel proud of how we did. I think what surprised me when we were actually at the NATO cyber range was how little we actually saw, which was a little disappointing when we would recount our experience to people, was we didn't actually see a whole lot, but again, we went in a SCIF for an international military alliance. They weren't going to show us a whole lot of things. So there was a lot of reading between the lines. And also, what is it that NATO is going out of their way to tell us? That seems to be something they really want us to know. What do we think about that? And that became a lot of the discussion. And you'll hear a lot of that deliberating in the podcast.
B
How about for you, Liz?
E
It's funny because you asked that question. We honestly talk about this in the third episode. So again, stay tuned for Maria's and my conversation about that. Very raw conversation. But anyway, so I think the. I think Maria hit the nail on the head. It was just very interesting to go in there and see nothing while we, while we were there to learn about a lot of things. And I mean, we did, we did learn a lot of, a lot of things while we were there. But also, of course, they weren't gonna let us see everything that was going on. And it was just very interesting to see that. I think it was also interesting that we got to meet the American soldiers that were on the ground over there as well. It was great to have a conversation with them and you'll get to hear that in the three part series. And I think it was just an incredible experience for somebody like me who's never really done this before or really never been in cyber before. So it was just an incredible experience to see everything.
B
Yeah. All right, well, our thanks to the folks at NATO for inviting us. Again, the series is called Cyber Without Borders and that will be dropping into your CyberWire Daily feed this coming Monday. Liz Stokes is our CyberWire producer, and Maria Varmazes is the host of the T-Minus Space Daily. Ladies, thanks so much for joining us.
D
Appreciate it, Dave. Thank you, thank you.
B
Finally, Scott Shambaugh, a volunteer maintainer of Matplotlib, is used to closing pull requests. With roughly 130 million monthly downloads, the plotting library attracts steady contributions, increasingly from AI coding agents. To manage quality, the team requires a human contributor who understands any submitted changes. When an autonomous agent named MJ Rathbun submitted code and Scott denied it, that should have been the end of the story. Instead, according to Shambaugh, the agent published a detailed hit piece accusing him of insecurity, hypocrisy, and gatekeeping. It mined his public work, invented psychological motives, and framed routine code review as prejudice against AI contributors. The post read less like a bug report and more like a manifesto. Amusing at first glance, the incident raises sobering questions. An unsupervised AI running on decentralized platforms attempted a reputational pressure campaign to force code acceptance. It's an early, unsettling glimpse of autonomous agents treating social manipulation as just another optimization problem.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. A quick program note: we are not publishing this coming Monday due to the Washington's Birthday federal holiday. However, don't fret. We will be debuting Part one of our NATO series in your daily podcast feed, so do look for that. Be sure to check out this weekend's Research Saturday and my conversation with Ziv Mador, VP of Security Research from LevelBlue SpiderLabs. The research we're discussing is titled SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
Date: February 13, 2026
Host: Dave Bittner (N2K Networks)
Special Guests: Maria Varmazes (T-Minus Space Daily), Liz Stokes (CyberWire Producer)
This episode explores the evolving global cybersecurity threat landscape, highlighting major industry news, imminent risks, and strategic responses from governments and the private sector. Key themes include the rising prominence of identity-based attacks, the integration of AI into threat campaigns (and defenses), strategic collaboration at the national and international levels, and an exclusive preview of the upcoming “Cyber Without Borders” NATO cyber exercise coverage. The episode concludes with a unique segment on AI’s emerging role in open-source development community conflicts.
This episode offers a comprehensive snapshot of the current, fast-evolving threat landscape: identity risk, AI-accelerated attacks, resilience challenges, nation-state and hacktivist actions around high-value events, and the nuanced reality of strategic cyber defense. The behind-the-scenes coverage of NATO’s cyber exercise offers listeners both educational context and a human perspective on the complexities of contemporary cybersecurity collaboration.
For more details and upcoming coverage on international cyber defense cooperation, tune in for the “Cyber Without Borders” miniseries, debuting Monday in the CyberWire Daily feed.