Transcript
A (0:02)
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor, Arcova. Formerly Morgan Franklin Cyber, Arcova is a global cybersecurity and AI consulting firm built by practitioners who've been in the seat. They work directly with enterprise teams to solve complex security challenges, building secure-by-design programs that hold up as technology and threats evolve. From focused engagements to long-term partnership, Arcova delivers outcomes that endure, because no one should navigate complexity alone. Learn why leading global enterprises trust Arcova at www.arcova.com. That's A-R-C-O-V-A dot com.
B (1:08)
Iranian-linked hackers warn of possible irreparable attacks on US water systems. CISA pushes urgent fixes for a critical Citrix flaw. The Dutch Finance Ministry takes systems offline after a breach. The Space Force may scrap next-gen GPS control software. Attackers exploit a Fortinet server bug. Lloyds exposes customer transaction data. AI and regulation reshape cyber careers. The FTC settles with a dating app over data sharing. Our guest is Sam Rubin, senior vice president from Palo Alto Networks' Unit 42 Consulting and Threat Intelligence team. We're discussing Iran's shift to identity weaponization. And Wikipedia wrestles with a wayward writer. It's March 31, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great, as always, to have you with us. Warnings from Iranian-linked hacking groups about possible irreparable damage to US water systems are heightening concern across the federal cybersecurity community, officials and researchers say. Pro-Iranian groups are signaling potential retaliation against critical infrastructure if geopolitical tensions escalate. Experts warn some actors may already be pre-positioned inside networks, enabling faster disruption if activated. Named groups, including APT42, MuddyWater, CyberAv3ngers, and Handala, have demonstrated capabilities spanning espionage and destructive activity. At the same time, Dragos reports a surge in hacktivist claims tied to Iranian actors, though some appear exaggerated or recycled from earlier compromises. Water utilities remain especially exposed due to aging infrastructure, limited cybersecurity resources, and uneven adoption of baseline protections. Iranian actors often prioritize disruption over financial gain, increasing operational risk to utilities, while federal support capacity may be strained, leaving smaller organizations more vulnerable to opportunistic intrusion and activation during escalation.
CISA has ordered federal agencies to patch a critical Citrix NetScaler vulnerability by Thursday after responders reported active exploitation over the weekend. The flaw affects NetScaler Application Delivery Controller and NetScaler Gateway systems, which manage traffic and authentication at network entry points. The vulnerability allows unauthenticated attackers to read sensitive memory. Researchers at watchTowr say the issue resembles earlier CitrixBleed-style access vulnerabilities widely used for initial compromise. NetScaler devices sit at enterprise front doors, so exploitation can expose credentials and accelerate broader intrusion across government environments. The Dutch Ministry of Finance took parts of its infrastructure offline after detecting unauthorized access to internal systems, affecting policy department operations. The breach was identified March 19 following a third-party alert and affected systems supporting primary internal processes used by some employees. Authorities say tax, customs, and benefits services for citizens and businesses remain unaffected. As a precaution, the ministry also disabled its treasury banking portal, limiting digital access for about 1,600 public institutions, though funds remain available and payments continue through normal channels. Investigations involve national cybersecurity authorities, police, forensic specialists, and the Data Protection Authority. The temporary shutdown of financial infrastructure highlights how containment steps can disrupt government operations even when core public services remain stable. The U.S. Space Force is weighing whether to cancel its long-delayed GPS Next Generation Operational Control System, despite formally accepting the software just last year. OCX is designed to command more than 30 GPS satellites and enable jam-resistant military signals, known as M-code. RTX first won the contract in 2010 with a projected 2016 delivery and $3.7 billion cost.
Officials now place the effort near $8 billion. Lawmakers heard recently that testing uncovered unresolved issues across multiple subsystems, and the ground segment remains non-operational nine months after delivery. The Space Force is now considering continued upgrades to its legacy control system as an alternative. GPS is a high-value target for jamming and spoofing, and delays to modernization could slow deployment of more resilient navigation capabilities for military operations. Threat actors are actively exploiting a critical Fortinet FortiClient Endpoint Management Server vulnerability that allows unauthenticated remote access to sensitive systems. The flaw is a SQL injection issue affecting FortiClient EMS. Attackers can send crafted HTTP requests to extract database data or execute commands without authentication. Researchers say the exposed endpoint can reveal administrator credentials, endpoint inventories, certificates, and security policies. Bishop Fox previously warned the bug was practical to exploit, and proof-of-concept code is now public. Defused Cyber reports exploitation activity lasting at least four days, while Shadowserver tracks more than 2,000 Internet-accessible EMS instances. FortiClient EMS centrally manages endpoint security, so compromise could provide attackers broad visibility and control across enterprise environments. A software defect at Lloyds Banking Group exposed transaction data belonging to over 447,000 customers during a mobile banking system update. The March 12 incident briefly allowed some users of the Lloyds, Halifax, and Bank of Scotland apps to view other customers' transactions, including account details and National Insurance numbers. Lloyds reported the breach to UK regulators and paid 139,000 pounds in compensation to affected customers, saying there's no evidence of fraud linked to the exposure.
Even brief visibility into financial data can erode trust in digital banking platforms as reliance on mobile services increases. New workforce data presented at RSAC suggests artificial intelligence and regulatory mandates are rapidly reshaping cybersecurity hiring, roles, and career pathways across the industry. Researchers from SANS report AI is improving efficiency rather than eliminating jobs, with nearly half of organizations reducing manual analysis time and automating workflows. Still, entry-level roles such as security operations center analysts and incident responders are seeing reductions, while new positions in AI and machine learning security are expanding quickly. At the same time, regulatory requirements now influence hiring at 95% of organizations, up sharply year over year, with frameworks like NIS2, CMMC, and DORA driving new specialist roles. The report also finds 27% of organizations experienced breaches tied directly to workforce capability gaps. The cybersecurity challenge is shifting from headcount shortages to skills readiness, creating long-term risks for talent development and operational resilience. The Federal Trade Commission has reached a settlement with OkCupid and Match Group Americas over allegations the dating app shared user data with an unauthorized third party despite privacy promises. According to the FTC, OkCupid provided nearly 3 million user photos, along with location and other personal information, to a third party that was not a service provider, partner, or affiliate, and did not offer users an opportunity to opt out. The agency also alleges the companies concealed the sharing and obstructed aspects of the investigation. Under the settlement, the firms are permanently banned from misrepresenting how they collect, use, or disclose personal data. Enforcement actions tied to privacy representations signal regulators are scrutinizing gaps between stated policies and actual data sharing practices.
Last week's CyberWire Pro Business Breakdown highlights nearly $795 million raised across 12 investments, alongside four acquisitions. For investments, Cloaked, a US-based consumer privacy company, raised $375 million in a Series B round. With the new funding, Cloaked aims to expand its product, sales, and engineering teams, alongside preparing for expansion. Previously, the company had raised $25 million in its 2022 Series A. Additionally, Israeli non-human identity access governance firm Oasis Security raised $120 million in a Series B round. Oasis plans to use this funding to expand its R&D capabilities for its agentic access management platform. Additionally, the company is looking to scale its global sales and go-to-market operations. For acquisitions, Australian cybersecurity consultant InfoTrust acquired Catalyst Cyber, an Australian IT services company, for $5 million. By acquiring Catalyst, InfoTrust is looking to gain immediate access to the federal government cybersecurity market. And that wraps up this week's Business Breakdown. For deeper analysis on major business moves shaping the cybersecurity landscape, subscribe to N2K Pro and check out TheCyberWire.com every Wednesday for the latest updates. Coming up after the break, my conversation with Sam Rubin from Palo Alto Networks' Unit 42. We're discussing Iran's shift to identity weaponization. And Wikipedia wrestles with a wayward writer. Stay with us. Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel: outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result? Fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire. At last week's RSAC conference, I sat down with Sam Rubin, Senior Vice President with Palo Alto Networks' Unit 42 Consulting and Threat Intelligence group. In today's sponsored Industry Voices conversation, we discuss Iran's shift to identity weaponization.
