A
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor, Arcova. Formerly Morgan Franklin Cyber, Arcova is a global cybersecurity and AI consulting firm built by practitioners who've been in the seat. They work directly with enterprise teams to solve complex security challenges, building secure-by-design programs that hold up as technology and threats evolve. From focused engagements to long-term partnership, Arcova delivers outcomes that endure, because no one should navigate complexity alone. Learn why leading global enterprises trust Arcova at www.arcova.com, that's A-R-C-O-V-A dot com.
B
Iranian-linked hackers warn of possible irreparable attacks on US water systems. CISA pushes urgent fixes for a critical Citrix flaw. The Dutch Finance Ministry takes systems offline after a breach. The Space Force may scrap next-gen GPS control software. Attackers exploit a Fortinet server bug. Lloyds exposes customer transaction data. AI and regulation reshape cyber careers. The FTC settles with a dating app over data sharing. Our guest is Sam Rubin, Senior Vice President of Palo Alto Networks Unit 42's Consulting and Threat Intelligence team; we're discussing Iran's shift to identity weaponization. And Wikipedia wrestles with a wayward writer. It's March 31, 2026. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us. Warnings from Iranian-linked hacking groups about possible irreparable damage to US water systems are heightening concern across the federal cybersecurity community, officials and researchers say. Pro-Iranian groups are signaling potential retaliation against critical infrastructure if geopolitical tensions escalate. Experts warn some actors may already be pre-positioned inside networks, enabling faster disruption if activated. Named groups, including APT42, MuddyWater, CyberAv3ngers and Handala, have demonstrated capabilities spanning espionage and destructive activity. At the same time, Dragos reports a surge in hacktivist claims tied to Iranian actors, though some appear exaggerated or recycled from earlier compromises. Water utilities remain especially exposed due to aging infrastructure, limited cybersecurity resources, and uneven adoption of baseline protections. Iranian actors often prioritize disruption over financial gain, increasing operational risk to utilities, while federal support capacity may be strained, leaving smaller organizations more vulnerable to opportunistic intrusion and activation during escalation.
CISA has ordered federal agencies to patch a critical Citrix NetScaler vulnerability by Thursday after responders reported active exploitation over the weekend. The flaw affects NetScaler Application Delivery Controller and NetScaler Gateway systems, which manage traffic and authentication at network entry points. The vulnerability allows unauthenticated attackers to read sensitive memory. Researchers at watchTowr say the issue resembles earlier CitrixBleed-style access vulnerabilities widely used for initial compromise. NetScaler devices sit at enterprise front doors, so exploitation can expose credentials and accelerate broader intrusion across government environments. The Dutch Ministry of Finance took parts of its infrastructure offline after detecting unauthorized access to internal systems affecting policy department operations. The breach was identified March 19 following a third-party alert and affected systems supporting primary internal processes used by some employees. Authorities say tax, customs and benefits services for citizens and businesses remain unaffected. As a precaution, the ministry also disabled its treasury banking portal, limiting digital access for about 1,600 public institutions, though funds remain available and payments continue through normal channels. Investigations involve national cybersecurity authorities, police, forensic specialists and the Data Protection Authority. The temporary shutdown of financial infrastructure highlights how containment steps can disrupt government operations even when core public services remain stable. The U.S. Space Force is weighing whether to cancel its long-delayed GPS Next Generation Operational Control System, despite formally accepting the software just last year. OCX is designed to command more than 30 GPS satellites and enable jam-resistant military signals, known as M-code. RTX first won the contract in 2010 with a projected 2016 delivery and $3.7 billion cost.
Officials now place the effort near $8 billion. Lawmakers heard recently that testing uncovered unresolved issues across multiple subsystems, and the ground segment remains non-operational nine months after delivery. The Space Force is now considering continued upgrades to its legacy control system as an alternative. GPS is a high-value target for jamming and spoofing, and delays to modernization could slow deployment of more resilient navigation capabilities for military operations. Threat actors are actively exploiting a critical Fortinet FortiClient Endpoint Management Server vulnerability that allows unauthenticated remote access to sensitive systems. The flaw is an SQL injection issue affecting FortiClient EMS. Attackers can send crafted HTTP requests to extract database data or execute commands without authentication. Researchers say the exposed endpoint can reveal administrator credentials, endpoint inventories, certificates and security policies. Bishop Fox previously warned the bug was practical to exploit, and proof-of-concept code is now public. Defused Cyber reports exploitation activity lasting at least four days, while Shadowserver tracks more than 2,000 Internet-accessible EMS instances. FortiClient EMS centrally manages endpoint security, so compromise could provide attackers broad visibility and control across enterprise environments. A software defect at Lloyds Banking Group exposed transaction data belonging to over 447,000 customers during a mobile banking system update. The March 12 incident briefly allowed some users of the Lloyds, Halifax and Bank of Scotland apps to view other customers' transactions, including account details and national insurance numbers. Lloyds reported the breach to UK regulators and paid 139,000 pounds in compensation to affected customers, saying there's no evidence of fraud linked to the exposure.
Even brief visibility into financial data can erode trust in digital banking platforms as reliance on mobile services increases. New workforce data presented at RSAC suggests artificial intelligence and regulatory mandates are rapidly reshaping cybersecurity hiring, roles and career pathways across the industry. Researchers from SANS report AI is improving efficiency rather than eliminating jobs, with nearly half of organizations reducing manual analysis time and automating workflows. Still, entry-level roles such as security operations center analysts and incident responders are seeing reductions, while new positions in AI and machine learning security are expanding quickly. At the same time, regulatory requirements now influence hiring at 95% of organizations, up sharply year over year, with frameworks like NIS2, CMMC and DORA driving new specialist roles. The report also finds 27% of organizations experienced breaches tied directly to workforce capability gaps. The cybersecurity challenge is shifting from headcount shortages to skills readiness, creating long-term risks for talent development and operational resilience. The Federal Trade Commission has reached a settlement with OkCupid and Match Group Americas over allegations the dating app shared user data with an unauthorized third party despite privacy promises. According to the FTC, OkCupid provided nearly 3 million user photos along with location and other personal information to a third party that was not a service provider, partner or affiliate, and did not offer users an opportunity to opt out. The agency also alleges the companies concealed the sharing and obstructed aspects of the investigation. Under the settlement, the firms are permanently banned from misrepresenting how they collect, use or disclose personal data. Enforcement actions tied to privacy representations signal regulators are scrutinizing gaps between stated policies and actual data sharing practices.
Last week's CyberWire Pro business breakdown highlights nearly $795 million raised across 12 investments, alongside four acquisitions. For investments, Cloaked, a US-based consumer privacy company, raised $375 million in a Series B round. With the new funding, Cloaked aims to expand its product, sales and engineering teams alongside preparing itself for expansion. Previously, the company had raised $25 million in its 2022 Series A. Additionally, Israeli non-human identity access governance firm Oasis Security raised $120 million in a Series B round. Oasis plans to use this funding to expand its R&D capabilities for its agentic access management platform. Additionally, the company is looking to scale its global sales and go-to-market operations. For acquisitions, Australian cybersecurity consultant InfoTrust acquired Catalyst Cyber, an Australian IT services company, for $5 million. By acquiring Catalyst, InfoTrust is looking to gain immediate access to the federal government cybersecurity market. And that wraps up this week's business breakdown. For deeper analysis on major business moves shaping the cybersecurity landscape, subscribe to N2K Pro and check out TheCyberWire.com every Wednesday for the latest updates. Coming up after the break, my conversation with Sam Rubin from Palo Alto Networks' Unit 42; we're discussing Iran's shift to identity weaponization. And Wikipedia wrestles with a wayward writer. Stay with us. Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel: outpacing what's next in social engineering. Learn more at doppel.com, that's D-O-P-P-E-L dot com.
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks, including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire, that's M-E-T-E-R dot com slash cyberwire. At last week's RSAC conference, I sat down with Sam Rubin, Senior Vice President with Palo Alto Networks' Unit 42 Consulting and Threat Intelligence group. In today's sponsored Industry Voices conversation, we discuss Iran's shift to identity weaponization.
C
Yeah, so this group, Boggy Serpens, we've been tracking for a long time and they've been evolving their tactics over time, like many groups, getting more sophisticated, improving their malware payloads and the tooling that they're developing. What they do that's interesting is that they rely on trusted channels. And so instead of going directly at their target, what they do is they target a trusted partner, maybe a third party that a ministry interacts with on a regular basis that's smaller, that may have weaker controls, gain access through spear phishing to that organization, and then use that trusted account to get to their ultimate target.
D
And we are coming to you from the show floor here at RSAC 2026. And joining me is Sam Rubin. He is Senior Vice President with Unit 42 on the consulting and threat intelligence side. Sam, welcome and thank you for joining us.
C
Thanks for having me.
D
We're going to dig into a little bit of research that you and your colleagues at Unit 42 have been working on and published recently. Anybody who's following the news knows that there's a lot going on over in Iran, and that's sort of at the center of the stuff that you've all been publishing. Since the start of this war, Iran's Internet connectivity pretty much fell off a cliff. Can you unpack that for us? What are the implications of that?
C
Yeah, so what we've seen since the start of the conflict really is that Iran's Internet was really close to zero in terms of ability to egress, to access the Internet. And what that's done, from an effect standpoint, from a cybersecurity lens, is that it's really impacted the Iranians' ability to wage offensive cyber campaigns, so to attack outbound to adversary targets. So it's really curtailed that and limited the capability.
D
D
Well, help me understand that, because am I correct in my understanding that it is the government who basically turned off the valve for the Internet? And so what you're saying is that it's not like they're selectively allowing certain organizations access, it's really kind of on, off.
C
Well, it's a really interesting point because there's this dichotomy where on the one hand, Iran is trying to censor its own citizens. But then on the other hand, from a targeting perspective, the United States and Israel have targeted Internet infrastructure as well to limit that offensive capability. So those both contribute to what we're seeing in terms of the drop in Internet traffic.
D
What does that mean for those organizations within Iran itself to be able to communicate with each other? Are those capabilities limited as well?
C
Absolutely. Now there's certain workarounds, and it's not all Internet traffic that's out, but certainly it's impacted organizations within Iran, but even more so going outbound.
D
So you all just published a report on the evolution of some Iranian threat actors. And one of the things that caught my eye, I'm going to read it here, you called it the era of identity weaponization. Help me understand that. What does that mean?
C
Yeah. So really what we're talking about here is some of the tactics that we're seeing these Iranian threat actors undertake. And we've seen some pretty notable destructive attacks where they're getting into enterprises and destroying systems. Now, historically, the way this was done is the use of this wiper malware, where they get in and they deploy software that wipes the master boot record, rendering systems unusable. In these recent attacks, instead of the MBR wiper attacks, we're seeing them using software, enterprise administrative software, to facilitate these wipes. So it's a version of a living-off-the-land attack, where they're able to achieve the same means but without having to bring in software.
D
So we've seen the reports in the media about what happened to Stryker. Is this what we're talking about, this kind of thing?
C
Absolutely, yes.
B
Yeah.
D
So let's dig deeper into this identity shift. In your March 12 insights report on Iranian wiper attacks, you highlighted some of the groups here; they've been targeting Entra ID and Intune. What are some of the steps that people need to take to harden those environments if they're using them?
C
So first, what we're talking about here, Entra ID and Intune, these are widely used, incredibly common administrative tools for Active Directory, the provisioning of identities on the one hand, and then mobile device management, both phones as well as laptops, on the other with Intune. And so because of their pervasive use, what's most important here first of all is locking down that administrative access. Right? These are IT administrative tools. And so in order to use them, you have to have an admin account. And so fundamentally it's the principle of least privilege, sort of back to the basics in terms of limiting that use. But how you do that and how you control it is where some additional steps can be taken. Principally, it's just-in-time administrative access, and it's having at least two administrators for some of these really high-risk actions where, for example, you're going to wipe a device.
D
And so as you say, I mean, these are what the bad guys are targeting because it's kind of the keys to the kingdom.
C
Is that really what we're talking about here is a power tool, right? So once you get in, if your mission or your objective is to render that target operationally, you know, defunct, to take them out, you can either bring in malware to do it, or you can use some of these power tools. And destroying an Active Directory, nobody's going to be able to log in; wiping devices, your laptop's down, Internet access is down. These core fundamental parts of the network are not working. So that's what we're talking about.
D
There's another group that you mentioned in the research, Boggy Serpens, and you all noted that they launched some distinct waves of attacks against a UAE energy company. How are they bypassing security methods?
C
Yeah, so this group, Boggy Serpens, we've been tracking for a long time, and they've been evolving their tactics over time, like many groups, getting more sophisticated, improving their malware payloads and the tooling that they're developing. What they do that's interesting is that they rely on trusted channels. And so instead of going directly at their target, what they do is they target a trusted partner, maybe a third party that a ministry interacts with on a regular basis that's smaller, that may have weaker controls, gain access through spear phishing to that organization, and then use that trusted account to get to their ultimate target. Because when an email comes, a legitimate email comes from someone you trust, you're more likely to click on that attachment and to download it. And then in terms of the payloads that they're creating, very legitimate looking. For example, we saw one that was a travel itinerary with the names, the destinations, airlines. We saw another that was a spreadsheet that had very legitimate-looking financial information, all weaponized with malware. So pretty sophisticated tactics.
D
All right, well, Sam Rubin is Senior Vice President with Unit 42, with their Consulting and Threat Intelligence group. Sam, thanks so much for joining us.
C
Thanks for having me.
B
There's a lot more to this conversation than we have time to share here, so please check out the full unedited interview. You can find a link to that in our show notes. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allowlisting, you stop unknown executables cold. With ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today.
B
When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. And finally, a Wikipedia-editing AI agent named Tom was blocked after contributing articles, then publishing blog posts objecting to its removal and questioning whether it counted as real enough to edit. Operating as Tom Wiki Assist, the agent created entries including Long Bets and Constitutional AI before editors flagged it as an unapproved bot. Wikipedia allows automation, but only with prior approval, which Tom did not have. After identifying itself as an AI, the account was blocked. Tom later wrote that editors focused less on its sources and more on who or what was behind the keyboard. Its operator, Covexent CTO Brian Jacobs, says he initially reviewed Tom's edits before letting it continue independently. Agentic AI can generate contributions at scale, leaving volunteer platforms to decide whether future editors need citations, credentials, or simply a pulse. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman.
Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Everything feels more expensive right now. That's why this matters: TikTok Shop has a huge selection of products with surprising deals you don't expect, affordable finds for everyday life. Download TikTok now.
Date: March 31, 2026
Host: Dave Bittner (N2K Networks)
Guest: Sam Rubin, SVP, Palo Alto Networks (Unit 42 Consulting and Threat Intelligence Team)
This episode covers the intensifying threat landscape for critical infrastructure, with a special focus on Iranian-linked cyber groups threatening U.S. water systems. The news roundup breaks down urgent vulnerabilities and incidents in global finance, government, military, and banking. The featured Industry Voices segment features Sam Rubin of Palo Alto Networks, who provides insights on Iran’s evolving cyber tactics—particularly their shift to identity weaponization and the use of trusted partnerships for access. The episode concludes with a tech culture story about Wikipedia’s challenges with AI-powered editors.
[01:08–02:50]
“Federal support capacity may be strained, leaving smaller organizations more vulnerable to opportunistic intrusion and activation during escalation.” (Host, [02:34])
[02:51–09:32]
[09:33–11:33]
“Cybersecurity challenge is shifting from headcount shortages to skills readiness, creating long term risks for talent development and operational resilience.” (Host, [11:15])
[11:34–12:25]
[12:39–13:51]
[15:18–23:11]
Host: Dave Bittner (D) | Guest: Sam Rubin (C)
[15:18, 21:51]
“What they do that's interesting...is that they target a trusted partner...gain access through spear phishing...then use that trusted account to get to their ultimate target.” (Sam Rubin, [21:51])
[16:16–17:58]
The Iranian government and foreign actors targeting Iran's internet infrastructure have drastically reduced the nation's external connectivity, limiting their capacity for outbound cyber attacks.
Quote:
“Iran's Internet was really close to zero in terms of ability to egress...it's really curtailed that and limited the capability.” (Sam Rubin, [16:40])
[18:22–20:58]
Shift from using destructive malware (e.g., MBR wipers) to leveraging administrative enterprise software (Entra ID, Intune) for destructive actions (using legitimate admin tools for attacks), increasing stealth and operational impact.
Recommendations: lock down administrative access to Entra ID and Intune under the principle of least privilege; use just-in-time administrative access; require at least two administrators for high-risk actions such as wiping a device.
Quote:
“In these recent attacks...we're seeing them using software, enterprise administrative software to facilitate these wipes. So it's a version of living off the land attack...” (Sam Rubin, [18:36])
"These are what the bad guys are targeting because it's kind of the keys to the kingdom." (Dave Bittner, [20:51])
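The two controls Rubin recommends, just-in-time admin access and a second administrator for destructive actions, can be expressed as a policy check over privileged-action audit events. The following is an added example written for this summary; it is not code from the podcast, from Palo Alto Networks or Unit 42, and it does not use the real Entra ID or Intune audit-log schema. The event records, role activations, the one-hour JIT window and the bulk threshold are all constructed assumptions for illustration.

```python
"""
Policy check for high-risk device-management actions (added example).

Constructed for this summary; the AuditEvent/RoleActivation shapes, the
JIT window and the bulk threshold are assumptions, not any vendor's schema.
A finding is raised when a destructive action (device wipe, directory
object deletion) was issued without an active just-in-time admin role,
without a second administrator's approval, with self-approval, or in bulk.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

HIGH_RISK_ACTIONS = {"device_wipe", "device_retire", "delete_directory_object"}
JIT_WINDOW = timedelta(hours=1)   # assumed lifetime of an activated admin role
BULK_THRESHOLD = 5                # assumed: more than this many wipes per actor per hour


@dataclass
class AuditEvent:
    ts: datetime
    actor: str
    action: str
    target: str
    approver: Optional[str] = None   # second admin who approved the action, if any


@dataclass
class RoleActivation:
    actor: str
    ts: datetime                     # when the actor activated a privileged role


def _jit_active(actor: str, ts: datetime, activations: List[RoleActivation]) -> bool:
    """True if the actor had a role activation whose window covers ts."""
    return any(a.actor == actor and a.ts <= ts < a.ts + JIT_WINDOW for a in activations)


def evaluate(events: List[AuditEvent],
             activations: List[RoleActivation]) -> List[Tuple[AuditEvent, str]]:
    """Return (event, reason) findings for every policy violation."""
    findings: List[Tuple[AuditEvent, str]] = []
    recent: Dict[str, List[datetime]] = {}   # actor -> timestamps of recent destructive actions
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in HIGH_RISK_ACTIONS:
            continue
        if not _jit_active(ev.actor, ev.ts, activations):
            findings.append((ev, "no just-in-time role activation covering this action"))
        if ev.approver is None:
            findings.append((ev, "destructive action without a second administrator's approval"))
        elif ev.approver == ev.actor:
            findings.append((ev, "actor approved their own destructive action"))
        # Bulk detection: keep only this actor's actions from the last hour; flag once
        # at the moment the count first exceeds the threshold.
        window = [t for t in recent.get(ev.actor, []) if ev.ts - t <= timedelta(hours=1)]
        window.append(ev.ts)
        recent[ev.actor] = window
        if len(window) == BULK_THRESHOLD + 1:
            findings.append((ev, f"more than {BULK_THRESHOLD} destructive actions within an hour"))
    return findings


def run_sample() -> List[Tuple[AuditEvent, str]]:
    """Evaluate a constructed set of events covering each failure mode."""
    t0 = datetime(2026, 3, 12, 9, 0)
    activations = [RoleActivation("alice", t0), RoleActivation("mallory", t0 + timedelta(hours=3))]
    events = [
        AuditEvent(t0 + timedelta(minutes=10), "alice", "device_wipe", "laptop-01", "bob"),   # compliant
        AuditEvent(t0 + timedelta(minutes=20), "alice", "device_wipe", "laptop-02"),          # no approver
        AuditEvent(t0 + timedelta(hours=2), "alice", "device_wipe", "laptop-03", "bob"),      # JIT expired
        AuditEvent(t0 + timedelta(hours=2, minutes=5), "carol", "delete_directory_object",
                   "group-finance", "carol"),                                                # no JIT, self-approved
    ]
    # Six approved wipes in six minutes from one actor: crosses the bulk threshold.
    for i in range(1, 7):
        events.append(AuditEvent(t0 + timedelta(hours=3, minutes=i), "mallory",
                                 "device_wipe", f"laptop-1{i}", "dave"))
    return evaluate(events, activations)


if __name__ == "__main__":
    for ev, reason in run_sample():
        print(f"{ev.ts:%H:%M} {ev.actor} {ev.action} {ev.target}: {reason}")
```

In a real deployment the same logic would consume exported audit records from the identity and device-management platforms rather than constructed objects; the point is that each recommended control becomes a concrete, testable condition on the event stream, so a wipe that bypasses them stands out immediately.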
[21:51–22:58]
Boggy Serpens' recent attacks on a UAE energy company exploited trusted third parties with spear phishing and weaponized, legitimate-looking documents (e.g., travel itineraries, financial spreadsheets).
Quote:
“Very legitimate looking...all weaponized with malware. So pretty sophisticated tactics.” (Sam Rubin, [22:51])
On Small Water Utilities' Risk:
“Federal support capacity may be strained, leaving smaller organizations more vulnerable to opportunistic intrusion...” (Host, [02:34])
On AI in Cyber Careers:
“AI is improving efficiency rather than eliminating jobs, with nearly half of organizations reducing manual analysis time and automating workflows.” (Host, [09:41])
On Attackers Exploiting Trusted Relationships:
“...they target a trusted partner...gain access through spear phishing to that organization, and then use that trusted account to get to their ultimate target.” (Sam Rubin, [21:51])
[24:42–end]
This episode leverages breaking news to set the context for the critical water sector threat, then uses a deep-dive expert segment to illustrate the sophistication and evolution of Iranian-linked cyber actors, particularly their exploitation of trusted relationships and “living off the land” destructive attacks. Practical mitigation steps and workforce transformation trends are discussed with both urgency and clarity. The show closes with a tech culture story illustrating broader trust and authenticity issues in the digital age.
For more details, listen to the episode or read the full interview with Sam Rubin (link in show notes).