CyberWire Daily

This week, Dave speaks with Max Gannon [https://www.linkedin.com/in/max-gannon-34b775111/] of Cofense Intelligence [https://cofense.com/] to dive into his team's research on "The Rise of Precision-Validated Credential Theft: A New Challenge for Defenders." Threat actors continuously develop new tactics, techniques, and procedures (TTPs) to bypass existing defenses. When defenders identify these methods and implement countermeasures, attackers adapt or create more sophisticated approaches. This research explores how cybercriminals are leveling up their credential phishing tactics using Precision-Validated Phishing, a technique that leverages real-time email validation to ensure only high-value targets receive the phishing attempt. The research can be found here: * The Rise of Precision-Validated Credential Theft: A New Challenge for Defenders [https://cofense.com/blog/the-rise-of-precision-validated-credential-theft-a-new-challenge-for-defenders]⁠⁠⁠⁠ [https://www.cyberark.com/resources/threat-research-blog/agents-under-attack-threat-modeling-agentic-ai]⁠ [https://www.reversinglabs.com/blog/atomic-and-exodus-crypto-wallets-targeted-in-malicious-npm-campaign] Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]

NATO hosts the world’s largest cyber defense exercise. The DOJ charges a dozen people in a racketeering conspiracy involving the theft of over $230 million in cryptocurrency. Japan has enacted a new Active Cyberdefense Law. Lawmakers push to reauthorize the Cybersecurity Information Sharing Act. Two critical Ivanti Endpoint Manager Mobile vulnerabilities are under active exploitation. Hackers use a new fileless technique to deploy Remcos RAT. The NSA’s Director of Cybersecurity hangs up their hat. Our guest is Christopher Cleary, VP of ManTech's Global Cyber Practice, discussing the cyber battlespace of the future. Coinbase flips the script on an extortion attempt.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing [https://thecyberwire.com/newsletters/daily-briefing], and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn [https://www.linkedin.com/company/10454826/admin/feed/posts/]. CyberWire Guest Joining us on our Industry Voices segment, Christopher Cleary [https://www.linkedin.com/in/christopher-cleary-pmp-cissp-6242b635/], VP of ManTech [https://www.mantech.com/]'s Global Cyber Practice, talks about the battlespace of the future. If you would like to hear the full-length interview between Christopher and Dave, listen here [https://explore.thecyberwire.com/chris-cleary]. Learn more about ManTech’s cybersecurity work here [https://www.mantech.com/expertise/cyberspace-superiority/].  Selected Reading NATO's Locked Shields Reflects Cyber Defense Growth [https://www.securityweek.com/from-60-to-4000-natos-locked-shields-reflects-cyber-defense-growth/] (SecurityWeek) US charges 12 more suspects linked to $230 million crypto theft [https://www.bleepingcomputer.com/news/security/us-charges-12-more-suspects-linked-to-230-million-crypto-theft/] (Bleeping Computer) Japan enacts new Active Cyberdefense Law allowing for offensive cyber operations [https://therecord.media/japan-enacts-new-law-allowing-offensive-cyber-operations] (The Record) Lawmakers push for reauthorization of cyber information sharing bill as deadline looms [https://therecord.media/lawmakers-push-for-reauthorization-information-sharing-bill] (The Record) Ban sales of gear from China’s TP-Link, Republican lawmakers tell Trump administration [https://therecord.media/republican-lawmakers-call-for-tp-link-ban] (The Record) Scammers are deepfaking voices of senior US government officials, warns FBI [https://www.theregister.com/2025/05/16/fbi_deepfake_us_government_warning/] (The Register) Multiple Ivanti Endpoint Mobile Manager Vulnerabilities Allows Remote Code Execution [https://cybersecuritynews.com/ivanti-endpoint-mobile-manager-vulnerabilities/] (Cyber Security News) Updated Remcos RAT deployed in fileless intrusion [https://www.scworld.com/brief/updated-remcos-rat-deployed-in-fileless-intrusion](SC Media) NSA cyber director Luber to retire at month’s end [https://therecord.media/nsa-cyber-director-dave-luber-to-retire] (The Record) Coinbase offers $20 million bounty after extortion attempt with stolen data [https://therecord.media/coinbase-extortion-attempt-company-offers-20million-reward] (The Record) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey [https://www.surveymonkey.com/r/cwdp-listener] as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit [https://docsend.com/view/5ncb2vvpz2ntg95q]. Contact us at cyberwire@n2k.com [cyberwire@n2k.com] to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]

Google issues an emergency patch for a high-severity Chrome browser flaw. Researchers bypass BitLocker encryption in minutes. A massive Chinese-language black market has shut down. The CFPB cancels plans to curb the sale of personal information by data brokers. A cyberespionage campaign called Operation RoundPress targets vulnerable webmail servers. Google warns that Scattered Spider is now targeting U.S. retail companies. The largest steelmaker in the U.S. shut down operations following a cybersecurity incident. Our guest is Devin Ertel, Chief Information Security Officer at Menlo Security, discussing redefining enterprise security. The long and the short of layoffs. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing [https://thecyberwire.com/newsletters/daily-briefing], and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn [https://www.linkedin.com/company/10454826/admin/feed/posts/]. CyberWire Guest On our Industry Voices segment and direct from RSAC 2025, our guest is Devin Ertel [https://www.linkedin.com/in/devinertel/], Chief Information Security Officer at Menlo Security [https://www.menlosecurity.com/], discussing redefining enterprise security. Listen to Devin's interview here [https://explore.thecyberwire.com/devin-ertel]. Selected Reading Google fixes high severity Chrome flaw with public exploit [https://www.bleepingcomputer.com/news/security/google-fixes-high-severity-chrome-flaw-with-public-exploit/] (Bleeping Computer) BitLocker Encryption Bypassed in Minutes Using Bitpixie Vulnerability: PoC Released [https://cybersecuritynews.com/bitlocker-encryption-bypassed/] (Cyber Security News) The Internet’s Biggest-Ever Black Market Just Shut Down Amid a Telegram Purge [https://www.wired.com/story/the-internets-biggest-ever-black-market-shuts-down-after-a-telegram-purge/] (WIRED)  German operation shuts down crypto mixer eXch, seizes millions in assets [https://therecord.media/exch-cryptocurrency-mixer-germany-takedown] (The Record) CFPB Quietly Kills Rule to Shield Americans From Data Brokers [https://www.wired.com/story/cfpb-quietly-kills-rule-to-shield-americans-from-data-brokers/](WIRED) EU ruling: tracking-based advertising by Google, Microsoft, Amazon, X, across Europe has no legal basis [https://www.iccl.ie/digital-data/eu-ruling-tracking-based-advertising-by-google-microsoft-amazon-x-across-europe-has-no-legal-basis/] (Irish Council for Civil Liberties) Operation RoundPress targeting high-value webmail servers [https://www.welivesecurity.com/en/eset-research/operation-roundpress/] (We Live Security) Google says hackers that hit UK retailers now targeting American stores [https://www.reuters.com/business/google-says-hackers-that-targeted-uk-retail-sector-are-now-targeting-us-2025-05-14/](Reuters) Cybersecurity incident forces largest US steelmaker to take some operations offline [https://therecord.media/cyber-incident-forces-nucor-steel-to-take-systems-offline] (The Record) Infosec Layoffs Aren't the Bargain Boards May Think [https://www.darkreading.com/cyber-risk/infosec-layoffs-arent-bargain-boards-may-think] (Dark Reading)  Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey [https://www.surveymonkey.com/r/cwdp-listener] as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit [https://docsend.com/view/5ncb2vvpz2ntg95q]. Contact us at cyberwire@n2k.com [cyberwire@n2k.com] to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]

A busy Patch Tuesday. Investigators discover undocumented communications devices inside Chinese-made power inverters. A newly discovered Branch Privilege Injection flaw affects Intel CPUs. A UK retailer may claim up to £100mn from its cyber insurers after a major cyberattack.  A Kosovo national has been extradited to the U.S. for allegedly running an illegal online marketplace. CISA will continue alerts on its website following industry backlash. On our Industry Voices segment, Neil Hare-Brown, CEO at STORM Guidance, discusses Cyber Incident Response (CIR) retainer service provision. Shoring up the future of the CVE program. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing [https://thecyberwire.com/newsletters/daily-briefing], and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn [https://www.linkedin.com/company/10454826/admin/feed/posts/]. CyberWire Guest On today’s Industry Voices segment, we are joined by Neil Hare-Brown [https://www.linkedin.com/in/neilhb/], CEO at STORM Guidance [https://www.stormguidance.com/], discussing Cyber Incident Response (CIR) retainer service provision. You can learn more here [https://www.cyber.care/cyberwire].  Selected Reading Microsoft Patch Tuesday security updates for May 2025 fixed 5 actively exploited zero-days [https://securityaffairs.com/177839/hacking/microsoft-patch-tuesday-security-updates-for-may-2025-fixed-5-actively-exploited-zero-days.html] (Security Affairs) SAP patches second zero-day flaw exploited in recent attacks [https://www.bleepingcomputer.com/news/security/sap-patches-second-zero-day-flaw-exploited-in-recent-attacks/] (Bleeping Computer)  Ivanti fixes EPMM zero-days chained in code execution attacks [https://www.bleepingcomputer.com/news/security/ivanti-fixes-epmm-zero-days-chained-in-code-execution-attacks/] (Bleeping Computer)  Fortinet fixes critical zero-day exploited in FortiVoice attacks [https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-zero-day-exploited-in-fortivoice-attacks/] (Bleeping Computer)  Vulnerabilities Patched by Juniper, VMware and Zoom [https://www.securityweek.com/vulnerabilities-patched-by-juniper-vmware-and-zoom/] (SecurityWeek) ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Phoenix Contact [https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-addressed-by-siemens-schneider-phoenix-contact/] (SecurityWeek) Adobe Patches Big Batch of Critical-Severity Software Flaws [https://www.securityweek.com/adobe-patches-big-batch-of-critical-severity-software-flaws/] (SecurityWeek) Ghost in the machine? Rogue communication devices found in Chinese inverters [https://www.reuters.com/sustainability/climate-energy/ghost-machine-rogue-communication-devices-found-chinese-inverters-2025-05-14/] (Reuters) New Intel CPU flaws leak sensitive data from privileged memory [https://www.bleepingcomputer.com/news/security/new-intel-cpu-flaws-leak-sensitive-data-from-privileged-memory/] (Bleeping Computer)  M&S cyber insurance payout to be worth up to £100mn [https://www.ft.com/content/723b6195-1ce7-4b5f-94f5-729e9152c578] (Financial Times) US extradites Kosovo national charged in operating illegal online marketplace [https://therecord.media/us-extradites-kosovo-national-online-marketplace] (The Record) CISA Planned to Kill .Gov Alerts. Then It Reversed Course. [https://www.databreachtoday.com/cisa-planned-to-kill-gov-alerts-then-reversed-course-a-28391] (Data BreachToday) CVE Foundation eyes year-end launch following 11th-hour rescue of MITRE program [https://cyberscoop.com/cve-program-funding-crisis-cve-foundation-mitre/] (CyberScoop) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey [https://www.surveymonkey.com/r/cwdp-listener] as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit [https://docsend.com/view/5ncb2vvpz2ntg95q]. Contact us at cyberwire@n2k.com [cyberwire@n2k.com] to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]

House Republicans look to limit state regulation of AI. Spain investigates potential cybersecurity weak links in the April 28 power grid collapse. A major security flaw has been found in ASUS mainboards’ automatic update system. A new macOS info-stealing malware uses PyInstaller to evade detection. The U.S. charges 14 North Korean nationals in a remote IT job scheme. Europe’s cybersecurity agency launches the European Vulnerability Database. CISA pares back website security alerts. Moldovan authorities arrest a suspect in DoppelPaymer ransomware attacks. On today’s Threat Vector segment, David Moulton speaks with ⁠Noelle Russell⁠, CEO of the AI Leadership Institute, about how to scale responsible AI in the enterprise. Dave & Buster’s invites vanish into the void. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing [https://thecyberwire.com/newsletters/daily-briefing], and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn [https://www.linkedin.com/company/10454826/admin/feed/posts/]. Threat Vector  Recorded Live at the Canopy Hotel during the RSAC Conference in San Francisco, ⁠David Moulton [https://www.linkedin.com/in/davidrmoulton/]⁠ speaks with ⁠Noelle Russell [https://www.linkedin.com/in/noelleai/]⁠, CEO of the AI Leadership Institute and a leading voice in responsible AI on this Threat Vector [https://thecyberwire.com/podcasts/threat-vector] segment. Drawing from her new book Scaling Responsible AI, Noelle explains why early-stage AI projects must move beyond hype to operational maturity—addressing accuracy, fairness, and security as foundational pillars. Together, they explore how generative AI models introduce new risks, how red teaming helps organizations prepare, and how to embed responsible practices into AI systems. You can hear David and Noelle’s full discussion on Threat Vector here [https://thecyberwire.com/podcasts/threat-vector/66/notes] and catch new episodes every Thursday on your favorite podcast app.  Selected Reading Republicans Try to Cram Ban on AI Regulation Into Budget Reconciliation Bill [https://www.404media.co/republicans-try-to-cram-ban-on-ai-regulation-into-budget-reconciliation-bill/] (404 Media) Spain investigates cyber weaknesses in blackout probe [https://www.ft.com/content/a24e6e3c-cf9f-4093-833b-6e7492e7e7f0] (The Financial Times) Critical Security flaw in ASUS mainboard update system [https://beyondmachines.net/event_details/critical-security-flaw-in-asus-mainboard-update-system-k-5-z-y-7/gD2P6Ple2L] (Beyond Machines) Hackers Exploiting PyInstaller to Deploy Undetectable macOS Infostealer [https://cybersecuritynews.com/hackers-exploiting-pyinstaller/] (Cybersecurity News) Researchers Uncover Remote IT Job Fraud Scheme Involving North Korean Nationals [https://gbhackers.com/researchers-uncover-remote-it-job-fraud-scheme/] (GB Hackers) European Vulnerability Database Launches Amid US CVE Chaos [https://www.infosecurity-magazine.com/news/european-vulnerability-database-us/](Infosecurity Magazine) Apple Security Update: Multiple Vulnerabilities in macOS & iOS Patched [https://cybersecuritynews.com/apple-security-update-sensitive-data/] (Cybersecurity News) CISA changes vulnerabilities updates, shifts to X and emails [https://www.theregister.com/2025/05/12/cisa_vulnerabilities_updates_x/](The Register) Suspected DoppelPaymer Ransomware Group Member Arrested [https://www.securityweek.com/suspected-doppelpaymer-ransomware-group-member-arrested/](Security Week) Cracking The Dave & Buster’s Anomaly [https://rambo.codes/posts/2025-05-12-cracking-the-dave-and-busters-anomaly] (Rambo.Codes)  Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey [https://www.surveymonkey.com/r/cwdp-listener] as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit [https://docsend.com/view/5ncb2vvpz2ntg95q]. Contact us at cyberwire@n2k.com [cyberwire@n2k.com] to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]