CyberWire Daily

The messaging app used by CBP and the White House faces continued security scrutiny. Hacktivists breach the airline used for U.S. deportation flights. The FBI warns that threat actors are exploiting outdated, unsupported routers. Education giant Pearson confirms a cyberattack. Researchers report exploitation of Windows Remote Management (WinRM) for stealthy lateral movement in Active Directory (AD) environments. A sophisticated email attack campaign uses malicious PDF invoices to deliver a cross-platform RAT. A zero-day vulnerability in SAP NetWeaver enables remote code execution. An Indiana health system reports a data breach affecting nearly 263,000 individuals. Our guest is Alex Cox, Director of Information Security at LastPass, discussing tax-related lures targeting refunds. AI empowers a murder victim to speak from beyond the grave.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing [https://thecyberwire.com/newsletters/daily-briefing], and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn [https://www.linkedin.com/company/10454826/admin/feed/posts/]. CyberWire Guest Today we are joined by Alex Cox [https://www.linkedin.com/in/alexjcox/], Director of Information Security at LastPass [https://www.lastpass.com/], to discuss tax-related lures facing both tax preparation agencies and filers expecting refunds. Selected Reading On the state of modern Web Application Security [https://www.brighttalk.com/webcast/18820/640148?bt_tok=%7B%7Brecord.BT_fastpass_token%7D%7D&utm_source=N2KNetworks&utm_medium=brighttalk&utm_campaign=640148] (BrightTalk) Customs and Border Protection Confirms Its Use of Hacked Signal Clone TeleMessage [https://www.wired.com/story/cbp-confirms-telemessage-use/] (Wired) Hackers hit deportation airline GlobalX, leak flight manifests, and leave an unsubtle message for "Donnie" Trump [https://www.bitdefender.com/en-us/blog/hotforsecurity/hackers-globalx-message-trump] (Bitdefender) FBI Sounds Alarm on Rogue Cybercrime Services Targeting Obsolete Routers [https://www.infosecurity-magazine.com/news/fbi-cybercrime-obsolete-routers/] (infosecurity magazine) Education giant Pearson hit by cyberattack exposing customer data [https://www.bleepingcomputer.com/news/security/education-giant-pearson-hit-by-cyberattack-exposing-customer-data/] (Bleeping Computer) Hackers Using Windows Remote Management to Stealthily Navigate Active Directory Network [https://cybersecuritynews.com/windows-remote-management-leveraged/] (Cybersecurity News) Hackers Weaponizing PDF Invoices to Attack Windows, Linux & macOS Systems [https://cybersecuritynews.com/hackers-weaponizing-pdf-invoices/] (Cybersecurity News) SAP Zero-Day Targeted Since January, Many Sectors Impacted [https://www.securityweek.com/sap-zero-day-targeted-since-january-many-sectors-impacted/](Security Week) Indiana Health System Notifies 263,000 of Oracle Hack [https://www.bankinfosecurity.com/indiana-health-system-notifies-263000-oracle-hack-a-28353] (Bank of Infosecurity) A Judge Accepted AI Video Testimony From a Dead Man [https://www.404media.co/email/0cb70eb4-c805-4e4e-9428-7ae90657205c/?ref=daily-stories-newsletter] (404 Media) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey [https://www.surveymonkey.com/r/cwdp-listener] as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit [https://docsend.com/view/5ncb2vvpz2ntg95q]. Contact us at cyberwire@n2k.com [cyberwire@n2k.com] to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]

The LockBit ransomware gang has been hacked. Google researchers identify a new infostealer called Lostkeys. SonicWall is urging customers to patch three critical device vulnerabilities. Apple patches a critical remote code execution flaw. Cisco patches 35 vulnerabilities across multiple products. Iranian hackers cloned a German modeling agency’s website to spy on Iranian dissidents. Researchers bypass SentinelOne’s EDR protection. Education tech firm PowerSchool faces renewed extortion. CrowdStrike leans into AI amidst layoffs. Our guest is Caleb Barlow, CEO of Cyberbit, discussing the mixed messages of the cyber skills gaps. Honoring the legacy of Joseph Nye. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing [https://thecyberwire.com/newsletters/daily-briefing], and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn [https://www.linkedin.com/company/10454826/admin/feed/posts/]. CyberWire Guest Today we are joined by Caleb Barlow [https://www.linkedin.com/in/calebbarlow/], CEO of Cyberbit [https://www.cyberbit.com/], who is discussing the mixed messages of the cyber skills gaps. Selected Reading LockBit ransomware gang hacked, victim negotiations exposed [https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/] (Bleeping Computer) Russian state-linked Coldriver spies add new malware to operation [https://therecord.media/coldriver-russia-cyber-espionage-lostkeys-malware] (The Record) Fake AI Tools Push New Noodlophile Stealer Through Facebook Ads [https://hackread.com/fake-ai-tools-noodlophile-stealer-facebook-ads/] (Hackread) SonicWall urges admins to patch VPN flaw exploited in attacks [https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-vpn-flaw-exploited-in-attacks/] (Bleeping Computer) Researchers Details macOS Remote Code Execution Vulnerability - CVE-2024-44236 [https://cybersecuritynews.com/macos-remote-code-execution-vulnerability/] (Cyber Security News) Cisco IOS XE Wireless Controllers Vulnerability Enables Full Device Control for Attackers [https://cybersecuritynews.com/cisco-ios-xe-wireless-controllers-vulnerability/] (Cyber Security News) Cisco Patches 35 Vulnerabilities Across Several Products [https://www.securityweek.com/cisco-patches-35-vulnerabilities-across-several-products/] (SecurityWeek) Iranian Hackers Impersonate as Model Agency to Attack Victims [https://cybersecuritynews.com/iranian-hackers-impersonate-as-model-agency/] (Cyber Security News) Hacker Finds New Technique to Bypass SentinelOne EDR Solution [https://www.infosecurity-magazine.com/news/new-technique-bypass-sentinelone/] (Infosecurity Magazine) CrowdStrike trims workforce by 5 percent, aims to rely on AI [https://www.theregister.com/2025/05/07/crowdstrike_trims_workforce_ai/] (The Register) Despite ransom payment, PowerSchool hacker now extorting individual school districts [https://therecord.media/despite-ransom-payment-powerschool-extorting] (The Record)  Joseph Nye, Harvard professor, developer of “soft power” theory, and an architect of modern international relations, dies at 88 [https://www.hks.harvard.edu/faculty-research/policy-topics/international-relations-security/joseph-nye-obituary] (Harvard University)  Nye Lauded for Cybersecurity Leadership [https://www.belfercenter.org/publication/nye-lauded-cybersecurity-leadership] (The Belfer Center for Science and International Affairs at Harvard University) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey [https://www.surveymonkey.com/r/cwdp-listener] as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit [https://docsend.com/view/5ncb2vvpz2ntg95q]. Contact us at cyberwire@n2k.com [cyberwire@n2k.com] to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]

From the N2K CyberWire network T-Minus team, please enjoy this podcast episode recorded at Space Symposium 2025. Find out how AWS for Aerospace and Satellite is  empowering exploration on the Moon, Mars, and beyond with Lunar Outpost. You can learn more about AWS in Orbit at space.n2k.com/aws [https://space.n2k.com/aws]. Our guests on this episode are AJ Gemer [https://www.linkedin.com/in/aj-gemer/], CTO at Lunar Outpost [https://www.lunaroutpost.com/] and Salem El Nimri, CTO at AWS Aerospace & Satellite. Remember to leave us a 5-star rating and review in your favorite podcast app. Be sure to follow T-Minus on LinkedIn [https://www.linkedin.com/company/n2k-space/] and Instagram [https://www.instagram.com/tminusdaily/]. Selected Reading AWS Aerospace and Satellite [https://aws.amazon.com/aerospace-and-satellite/?trk=c9d66aa7-01dc-4cbe-93b1-2c987a64a1d9&sc_channel=el] Audience Survey We want to hear from you! Please complete our short survey [https://www.surveymonkey.com/r/BL5NFPW]. It’ll help us get better and deliver you the most mission-critical space intel every day. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit [https://docsend.com/view/ung56qbvknfbj9z2]. Contact us at space@n2k.com [space@n2k.com] to request more info. Want to join us for an interview? Please send your pitch to space-editor@n2k.com [space-editor@n2k.com] and include your name, affiliation, and topic proposal. T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]

A jury orders NSO Group to pay $167 millions dollars to Meta over spyware allegations. CISA warns of hacktivists targeting U.S. ICS and SCADA systems. Researcher Micah Lee documents serious privacy risks in the TM SGNL app used by high level Trump officials. The NSA plans significant workforce cuts. Nations look for alternatives to U.S. cloud providers. A medical device provider discloses a cyberattack disrupting its ability to ship customer orders. The Panda Shop smishing kit impersonates trusted brands. Accenture’s CFO thwarts a deepfake attempt. Our temporary intern Kevin Magee from Microsoft wraps up his reporting from the RSAC show floor.  Server room shenanigans, with romance, retaliation, and root access. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing [https://thecyberwire.com/newsletters/daily-briefing], and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn [https://www.linkedin.com/company/10454826/admin/feed/posts/]. CyberWire Guest Wrapping up RSAC 2025, we’re joined by our partner Kevin Magee [https://www.linkedin.com/in/kmagee/], Global Director of Cybersecurity Startups at Microsoft for Startups [https://www.microsoft.com/en-us/startups?wt.mc_id=cyberwireepisode_landingpage_organicsocial_mfsmktg]. Kevin brings the energy with a high-octane medley of interviews directly from the show floor, featuring sharp insights and bold ideas from some of cybersecurity’s most influential voices. It’s the perfect, fast-paced finale to our RSAC coverage—check out the show notes for links to all the guests featured! In this segment, you’ll hear from Eoin Wickens [https://www.linkedin.com/in/eoinwickens/], Director of Threat Intelligence of HiddenLayer [https://www.linkedin.com/company/hiddenlayersec/], Jordan Shaw-Young [https://www.linkedin.com/in/jordanshawyoung/overlay/about-this-profile/], Chief of Staff for Security Services at BlueVoyant [https://www.linkedin.com/company/bluevoyant/], Gil Barak [https://www.linkedin.com/in/gilbarak/overlay/about-this-profile/], co-founder and CEO of Blink Ops [https://www.linkedin.com/company/blink-ops/], and Paul St Vil [https://www.linkedin.com/in/paul-st-vil-8a48884/overlay/about-this-profile/], VP of Field Engineering at Zenity [https://www.linkedin.com/company/zenitysec/]. You can also catch Kevin on our Microsoft for Startups⁠ [https://explore.thecyberwire.com/microsoft-for-startups] Spotlight, brought to you by N2K CyberWire and Microsoft, where we shine a light on innovation, ambition, and the tech trailblazers building the future right from the startup trenches. Kevin and Dave talk with startup veteran and Cygenta co-founder FC about making the leap from hacker to entrepreneur, then speak with three Microsoft for Startups members: Matthew Chiodi⁠ of ⁠Cerby⁠, ⁠Travis Howerton⁠ of ⁠RegScale⁠, and ⁠Karl Mattson⁠ of ⁠Endor Labs⁠. Whether you are building your own startup or just love a good innovation story, listen and learn more here [https://explore.thecyberwire.com/microsoft-for-startups]. Selected Reading Spyware-maker NSO ordered to pay $167 million for hacking WhatsApp [https://www.washingtonpost.com/technology/2025/05/06/nso-pegasus-whatsapp-damages/] (The Washington Post) CISA Warns of Hackers Attacking ICS/SCADA Systems in Oil and Natural Gas Companies [https://cybersecuritynews.com/hackers-attacking-ics-scada-systems/] (Cyber Security News) Despite misleading marketing, Israeli company TeleMessage, used by Trump officials, can access plaintext chat logs [https://micahflee.com/despite-misleading-marketing-israeli-company-telemessage-used-by-trump-officials-can-access-plaintext-chat-logs/] (Micha Flee) NSA to cut up to 2,000 civilian roles as part of intel community downsizing [https://therecord.media/nsa-to-cut-up-to-2000-roles-downsizing]' (The Record) NIST loses key cyber experts in standards and research (Cybersecurity Dive [https://www.cybersecuritydive.com/news/nist-cyber-retirements-quantum-ai-research-standards/747270/]) A coherent European/non-US cloud strategy: building railroads for the cloud economy (Bert Hubert [https://berthub.eu/articles/posts/a-coherent-non-us-cloud-strategy/]) Medical device giant Masimo says cyberattack is limiting ability to fill customer orders [https://therecord.media/masimo-medical-device-company-cyberattack] (The Record) New Chinese Smishing Kit Dubbed 'Panda Shop' Steal Google, Apple Pay & Credit Card Details [https://cybersecuritynews.com/new-chinese-smishing-kit-dubbed-panda-shop/] (Cyber Security News) Accenture: What we learned when our CEO got deepfaked [https://www.computing.co.uk/event/2025/accenture-what-we-learned-when-our-ceo-got-deepfaked] (Computing) IT Worker from Computacenter Let Girlfriend Into Deutsche Bank’s Restricted Areas [https://gbhackers.com/it-worker-girlfriend-into-deutsche-banks-restricted-areas/] (GB Hackers) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey [https://www.surveymonkey.com/r/cwdp-listener] as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit [https://docsend.com/view/5ncb2vvpz2ntg95q]. Contact us at cyberwire@n2k.com [cyberwire@n2k.com] to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]

A critical flaw in a Samsung’s CMS is being actively exploited. President Trump’s proposed 2026 budget aims to slash funding for CISA. “ClickFix” malware targets both Windows and Linux systems through advanced social engineering. CISA warns of a critical Langflow vulnerability actively exploited in the wild. A new supply-chain attack targets Linux servers using malicious Go modules found on GitHub. The Venom Spider threat group targets HR professionals with fake resume submissions. The Luna Moth group escalates phishing attacks on U.S. legal and financial institutions. The U.S. Treasury aims to cut off a Cambodia-based money laundering operation. Our guest is  Monzy Merza, Co-Founder and CEO of Crogl, discussing the CISO's conundrum in the face of AI. Malware, mouse ears, and mayhem: Disney hacker pleads guilty. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing [https://thecyberwire.com/newsletters/daily-briefing], and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn [https://www.linkedin.com/company/10454826/admin/feed/posts/]. CyberWire Guest On our Industry Voices segment, we are joined by Monzy Merza [https://www.linkedin.com/in/monzymerza/], Co-Founder and CEO of Crogl [https://www.linkedin.com/company/crogl/], who is discussing the CISO's conundrum—the growing challenge of securing organizations in a world where AI rapidly expands both the number of users and potential adversaries. Selected Reading Samsung MagicINFO Vulnerability Exploited Days After PoC Publication (SecurityWeek [https://www.securityweek.com/samsung-magicinfo-vulnerability-exploited-days-after-poc-publication/]) Trump would cut CISA budget by $491M amid ‘censorship’ claim  (The Register [https://www.theregister.com/2025/05/06/cisa_budget_cuts/]) New ClickFix Attack Mimics Ministry of Defense Website to Attack Windows & Linux Machines [https://cybersecuritynews.com/new-clickfix-attack-mimics-ministry-of-defense-website/] (Cyber Security News) Critical Vulnerability in AI Builder Langflow Under Attack [https://www.securityweek.com/critical-vulnerability-in-ai-builder-langflow-under-attack/] (SecurityWeek [https://www.securityweek.com/samsung-magicinfo-vulnerability-exploited-days-after-poc-publication/]) Linux wiper malware hidden in malicious Go modules on GitHub [https://www.bleepingcomputer.com/news/security/linux-wiper-malware-hidden-in-malicious-go-modules-on-github/] (Bleeping Computer) Malware scammers target HR professionals with Venom Spider malware (SC Media [https://www.scworld.com/news/malware-scammers-target-hr-professionals-with-venom-spider-malware]) Luna Moth extortion hackers pose as IT help desks to breach US firms [https://www.bleepingcomputer.com/news/security/luna-moth-extortion-hackers-pose-as-it-help-desks-to-breach-us-firms/] (Bleeping Computer) US Readies Huione Group Ban Over Cybercrime Links [https://www.govinfosecurity.com/us-readies-huione-group-ban-over-cybercrime-links-a-28293] (GovInfo Security) Hacker 'NullBulge' pleads guilty to stealing Disney's Slack data [https://www.bleepingcomputer.com/news/security/hacker-nullbulge-pleads-guilty-to-stealing-disneys-slack-data/] (Bleeping Computer) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey [https://www.surveymonkey.com/r/cwdp-listener] as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit [https://docsend.com/view/5ncb2vvpz2ntg95q]. Contact us at cyberwire@n2k.com [cyberwire@n2k.com] to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]