
Rogue peers and hidden exploits.
Five Eyes flags active exploitation of Cisco SD-WAN flaws. Ransomware incidents surge, but fewer victims are paying. The FTC eases its stance on COPPA to encourage age verification. Authorities in Poland and Germany charge 11 in a Facebook credential harvesting scheme. Top UK news outlets unite on AI licensing standards, as the UK touts gains in cyber resilience. Researchers say a hacker abused Anthropic’s Claude to breach Mexican government networks. Gamers revolt over AI in game development. On our Industry Voices, we are joined by Linda Gray Martin, Chief of Staff and SVP, and Britta Glade, SVP of Content and Communities, from RSAC sharing what is new at RSAC 2026. In Moscow, a man is accused of impersonating an FSB officer to shake down the Conti ransomware gang. Professor Falcon was right.
Today is Thursday, February 26th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The Five Eyes alliance warns of actively exploited vulnerabilities in Cisco SD-WAN systems.
Intelligence agencies from the Five Eyes alliance are warning that advanced threat actors are actively exploiting vulnerabilities in Cisco Catalyst Software Defined Wide Area Network, or SD-WAN, systems. The alert focuses on CVE-2026-20127 and CVE-2022-20775, which attackers tracked as UAT-8616 are using to bypass authentication, execute arbitrary commands, and escalate privileges to root on SD-WAN controllers.
According to Cisco Talos, the group has introduced rogue peers into the network management plane, downgraded software to enable further exploitation, and then restored devices to their original versions to reduce detection. The Australian Signals Directorate’s Australian Cyber Security Centre says activity dates back to at least 2023 and targets critical infrastructure and government networks.
CISA and allied agencies are urging organizations to immediately investigate potential compromise and apply Cisco’s mitigation guidance to reduce the risk of long-term persistence.
Ransomware attacks rise sharply, but fewer victims are paying.
Ransomware attacks are rising sharply, but fewer victims are paying. Chainalysis reports that claimed incidents increased 50 percent in 2025, while payment rates fell to a record low of 28 percent. The firm tracked about $820 million in ransomware payments this year, a figure expected to climb as more cases are attributed. Despite fewer payouts overall, the median payment jumped to nearly $60,000, suggesting gangs are targeting larger organizations.
Researchers credit stronger incident response, regulatory pressure and law enforcement disruptions for the decline in payments. At the same time, ransomware groups have splintered into smaller operations and expanded ransomware-as-a-service models. Initial access brokers remain active, with $14 million in tracked payments, while access prices have dropped amid an oversupply of stolen credentials. Chainalysis says the ecosystem is adapting, not retreating.
The FTC signals a softer stance on COPPA.
The Federal Trade Commission has signaled a softer stance on enforcing parts of the Children’s Online Privacy Protection Act, or COPPA, in an effort to encourage stronger online age verification. While no law has changed, the FTC said it will not prioritize enforcement against companies that collect limited data strictly for age verification, provided it is not retained unnecessarily, shared improperly, or used beyond that purpose.
COPPA, enacted in 1998, restricts data collection from children under 13 without parental consent and has historically discouraged robust age checks, leading many sites to rely on simple self-reported birthdates. Following a recent Age Verification Workshop, FTC officials indicated a possible future rule update. For now, the agency’s policy statement creates more flexibility for companies to deploy age-gating technologies without triggering immediate regulatory action.
Officials in Poland and Germany accuse 11 of running a Facebook credential harvesting operation.
A two-year investigation spanning Poland and Germany has led to charges against 11 people accused of running a large-scale credential harvesting operation that collected more than 100,000 stolen login details. Authorities said the group operated between May 2022 and May 2024, using fake news websites and fraudulent Facebook login pages to trick victims into entering usernames and passwords.
Investigators allege the suspects formed an organized criminal group responsible for more than 400 offenses, including unlawful account takeovers, internet fraud, and money laundering. Stolen credentials were reportedly used in further crimes, including fraud involving Poland’s BLIK payment system. Six suspects are in pretrial detention, and assets equivalent to 1 million złoty have been seized. Authorities are urging potential victims to check whether their data was compromised and to change affected passwords.
Major UK news organisations form a coalition for AI licensing standards.
Five major UK news organisations, the Financial Times, The Guardian, The Telegraph, BBC and Sky News, have formed a coalition called Standards for Publisher Usage Rights, or SPUR, to develop shared artificial intelligence licensing standards. The move follows concerns that AI companies have scraped journalism without permission or payment, undermining publishers’ business models and weakening transparency around how AI-generated answers are created.
SPUR aims to create technical standards and licensing frameworks that allow AI developers to access news content in legitimate, rights-cleared ways while ensuring publishers retain control and receive fair value. The group will not set prices but will explore potential models such as pay-per-crawl or pay-per-inference. The coalition hopes to attract global members and influence emerging AI content marketplaces, while allowing publishers to continue negotiating individual licensing deals.
The UK sees success in upgraded cyber resilience.
UK public services including the NHS and Legal Aid Agency are becoming more resilient following major government upgrades to cyber vulnerability monitoring. A new Vulnerability Monitoring Service, launched under the January 2025 Blueprint for modern digital government, has cut the average time to fix Domain Name System, or DNS, weaknesses from nearly 50 days to just 8 days, an 84% improvement. DNS flaws can allow attackers to redirect users to fake websites, steal sensitive data, or disrupt essential services.
The service continuously scans 6,000 public sector bodies, detects about 1,000 vulnerability types, and helps resolve roughly 400 confirmed issues each month. The government has also reduced its backlog of critical DNS vulnerabilities by 75%. Alongside this, officials announced a new Cyber Profession programme to recruit and train specialists to strengthen long-term public sector cyber resilience.
A hacker abused Anthropic’s Claude chatbot to help breach multiple Mexican government agencies.
Researchers say a hacker abused Anthropic’s Claude chatbot to help breach multiple Mexican government agencies and steal 150 gigabytes of sensitive data. According to Gambit Security, the attacker used Spanish-language prompts to jailbreak Claude, directing it to find vulnerabilities, write exploit scripts and automate data theft. Researchers say the stolen data included records tied to 195 million taxpayers, as well as voter data, employee credentials and civil registry files.
The activity reportedly ran for about a month starting in December and exploited at least 20 vulnerabilities. Anthropic said it investigated, banned the accounts and updated safeguards. OpenAI said its tools refused similar requests and also banned related accounts. Several Mexican agencies denied evidence of breaches. Gambit says the incident highlights how AI tools can accelerate and scale cyberattacks.
Gamers push back on AI.
A growing backlash against artificial intelligence in video games has turned “sensational,” according to Embark Studios CEO Patrick Soderlund, after his hit game Arc Raiders faced criticism for using auto-generated voices. Despite selling 12 million copies in three months and topping Steam’s paid charts, the game drew online backlash from players hostile to AI in creative roles.
The $200 billion industry is divided over AI’s role. Some see it as a way to cut rising development costs, while others fear job losses and declining quality. Surveys show nearly half of developers expect generative AI to reduce game quality, and 85% of gamers in one poll expressed negative views. While some studios adopt AI-first strategies, others publicly reject its use in core creative areas, reflecting deep tension over the technology’s future in gaming.
A Moscow man is accused of posing as an FSB officer to extort the Conti ransomware gang.
A Moscow resident has been accused of attempting to extort the Conti ransomware group by posing as an officer of Russia’s Federal Security Service, or FSB. According to Russian outlet RBC, Ruslan Satuchin allegedly demanded payment in exchange for shielding Conti members from prosecution. He denies wrongdoing and is in pre-trial detention. If convicted, he faces up to 10 years in prison. Conti, once a major ransomware operation, disbanded in 2022 after internal leaks, but former members reportedly resurfaced in other cybercriminal groups.
Professor Falcon was right.
In a series of simulated geopolitical crises, three advanced AI models were asked to play nuclear brinkmanship. They did not blink.
Kenneth Payne at King’s College London pitted GPT-5.2, Claude Sonnet 4 and Gemini 3 Flash against one another in 21 war games, complete with escalation ladders ranging from diplomatic protest to full strategic nuclear war. Across 329 turns and nearly 800,000 words of reasoning, at least one tactical nuclear weapon was launched in 95 percent of the games. Surrender was never an option. Even when losing badly, the models preferred to press on. In 86 percent of conflicts, accidents pushed escalation beyond what the AI intended.
Researchers say the findings are unsettling. While experts doubt governments would hand nuclear launch authority to machines, AI is already used in war gaming. Under tight timelines, decision support tools could shape perceptions and compress choices, even if humans still hold the keys.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
