The CyberWire Daily Podcast 3.6.26
Ep 2503 | 3.6.26

Iran is muddying the waters.

Transcript

Iran’s MuddyWater breaches multiple U.S. organizations. The FBI probes a breach of wiretap management systems. A China-linked threat actor targets South American telecoms. Cisco patches critical firewall flaws. CISA flags actively exploited bugs in Hikvision cameras and Rockwell industrial systems. A House committee advances the controversial KIDS online safety bill. The FBI arrests a suspect accused of stealing millions in seized crypto from the U.S. Marshals Service. Ben Yelin and Ethan Cook unpack the dispute between Anthropic and the Pentagon. Wikimedia worm wreaks widespread wiki woes.

Today is Friday, March 6th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Iran’s MuddyWater infiltrates multiple U.S. organizations. 

Iranian advanced persistent threat group MuddyWater has infiltrated multiple organizations in the United States and allied regions, according to researchers at Broadcom’s Symantec and Carbon Black threat hunting team. The activity targeted an aerospace and defense contractor, a U.S. bank, an airport, a software company with operations in Israel, and a non-governmental organization active in the U.S. and Canada. Researchers say the intrusions continued in recent days amid escalating tensions following U.S. and Israeli military strikes on Iran. During the campaign, the attackers deployed two backdoors, Dindoor and Fakeset, both signed with certificates linked to the names “Amy Cherne” and “Donald Gay,” the latter previously associated with MuddyWater operations. The group also attempted to exfiltrate data from the software company’s Israeli branch. Although the observed activity has been disrupted, researchers warn the attackers’ existing foothold on U.S. and Israeli networks could enable further operations.

Tech firms rally behind Anthropic. 

Major technology firms and policy leaders are rallying behind AI developer Anthropic as its dispute with the Pentagon intensifies. The Information Technology Industry Council, which represents companies including Google, Apple and Microsoft, warned the Defense Department that labeling Anthropic a “supply-chain risk” over a procurement disagreement could set a dangerous precedent for the tech industry and the defense industrial base.

Separately, a bipartisan group of defense, intelligence and technology policy experts urged Congress to investigate the Pentagon’s actions, arguing Anthropic’s stance against using AI for mass domestic surveillance is reasonable. The White House has ordered agencies to phase out Anthropic technology within six months while seeking alternative AI providers willing to permit broader government use.

Lawmakers, including Senator Ron Wyden, are also pressing AI companies about safeguards around government access to Americans’ data. Analysts warn the dispute could complicate government systems that already rely on Anthropic models.

Later in the show Ben Yelin and Ethan Cook dig into the details of this dispute. 

The FBI confirms a breach of wiretap management systems. 

The FBI confirmed it is investigating a breach involving systems used to manage surveillance and wiretap warrants. The agency said it detected suspicious activity on its networks and has since contained the incident, though officials declined to provide details about the scope or impact.

According to reporting by CNN, the compromised systems are used to process court-authorized wiretapping and foreign intelligence surveillance warrants. The FBI stated it used its technical capabilities to respond after identifying the activity but did not say who may be responsible or whether sensitive information was accessed.

Authorities have not confirmed whether the incident is linked to prior intrusions. In 2024, a Chinese state-backed hacking group known as Salt Typhoon breached U.S. government systems involved in handling lawful wiretap requests, though investigators have not tied that activity to the current case.

A China-linked threat actor targets South American telecom providers. 

A China-linked threat actor tracked as UAT-9244 has targeted telecommunications providers across South America since 2024, compromising Windows, Linux and network-edge devices, according to Cisco Talos researchers. The activity cluster shows strong overlaps with tactics used by the FamousSparrow and Tropic Trooper groups, though researchers track it separately.

The campaign deploys three previously undocumented malware families. TernDoor is a Windows backdoor delivered through DLL side-loading that enables remote command execution and persistence through scheduled tasks and registry changes. PeerTime is a multi-architecture Linux backdoor that uses the BitTorrent protocol for command-and-control communications and appears designed for telecom and embedded systems. BruteEntry is a scanning and brute-force tool that converts compromised machines into proxy nodes to search for new targets.

Researchers say the activity shares victim profiles with the China-linked Salt Typhoon group, though no confirmed operational link has been established.

Cisco patches critical firewall vulnerabilities. 

Cisco has released security updates addressing 48 vulnerabilities across several firewall platforms, including Cisco Secure Firewall Adaptive Security Appliance, Secure Firewall Management Center, and Secure Firewall Threat Defense. The advisories include two critical flaws, both with a maximum CVSS score of 10, affecting the Secure Firewall Management Center management platform. One vulnerability, CVE-2026-20079, allows authentication bypass through crafted HTTP requests, potentially granting root access. The second, CVE-2026-20131, involves insecure deserialization that could enable remote code execution. Cisco also patched 15 high-severity and 31 medium-severity flaws. The company says no workarounds exist, and organizations should update to the patched versions immediately.

CISA flags vulnerabilities affecting Hikvision cameras and Rockwell Automation Logix industrial systems. 

Two longstanding vulnerabilities affecting Hikvision cameras and Rockwell Automation Logix industrial systems are now high-priority risks after being added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog. The first flaw, CVE-2017-7921 (CVSS 10), allows authentication bypass on certain Hikvision IP cameras, potentially exposing device credentials, configurations, and images. The second, CVE-2021-22681 (CVSS 9.8), enables attackers with network access to impersonate trusted engineering workstations in Rockwell Logix environments.

CISA’s KEV listing indicates active exploitation in the wild. Security teams are urged to patch vulnerable Hikvision devices, reduce internet exposure, and apply network segmentation and other compensating controls for affected industrial control system environments.
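The KEV listing changes how these two CVEs rank against everything else in a patch queue. As an added illustration that is not part of the CyberWire briefing or of any CISA tooling, the Python below triages a constructed asset inventory: KEV membership outranks raw CVSS, internet exposure breaks ties, and industrial systems get the segmentation-first advice given above. The host names, the asset-class taxonomy, the placeholder CVE id and the KEV subset (only the two entries the briefing reports) are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed KEV subset: just the two CVEs the briefing reports as newly listed.
# A real deployment would load the full CISA KEV catalog JSON instead.
KEV_SAMPLE = frozenset({"CVE-2017-7921", "CVE-2021-22681"})


@dataclass(frozen=True)
class Finding:
    asset: str            # hypothetical host name
    asset_class: str      # "camera", "ics" or "network" (assumed taxonomy)
    cve: str
    cvss: float
    internet_exposed: bool


# Constructed inventory using CVE ids from the page plus one labelled placeholder.
INVENTORY = [
    Finding("cam-lobby-01", "camera", "CVE-2017-7921", 10.0, True),
    Finding("plc-line-3", "ics", "CVE-2021-22681", 9.8, False),
    Finding("fmc-mgmt-01", "network", "CVE-2026-20079", 10.0, False),
    Finding("fmc-mgmt-01", "network", "CVE-2026-20131", 10.0, False),
    Finding("asa-edge-02", "network", "CVE-XXXX-PLACEHOLDER", 6.5, True),
]


def is_kev(cve: str, kev: frozenset = KEV_SAMPLE) -> bool:
    """True when the CVE id is in the known-exploited catalog (case-insensitive)."""
    return cve.upper() in kev


def priority_key(f: Finding, kev: frozenset = KEV_SAMPLE) -> Tuple[bool, float, bool]:
    """Sort key: known exploitation first, then CVSS, then internet exposure."""
    return (is_kev(f.cve, kev), f.cvss, f.internet_exposed)


def recommend(f: Finding, kev: frozenset = KEV_SAMPLE) -> str:
    """Map a finding to the action the KEV guidance implies (assumed wording)."""
    if is_kev(f.cve, kev):
        if f.asset_class == "ics":
            # ICS patching usually waits for a window; compensating controls cannot.
            return "segment and apply compensating controls now; patch at next maintenance window"
        if f.internet_exposed:
            return "patch now and remove from internet exposure"
        return "patch now"
    if f.cvss >= 9.0:
        return "patch this cycle (critical but not known exploited)"
    return "schedule in routine patching"


def triage(inventory: Iterable[Finding], kev: frozenset = KEV_SAMPLE) -> List[Tuple[str, str, str]]:
    """Return (asset, cve, action) tuples, highest priority first."""
    ranked = sorted(inventory, key=lambda f: priority_key(f, kev), reverse=True)
    return [(f.asset, f.cve, recommend(f, kev)) for f in ranked]


if __name__ == "__main__":
    for asset, cve, action in triage(INVENTORY):
        print(f"{asset:14} {cve:22} {action}")
```

Note that the two Cisco CVSS 10 flaws sort below the KEV-listed CVSS 9.8 Rockwell entry: the ranking is deliberately driven by evidence of exploitation, not by score alone.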

A House committee advances the online KIDS safety act amid controversy. 

The House Energy and Commerce Committee advanced the Kids Internet and Digital Safety (KIDS) Act in a party-line vote, triggering sharp debate over how aggressively Congress should regulate online platforms. Republicans say the bill would strengthen protections by empowering parents and requiring platforms to disable recommendation algorithms for minors by default.

Democrats criticized the measure as too weak, arguing it lacks a “duty of care” that would force companies to proactively mitigate online harms and includes a knowledge standard that could allow tech firms to avoid responsibility. They also warned that provisions preempting some state laws could undermine ongoing legal actions against companies such as Meta and Roblox.

The committee also advanced Sammy’s Law, which would alert parents to serious risks to children online, and the App Store Accountability Act, requiring parental consent for downloads by minors. Critics say the proposals could threaten privacy and free expression.

The FBI arrests a man alleged to have stolen millions in crypto from the U.S. Marshals Service. 

John Daghita was arrested in Saint Martin for allegedly stealing more than $46 million in seized cryptocurrency from the U.S. Marshals Service, according to the FBI. FBI Director Kash Patel said the arrest was carried out with assistance from France’s GIGN tactical police unit. Authorities described Daghita as a government contractor, though blockchain investigator ZachXBT claims he is the son of Dean Daghita, head of Command Services & Support (CMDSS), a contractor managing seized assets for the Marshals Service.

Investigators have not publicly explained how the cryptocurrency was transferred, but ZachXBT says the activity was uncovered after a dispute on Telegram revealed wallet addresses linked to Daghita. The funds may include cryptocurrency seized after the 2016 Bitfinex hack. Following the revelations, CMDSS removed its website and social media presence while authorities launched an investigation.


Wikimedia worm wreaks widespread wiki woes. 

The Wikimedia Foundation had a brief but lively security scare when a self-propagating JavaScript worm began rewriting user scripts and vandalizing pages on Meta-Wiki. Editors first noticed the chaos on Wikipedia’s Village Pump, as automated edits quietly slipped hidden loaders and oversized images onto random pages, a digital graffiti spree with surprisingly good uptime.

The culprit appears to be a dormant script, User:Ololoshka562/test.js, uploaded in 2024 and accidentally activated during a staff security review. Once executed, it behaved much like the mischievous worms of cybersecurity lore, echoing the propagation tricks of the Morris Worm in 1988 and the more flamboyant spread of Code Red and SQL Slammer decades later. The script copied itself into user and global JavaScript files, ensuring anyone loading the wiki might unknowingly help it travel further.

Engineers quickly locked down editing, reverted changes, and removed the code. The worm ran for about 23 minutes, altered roughly 4,000 pages, and infected around 85 user scripts. Cleanup is ongoing.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.