
Persistent threats in a shifting battlefield.
Iran’s cyber ops stay resilient. U.S. lawmakers press Big Tech on EU rules. Researchers expose a Fancy Bear server. Japan moves toward offensive cyber. CISA calls for cross-agency teamwork. New malware targets network infrastructure. AI fooled by font-based attacks. Schneider Electric warns of critical flaws. Quantum cryptography earns top honors. Guest Bradon Rogers, Chief Customer Officer at Island, discusses making AI browsers safe for enterprises. Smart glasses on the witness stand.
Today is Wednesday, March 18th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Iran’s cyber operations appear resilient and decentralized.
U.S. and Israeli strikes on Iran reportedly killed two individuals tied to state-backed cyber operations, but activity from affiliated hacking groups continues.
Among those killed were Mohammad Mehdi Farhadi Ramin, charged by the Justice Department in 2020 for hacking U.S. aerospace and defense firms, and Seyed Yahya Hosseiny Panjaki, an intelligence official linked by the FBI to cyberattacks and terror plots. Cybersecurity sources say Panjaki oversaw groups like Handala. Despite this, Handala claimed a major attack on medical device company Stryker, alleging large-scale data destruction. Stryker confirmed a Microsoft system compromise but said restoration is underway. Additional claims targeted Verifone, which reported no breach, while another MOIS-linked group disrupted Albania’s parliament email systems.
Iran’s cyber operations appear resilient and decentralized. Groups continue operating despite leadership losses, using tools like Starlink and possibly artificial intelligence. That suggests sustained cyber risk for Western organizations and allies, even amid kinetic conflict.
U.S. lawmakers demand records tied to enforcement of EU digital rules.
The House Judiciary Committee is pressing major tech firms to hand over communications with European Commission officials tied to enforcement of EU digital rules.
In letters to companies including Alphabet, Meta, Microsoft, TikTok, and X, Chairman Jim Jordan said firms must preserve and produce records under February subpoenas, including messages set to auto-delete. The request follows reports that EU officials, including Digital Services Act enforcer Prabhat Agrawal, shifted to encrypted messaging apps like Signal with disappearing messages. The committee alleges potential censorship under the EU’s Digital Services Act, while the Commission denies the claims and says it aims to reduce user risk.
The dispute highlights growing tension over platform regulation and data retention, with potential legal and compliance risks for global tech companies handling cross-border communications.
Researchers explore an exposed Fancy Bear server.
Researchers say an exposed server linked to Russia’s Fancy Bear revealed a broad espionage campaign targeting government and military webmail across Eastern Europe and the Balkans.
Building on Hunt.io’s March 11 analysis, Ctrl-Alt-Intel says it found a second open directory on the same server containing command-and-control code, payloads, telemetry logs, and exfiltrated data. The researchers report more than 2,800 stolen emails, 240 credential sets, 140 forwarding rules, and over 11,500 harvested contact addresses. Victims included entities in Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. The report also describes a previously unreported SquirrelMail cross-site scripting, or XSS, payload. According to the analysis, the same server had been tied to earlier CERT-UA reporting and remained active for more than 500 days.
The exposure shows both the reach and persistence of the operation. It also suggests that simple operational security failures can give defenders unusual insight into sophisticated state-linked tradecraft.
Japan signals a shift toward offensive cyber operations.
Japan will allow its Self-Defense Forces to conduct offensive cyber-operations beginning October 1, marking a notable shift in national security policy.
Chief Cabinet Secretary Minoru Kihara said the move reflects a worsening threat environment and the growing impact of cyberattacks on daily life and the economy. A government cyber-management committee will approve or reject operations. If authorized, police and the Self-Defense Forces can attack and disable infrastructure used in cyberattacks, with protections for citizen privacy.
This expands Japan’s interpretation of self-defense into cyberspace and signals a more proactive posture against digital threats.
A top CISA official urges cross-agency cooperation.
A senior CISA official says the U.S. government should take a more flexible approach when leading cybersecurity efforts across critical infrastructure sectors.
Speaking at an event hosted by Auburn University’s McCrary Institute, acting director Nick Andersen said rigid adherence to sector risk management agency roles can slow effective response. Instead, agencies should defer to whichever organization has the strongest relationship with affected operators, whether that is CISA, the Department of Energy, FBI, or others. Andersen pointed to past coordination challenges, including responses tied to Guam incidents linked by Microsoft to Volt Typhoon. Lawmakers have also questioned CISA’s capacity following telecom-focused activity attributed to another group, Salt Typhoon.
Effective incident response may depend less on formal roles and more on trusted partnerships, especially as threats grow in scale and complexity.
Researchers report emerging botnet and cryptomining malware exploiting routers and infrastructure at scale.
New malware samples highlight a growing trend of threat actors targeting network infrastructure to gain access and scale attacks.
Researchers at Eclypsium identified two previously undocumented strains. One, a CondiBot variant derived from the Mirai botnet, turns compromised Linux devices into distributed denial-of-service, or DDoS, nodes. The other, “Monaco,” brute-forces Secure Shell, or SSH, credentials to deploy cryptomining malware across servers, routers, and Internet of Things devices. The report says these tools are multi-architecture and not limited to specific vendors. Supporting data from Verizon and Google indicates a sharp rise in exploitation of network devices, often with little delay between vulnerability disclosure and attack.
Network infrastructure offers attackers persistent, low-visibility access and a foothold for broader compromise across enterprise environments.
A custom font technique can trick AI assistants into missing malicious instructions.
Researchers say a simple custom font technique can trick AI assistants into missing malicious instructions hidden in webpages.
LayerX demonstrated a proof-of-concept where harmless text appears in the underlying HTML, while browser-rendered content shows instructions leading to a reverse shell. The attack uses custom fonts and CSS to alter visible meaning without changing the Document Object Model, or DOM, that AI tools analyze. In testing, multiple assistants failed to detect the threat and judged the page safe. The technique requires no exploits or JavaScript and relies on a gap between what AI systems parse and what users see.
Attackers can exploit AI-assisted workflows for social engineering, potentially leading to harmful user actions or data exposure.
Schneider Electric issues a critical advisory for its SCADAPack products.
Schneider Electric has issued a critical advisory for a vulnerability affecting its SCADAPack remote terminal units and RemoteConnect software.
Tracked as CVE-2026-0667 with a CVSS score of 9.8, the flaw involves improper input validation in Modbus TCP communications. The company says attackers can exploit it with crafted network packets to execute arbitrary code with system-level privileges, or cause denial of service and data compromise. Affected products include all SCADAPack 57x devices, certain 47x and 47xi models, and older RemoteConnect versions. Schneider Electric urges immediate updates and recommends network segmentation and access controls where patching is delayed.
The Turing awards recognize quantum cryptography.
Charles Bennett and Gilles Brassard have been awarded the Turing Award for developing quantum cryptography, a breakthrough that could redefine how sensitive data is protected.
Their work in the 1980s introduced the BB84 protocol, which uses photons to generate encryption keys that reveal any interception attempt. Because measuring quantum particles changes their state, eavesdropping leaves detectable traces. The researchers later expanded into quantum teleportation, demonstrating secure data transfer using entanglement. At the time, these ideas were largely theoretical. Today, they are gaining traction as companies like Google and Microsoft advance quantum computing, which experts believe could break widely used encryption methods developed in the 1970s.
Experts say organizations may need to transition to quantum-resistant approaches. Quantum cryptography offers a model where security is rooted in physics, not computational difficulty, as the threat landscape evolves.
Smart glasses on the witness stand.
A UK insolvency case took an unexpected turn when a witness appeared to receive live coaching through smart glasses, then blamed the disruption on ChatGPT.
Judge Agnello KC said Laimonas Jakštys paused repeatedly during questioning, prompting suspicion from opposing counsel and even the court interpreter, who reported hearing voices. The situation became harder to ignore when a connected mobile phone began broadcasting a live voice mid-hearing. Call logs showed repeated contacts from a mysteriously named source, “abra kadabra,” which Jakštys described as a taxi driver. He denied any coaching and later suggested the audio may have come from ChatGPT.
The case highlights a growing challenge for courts: distinguishing credible testimony from tech-assisted improvisation, especially as consumer devices blur the line between memory and messaging.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.

