The CyberWire Daily Podcast 3.20.26
Ep 2513 | 3.20.26

Millions of devices still up for grabs.

Transcript

Feds take down major IoT botnets. The FBI seizes hacktivist infrastructure. A data breach hits Kaplan, while a hacker claims access to millions of law enforcement tips. Fake Zoom calls deliver malware. A crypto “security” tool turns out to be spyware. A critical AI framework flaw gets exploited in hours. An insider extortion case ends in conviction. And a streaming scam pulls in over $10 million. A look back at ten years of Cyberwire podcasts. Intern Kevin gets ready for RSAC. A cyberattack leaves breathalyzers offline.

Today is Friday March 20th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Feds disrupt four major IoT botnets. 

The US government has disrupted four major Internet of Things botnets tied to some of the largest distributed denial-of-service, or DDoS, attacks ever recorded, including traffic exceeding 30 terabits per second.

In coordination with Germany and Canada, the Department of Justice targeted the command-and-control infrastructure of the Aisuru, KimWolf, JackSkid, and Mossad botnets. These networks compromised more than three million devices, including routers and cameras. Officials link them to hundreds of thousands of attacks, some targeting Department of Defense systems, and to criminal services like DDoS-for-hire and extortion.

The operation removes active control of powerful botnets, but leaves millions of vulnerable devices still infected. That persistent exposure continues to fuel the cybercrime economy and enables rapid rebuilding of similar attack networks.

The FBI seizes websites used by the Handala hacktivist group. 

The FBI has seized two websites used by the Handala hacktivist group after a destructive cyberattack on Stryker wiped roughly 80,000 devices.

The domains were taken under a warrant from a US District Court in Maryland, with authorities stating they supported malicious cyber activity tied to a foreign state actor. Handala, described as an Iranian-linked group, reportedly compromised administrative accounts and used Microsoft Intune to issue device wipe commands across Windows and mobile systems. The attack impacted both corporate and employee-managed devices.

The action disrupts part of the group’s public infrastructure, but the scale of the attack highlights how enterprise device management tools can be abused for widespread damage. It also underscores ongoing risks from state-linked hacktivist activity targeting critical sectors.

Kaplan North America discloses a data breach. 

Kaplan North America, a provider of educational and professional training services, has disclosed a data breach affecting nearly 195,000 individuals, involving the theft of sensitive personal information from internal systems.

The intrusion occurred over three weeks between October and November 2025, with attackers accessing and exfiltrating files containing names, Social Security numbers, and driver’s license data. The company completed its investigation in February 2026 and began notifying affected individuals in March, offering credit monitoring and identity protection services.

The exposure of high-value identity data increases the risk of fraud and long-term identity theft. It also highlights the impact of prolonged unauthorized access before detection.

A hacker claims to have breached a U.S. law enforcement tip platform. 

A hacker claims to have breached a U.S. law enforcement tip platform, stealing data tied to more than eight million confidential reports.

The actor, calling themselves “Internet Yiff Machine,” alleges they accessed P3 Global Intel, part of Navigate360, and exfiltrated 93 gigabytes of data. The company says it is investigating a potential incident with third-party support. According to the hacker, access came through social engineering and a vulnerability. Reuters could not independently verify the claims, though another outlet reported limited corroboration of leaked data.

Tip platforms handle sensitive submissions tied to law enforcement and public safety. A breach could expose informants and undermine trust in reporting systems, if confirmed.

Attackers use fake Zoom calls to trick users into installing malicious software. 

Attackers are using a fake, interactive Zoom call to trick users into installing malicious software disguised as a routine update.

According to Sublime, the campaign uses AI-generated JavaScript to simulate a glitchy Zoom meeting, complete with clickable controls and audio issues. Victims arrive via phishing emails and are guided through a fake “security check” before being prompted to install a “Zoom update.” The downloaded file installs legitimate ScreenConnect remote monitoring and management software, giving attackers device access. Researchers say the attack can be easily customized for specific targets.

Realistic, interactive phishing lures lower user suspicion and increase compromise rates. The campaign also highlights how legitimate administrative tools can be abused for unauthorized access.

Researchers dismantle a malicious browser extension that posed as a crypto security tool.

Researchers have dismantled “ShieldGuard,” a malicious browser extension that posed as a crypto security tool but was designed to steal sensitive user data.

Okta Threat Intelligence reports the extension used social media promotion and token “airdrop” incentives to lure users. Once installed, it targeted platforms like Binance, Coinbase, and MetaMask, collecting account data, transaction histories, and browsing activity. The malware used obfuscation and a custom JavaScript interpreter to evade Chrome protections and dynamically execute code. Researchers also identified links to a broader campaign known as “Radex.”

Attackers are increasingly disguising malware as security tools, exploiting trust in the crypto ecosystem. The case also highlights the risks of browser extensions as a vector for large-scale data theft.

Threat actors rapidly exploited a critical Langflow vulnerability. 

Threat actors exploited a critical Langflow vulnerability within 20 hours of disclosure, building working attacks directly from the advisory description.

The flaw, CVE-2026-33017, is an unauthenticated remote code execution vulnerability with a CVSS score of 9.3. It allows arbitrary Python execution on exposed systems with a single request. Sysdig observed attackers scanning for targets, deploying custom scripts, and harvesting credentials, including API keys and database access. No public proof-of-concept code was available at the time.

Exploitation timelines are shrinking faster than patch cycles. Organizations often take weeks to remediate, leaving a wide exposure window as attackers rapidly weaponize newly disclosed flaws.

A North Carolina contractor has been found guilty of extortion using sensitive data he accessed during his employment.

A North Carolina contractor has been found guilty of extorting a technology company using sensitive data he accessed during his employment.

According to the Justice Department, Cameron Curry exploited his role as a data analyst to steal payroll and employee information from Brightly Software. After his contract ended in December 2023, he sent more than 60 extortion emails demanding $2.5 million, threatening to leak personal and compensation data. The company ultimately paid a smaller amount in Bitcoin before reporting the incident. Authorities later seized evidence from Curry’s residence.

It’s a reminder that insider threats remain a significant risk, especially when employees retain access to sensitive systems. It also highlights how stolen corporate data can be weaponized for extortion.

Streaming fraud generates over $10 million in illicit royalties. 

A North Carolina musician has pleaded guilty to orchestrating a large-scale streaming fraud that generated over $10 million in illicit royalties.

According to court documents, Michael Smith used AI-generated music and automated bot accounts to inflate streaming numbers across platforms including Spotify, Apple Music, Amazon Music, and YouTube Music. Prosecutors say the scheme ran from 2017 to 2024, using VPNs and hundreds of thousands of tracks to evade detection. At its peak, over 1,000 bots streamed billions of plays, diverting royalties from legitimate artists. Smith has agreed to forfeit more than $8 million.

AI and automation are lowering barriers for fraud at scale, challenging detection systems and undermining trust in digital revenue models.

A cyberattack leaves breathalyzers offline. 

A cyberattack on Intoxalock has left thousands of court-mandated drivers unable to start their cars, turning a safety device into an unexpected immobilizer.

The company says attackers flooded its servers, disrupting systems that support breathalyzer-equipped ignition interlock devices across Maine and 45 other states. These devices require drivers to pass a breath test before starting their vehicles. Since the outage began, some users have remained locked out entirely, with installations, calibrations, and account access also affected. Intoxalock says data remains secure and services are being restored, with temporary extensions offered to customers.

A single point of failure can sideline critical compliance systems at scale. It also shows how cyber incidents can ripple into everyday life, sometimes with inconvenient consequences. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Check us out at RSAC 2026: 

Monday: 

  • Innovation Sandbox 

  • CyberTacos panel with fellow N2K CyberWire hosts: David Moulton from Palo Alto Networks Threat Vector and Caleb Tolin from Rubrik’s Data Security Decoded podcasts

Tuesday: 

  • Palo Alto Networks Unit 42 Drown Out the Noise reception 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.