The CyberWire Daily Podcast 3.24.26
Ep 2515 | 3.24.26

Reports from RSAC and beyond.

Transcript

RSAC spotlights public-private partnership gaps. DarkSword leaks to GitHub. The FCC blocks new foreign-made routers. Citrix patches a critical NetScaler flaw. DOE rolls out an energy-sector cyber strategy. CanisterWorm spreads through npm. Researchers flag suspected KACE SMA exploitation. QualDerm reports a 3.1-million-record breach. A Russian access broker gets 81 months. Intern Kevin checks in from RSAC. Maria Varmazis speaks with Jake Braun, longtime DEF CON organizer and former White House official about the DEF CON 33 Hackers' Almanack. Slow down, you vibe too fast.

Today is Tuesday March 24th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

RSAC highlights the challenges of public-private partnerships.

At RSAC 2026, panelists highlighted persistent gaps in real-time information sharing between government and private industry, using the cybercrime group Scattered Spider as a case study. Former FBI cyber official Dave Scott recalled that officials once proposed a joint coordination cell to exchange intelligence with private partners in real time, but legal and approval barriers prevented it. Years later, phone-based social engineering has become the second most common initial access method and the leading tactic for cloud intrusions, underscoring the missed opportunity.

A panel originally focused on China’s Volt and Salt Typhoon campaigns proceeded without FBI or NSA participation, leaving an empty chair onstage and reinforcing concerns about public-private coordination. Speakers stressed that private companies often detect activity first because attacks frequently target privately operated infrastructure. They argued that timely intelligence sharing, especially as AI accelerates threat activity, is increasingly critical. Still, the absence of government voices at a major security forum signaled lingering coordination challenges. 

DarkSword leaks to GitHub. 

A newer version of the DarkSword iPhone spyware toolkit has been leaked to GitHub, raising concerns that attackers can easily target devices running outdated Apple operating systems. Researchers at iVerify warned the tool requires little technical expertise to deploy and can exfiltrate contacts, messages, call history, and keychain data from vulnerable devices. A security hobbyist reported successfully exploiting an iPad mini running iOS 18 using circulating samples. Apple said updated devices are not affected and issued emergency patches for older systems unable to run newer versions. Researchers estimate hundreds of millions of devices may remain exposed. The leak follows earlier reporting that DarkSword infrastructure was linked to activity attributed to Russian government hackers targeting Ukrainian users.

The FCC bans approval of foreign-made routers.

The Federal Communications Commission (FCC) has added all foreign-made consumer routers to its Covered List under the Secure Networks Act, citing national security risks tied to supply-chain exposure. The move blocks approval of new models but does not affect existing authorized devices already in use or on the market. The decision follows an executive-branch assessment aligned with National Security Strategy priorities to reduce dependence on foreign infrastructure components.

Officials argue routers have been exploited in campaigns such as Volt Typhoon, Flax Typhoon, and Salt Typhoon. Critics note most routers, including those from Cisco and Netgear, are manufactured abroad, leaving few domestic alternatives beyond the Starlink Wi‑Fi router. The policy may pressure vendors to shift production to the United States, though exemptions remain available through national security review.

Citrix patches a critical NetScaler ADC and NetScaler Gateway flaw. 

Citrix has released patches for a critical NetScaler ADC and NetScaler Gateway flaw, tracked as CVE-2026-3055 (CVSS 9.3), affecting deployments configured as Security Assertion Markup Language (SAML) Identity Providers. The bug allows potential sensitive memory disclosure and could be exploited by unauthenticated attackers. A second issue, CVE-2026-4368, may cause user session mix-ups. No active exploitation is confirmed, but researchers warn attacks are likely once exploit code appears. Because SAML configurations are common in single sign-on environments, organizations are urged to patch immediately.

The DOE releases its strategy to strengthen cybersecurity across the nation’s energy infrastructure. 

The U.S. Department of Energy has released its first comprehensive five-year strategy to strengthen cybersecurity across the nation’s energy infrastructure, translating White House priorities into operational guidance. Developed by the Office of Cybersecurity, Energy Security and Emergency Response (CESER), the plan focuses on three pillars: advancing cybersecurity technologies for operational technology environments, hardening grid and supply-chain infrastructure, and improving incident response and recovery coordination.

Officials say the strategy clarifies DOE’s role as sector risk manager and emphasizes a resilience-first approach. However, analysts warn execution risks remain, citing reduced funding and reliance on partners such as the Cybersecurity and Infrastructure Security Agency (CISA), which has lost staffing capacity. The plan promotes voluntary security practices and highlights persistent capability gaps among smaller utilities.

CanisterWorm seeds malicious code into npm packages. 

A malware campaign dubbed CanisterWorm is rapidly spreading through developer ecosystems after attackers seeded malicious code into more than 45 npm packages. Researchers at Aikido Security link the activity to stolen credentials from an earlier compromise of Aqua Security’s Trivy scanner, enabling attackers to hijack maintainer accounts and publish infected updates within minutes. The worm steals authentication tokens and SSH keys to propagate across systems and distribute additional malicious packages.

The campaign uses a decentralized command system hosted on the Internet Computer Protocol blockchain, complicating disruption efforts. Behavior varies by environment: on Kubernetes networks in Iran, it deploys destructive wiping malware, while elsewhere it installs a backdoor. Researchers warn the attack demonstrates rapid supply-chain propagation and unusually resilient command infrastructure.

Researchers suspect exploitation of a Quest Software KACE SMA vulnerability. 

Arctic Wolf observed suspected exploitation of CVE-2025-32975 in publicly exposed Quest Software KACE Systems Management Appliance (SMA) instances beginning March 9, 2026. The critical authentication bypass flaw enables attackers to impersonate users and gain full administrative control. Observed activity included remote command execution, credential harvesting with Mimikatz, creation of admin accounts, and lateral movement into backup systems and domain controllers. No public proof-of-concept is known. Defenders are urged to patch affected versions and remove internet exposure of SMA appliances.

A healthcare management firm suffers a data breach affecting 3.1 million individuals. 

Healthcare management firm QualDerm Partners is notifying more than 3.1 million individuals that personal, medical, and insurance data was stolen during a December 2025 network intrusion lasting two days. Exposed information includes names, contact details, medical records, diagnoses, insurance data, and, in some cases, government ID numbers. The incident was reported to the U.S. Department of Health and Human Services breach portal. The company says it contained the activity, notified authorities, and is offering 12 months of identity theft and credit monitoring services while its investigation continues.

A Russian initial access broker gets 81 months in prison. 

Aleksei Volkov, a Russian initial access broker linked to the Yanluowang ransomware gang, has been sentenced to 81 months in prison for helping breach U.S. organizations and enable ransomware attacks. Prosecutors said Volkov identified network vulnerabilities and sold access to co-conspirators, who deployed ransomware against banks, telecommunications providers, and engineering firms across multiple states. The campaign caused more than $9 million in losses and involved ransom demands exceeding $24 million. Volkov was arrested in Rome and extradited to the United States, where he pleaded guilty in federal cases in Indiana and Pennsylvania. Investigators also found he communicated with members of the LockBit ransomware group. As part of sentencing, he agreed to pay restitution and forfeit equipment used in the attacks.

Intern Kevin gets ready.

Kevin Magee is Global Director of Cybersecurity Startups at Microsoft, but this week at RSAC he is better known as Intern Kevin.


Slow down, you vibe too fast. 

Artist Sam Lavigne has devised a modestly mischievous solution for anyone worried that friends, students, or coworkers are outsourcing their inner lives to chatbots: make the bots unbearably slow. According to 404 Media, his tool, “Slow LLM,” quietly stretches response times from systems like ChatGPT and Claude by tampering with a browser data-retrieval function, creating the impression that the machines themselves have suddenly lost enthusiasm for helping.

Lavigne says the idea came after watching people rely on generative tools for tasks once handled by their own brains. The project can run as a browser extension or, more boldly, as a network-wide DNS tweak that spreads the gift of patience to entire households or offices. He frames the effort as restoring “friction” to learning and creativity, though he admits using Claude to help write the code, at least until his own tool slowed it down. The goal is not prohibition, but reflection, preferably after a long wait.


For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.