The CyberWire Daily Podcast 3.26.26
Ep 2517 | 3.26.26

Wrapping RSAC 2026 up with a bow.

Transcript

RSAC wraps. CISA warns shutdown furloughs are weakening cyber defenses. China-linked actors burrow into global telecom infrastructure. Iran’s Pay2Key resurfaces. India probes suspected Pakistan-linked CCTV spying. Florida suspends a firm over offshore medical data exposure. Cisco patches fresh flaws. Russian police arrest the alleged LeakBase operator. Intern Kevin files his latest man-on-the-street report. Google gets grabby with your homepage.

Today is Thursday, March 26th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

RSAC winds down. 

As RSAC 2026 winds down here in San Francisco, we want to take a moment to say thanks. It’s been a busy week of conversations, interviews, hallway run-ins, and late-night events, and we’re grateful to everyone who took the time to connect with us along the way.

And a special thank-you to our teammates back home, who kept everything running smoothly while much of the crew was on the road. Conferences bring energy and opportunity, but they also bring a little extra chaos. We appreciate the teamwork that makes it all possible.

We’re glad you’re with us. 

Experts warn artificial intelligence agents are rapidly reshaping cyber risk, but defenders still lack a clear threat model for how to counter them.

At the RSAC Conference Cryptographers’ Panel, researchers said AI agents can already identify zero-day vulnerabilities in open-source software and may soon generate most new code. Panelists also warned large language models enable personalized spear-phishing, rapid exploit use after disclosure, and large-scale traffic analysis, though no new cryptographic weaknesses have yet been found.

Defenders face faster automated attacks and unclear assumptions about cryptographic safety, while patching delays and expanding agent access to sensitive data increase organizational exposure across environments, according to panelists’ assessments of current risks and emerging operational realities.

Former National Security Agency leaders say the threshold for a US military response to cyberattacks remains undefined, and ultimately rests with the president.

At the RSA Conference, retired General Paul Nakasone said the decision to respond kinetically, meaning with physical force such as missile strikes, should remain flexible. Former NSA director Admiral Mike Rogers argued instead for clearer criteria, including loss of life or damage to critical infrastructure. Panelists noted destructive incidents like North Korea’s Sony Pictures attack helped shape earlier debates, but no consensus red line emerged.

This matters because uncertainty about response thresholds complicates deterrence strategy, while officials also warned the US is falling behind adversaries amid persistent intrusions, ransomware growth, and workforce strain across government cyber defense efforts.

RSAC CEO Jen Easterly says cybersecurity has reached an inflection point where artificial intelligence is now inseparable from modern cyber defense and operations.

Speaking with The Register at the RSA Conference, Easterly said AI is already enabling stronger code development, vulnerability detection, and legacy system modernization at scale. She warned threat actors are using AI for highly personalized phishing, but said she has not yet observed entirely new cyber risks emerging from the technology. Her first conference as CEO drew about 43,000 attendees, though federal agencies including the FBI, NSA, and CISA were absent from panels.

Easterly argues AI could significantly reduce cyber risk and improve software quality, while stronger public-private collaboration remains essential as most critical infrastructure stays privately operated and global participation shapes security outcomes.

CISA’s acting director warns Congress shutdowns have forced his agency into a reactive posture.

CISA’s acting director warns a Department of Homeland Security shutdown is weakening federal cyber defenses as most agency staff remain furloughed.

Acting Director Nick Andersen told the House Homeland Security Committee that about 60 percent of CISA’s workforce is sidelined, forcing the agency into a reactive posture. Core services continue, including its 24/7 operations center and incident information sharing, but proactive programs, industry coordination, incident response capacity, and cyber policy work such as incident reporting rules have slowed or paused.

Andersen warned reduced coordination and delayed directives create openings for adversaries targeting critical infrastructure, while staffing shortages and retention losses could further erode long-term national cyber readiness if disruptions continue.

A China-linked threat actor has implanted stealth backdoors deep inside global telecommunications backbone infrastructure. 

Rapid7 reports a China-linked threat actor has implanted stealth backdoors deep inside global telecommunications backbone infrastructure to enable long-term espionage access.

Researchers observed passive backdoors and kernel-level implants, including the Linux-based BPFdoor, short for Berkeley Packet Filter door, alongside credential harvesters and command frameworks such as CrossC2 and TinyShell. Attackers gained entry through public-facing applications and valid accounts, targeting Ivanti, Cisco, Fortinet, VMware, Palo Alto Networks, and Apache Struts systems. Newer BPFdoor variants use encrypted HTTPS triggers and packet-level filtering to evade detection.

Rapid7 says the campaign focuses on underlying telecom platforms rather than individual servers, creating persistent access layers inside critical communications infrastructure that could support long-duration intelligence collection against government and network environments.

The Iran-linked Pay2Key ransomware group has returned. 

Researchers warn the Iran-linked Pay2Key ransomware group has returned with enhanced evasion, execution, and anti-forensics capabilities following renewed US-Iran tensions.

According to Halcyon and Beazley Security, a recent attack on a US healthcare provider showed attackers using TeamViewer for access, credential harvesting tools including Mimikatz and LaZagne, and Active Directory utilities for lateral movement. The group deployed ransomware via a self-extracting archive and encrypted infrastructure within three hours.

Faster execution and anti-forensics techniques may reduce defenders’ response windows and complicate investigations into destructive ransomware activity tied to state-aligned actors.

Indian authorities fear Pakistani infiltration of CCTV cameras. 

Indian authorities have ordered a nationwide audit of CCTV systems after police uncovered cameras allegedly installed by Pakistan-backed operatives near rail stations and other infrastructure.

According to Indian media reports, suspects recruited locally deployed solar-powered cameras that streamed footage over cellular networks, possibly using stolen SIM-linked accounts. Officials warned the case highlights limits in device registration controls and concerns that insecure internet-connected cameras could enable broader surveillance activity.

Potential compromise of widely deployed CCTV systems raises risks to critical infrastructure visibility and national security monitoring.

Florida regulators crack down on illegal offshoring of medical data. 

Florida regulators suspended Mirra Health after finding the firm unlawfully offshored sensitive Medicare enrollee data to companies in India and the Philippines without authorization.

The Florida Office of Insurance Regulation said more than 23,000 Medicare Advantage beneficiaries were affected, including patients in chronic condition special needs plans. Officials warned the company failed to obtain required approvals before delegating services and exposed vulnerable residents’ protected health information to unlicensed offshore entities.

Improper handling of regulated health data can increase breach risk and trigger compliance exposure for organizations responsible for safeguarding patient information, even when services are outsourced internationally.

Cisco patches multiple vulnerabilities. 

Cisco released patches for multiple IOS and IOS XE vulnerabilities, including flaws that attackers could chain to trigger persistent denial-of-service conditions on network switches.

The updates address a dozen high- and medium-severity issues. Four publicly disclosed defects affect Catalyst 9300 Series switches, where attackers could combine two flaws to escalate privileges and force maintenance mode requiring physical access to recover. Cisco said none of the vulnerabilities have been exploited in the wild.

Russian authorities arrest the suspected operator of the LeakBase cybercrime forum. 

Russian authorities arrested a suspect believed to have operated the LeakBase cybercrime forum, weeks after an international law enforcement operation dismantled the platform.

According to Russia’s Interior Ministry and state news agency TASS, the Taganrog resident allegedly created and administered LeakBase, a forum with more than 142,000 users trading stolen data, exploits, and hacking services after Breached shut down in 2023. The FBI and partners in 14 countries seized the site in March during Operation Leak, conducting roughly 100 enforcement actions worldwide and targeting dozens of active users.

Investigators say seized forum databases, including private messages and IP logs, may support further cybercrime prosecutions and disrupt remaining marketplace activity tied to stolen data ecosystems.

Intern Kevin returns to the floor at RSAC 2026. 

Google gets grabby with your homepage. 

A newly granted Google patent describes a system that could replace your company’s landing page with an AI-generated version tailored to each individual user, sometimes before they ever see what you built.

The patent outlines a process where Google evaluates a page using signals such as conversion rate, bounce rate, and design quality. If the page scores too low, search results may instead link to a dynamically assembled alternative built from the user’s query, history, account context, and extracted site content. In some cases, that link could even appear inside sponsored results, though billing details remain unclear.

The patent suggests websites could shift from destinations to raw material for AI assembly, extending a trend where search features increasingly mediate how users experience brands, sometimes with Google politely redecorating the lobby.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.