
War comes for the cloud.
Cloud data centers come under fire in wartime. A massive dark web intelligence database is exposed. Chinese hackers exploit a video conferencing zero-day. The intelligence community rolls out cyber modernization plans. React2Shell attacks spread at scale. Iowa sues UnitedHealth over the Change Healthcare breach. France moves to bar kids from social media. Researchers warn about hidden risks in power regulation. An insider extortion plot locks admins out of hundreds of servers. Our guest Brandon Karpf, friend of the show, with insights on the war in Iran. Espresso exploit exposes executive emails.
Today is Friday, April 3rd, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Commercial cloud infrastructure becomes a wartime target.
Recent Iranian strikes on telecom and cloud-linked facilities in Bahrain and a claimed attack on an Oracle data center in the United Arab Emirates signal a shift in modern conflict: commercial cloud infrastructure is becoming a wartime target. Earlier drone attacks in March 2026 hit multiple AWS facilities across the region, disrupting banking, payments, and government services, reinforcing what analysts describe as a clear pattern rather than isolated incidents.
Iranian sources framed the strikes as responses to alleged U.S. military and intelligence use of these platforms, highlighting the growing “dual-use” nature of commercial data centers. This raises serious risks for enterprises that depend on regional cloud availability.
At the same time, threats to submarine cables and maritime chokepoints such as the Strait of Hormuz increase the possibility of wider global connectivity disruptions. For CIOs, the takeaway is clear: geopolitical risk must now factor into infrastructure planning, including multi-region redundancy, war-scenario continuity testing, and closer scrutiny of cloud service contracts.
Researchers uncover an Elastic database full of dark web threat intelligence.
Researchers at UpGuard discovered a publicly accessible Elastic database in March 2026 containing nearly a terabyte of dark web and Telegram threat intelligence, apparently tailored to Chinese state interests. The dataset tracked breach victims, data brokers, journalists, social media groups, Telegram channels, and Tor marketplaces, with annotations such as “China-related,” “US-related,” and “counter-revolutionary speech.” It included roughly one billion breach records and monitoring of thousands of underground sources. The exposure highlights how China, despite its advanced offensive cyber campaigns such as Salt Typhoon and Volt Typhoon, relies on threat intelligence methods similar to Western defenders. It also reflects a broader shift toward pre-positioning in critical infrastructure and AI-assisted cyber operations. Overall, the leak illustrates how large-scale surveillance-style threat intelligence systems are now central to both national cyber defense and geopolitical competition.
Chinese hackers exploit a video conferencing zero-day.
Chinese hackers exploited a zero-day vulnerability, CVE-2026-3502, in TrueConf video conferencing software to target government entities in Asia, according to Check Point. The flaw stems from the client’s failure to verify update integrity when retrieving packages from on-premises servers. Attackers compromised a government-operated TrueConf server, replaced legitimate updates with malicious ones, and distributed them to dozens of agencies through the trusted update process. The implanted malware enabled reconnaissance, persistence, lateral movement preparation, and communication with infrastructure linked to the Havoc post-exploitation framework. Because TrueConf is widely used in isolated government and critical infrastructure environments, the attack leveraged centralized trust rather than endpoint compromise. TrueConf patched the issue in version 8.5.3, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate it by April 16.
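The TrueConf item turns on one missing control: the client accepted whatever package the on-premises update server handed back. The following Go program is an added illustration, not TrueConf's code or Check Point's analysis, of what the missing check looks like when it is present. The vendor signs a small manifest (version plus SHA-256 of the package) with an offline Ed25519 key; the client carries only the pinned public key and treats manifest, signature and package as untrusted until both the signature and the hash verify. The key pair, version string and payloads are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest describes one update package. The vendor signs it offline; the
// on-premises relay server only forwards it and never holds the signing key.
type Manifest struct {
	Version string
	SHA256  string // hex digest of the package bytes
}

// bytesToSign fixes the exact byte layout the signature covers, so that a
// re-encoded manifest cannot be substituted for the signed one.
func (m Manifest) bytesToSign() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

// SignManifest is the vendor-side step: hash the package and sign the manifest.
func SignManifest(priv ed25519.PrivateKey, version string, pkg []byte) (Manifest, []byte) {
	sum := sha256.Sum256(pkg)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.bytesToSign())
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned vendor key")
	ErrHashMismatch = errors.New("package hash does not match signed manifest")
)

// VerifyUpdate is the client-side check. pinnedPub ships inside the client;
// everything else arrives from the relay server. Signature first, then hash,
// so a tampered manifest is rejected before the package is even hashed.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pinnedPub, m.bytesToSign(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// UnverifiedInstall models the vulnerable pattern the story describes: a
// client that installs whatever the update server returns, as long as it
// looks like a package at all.
func UnverifiedInstall(pkg []byte) error {
	if len(pkg) == 0 {
		return errors.New("empty package")
	}
	return nil
}

func main() {
	// Constructed vendor key pair; in practice the private half lives offline.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed sample: genuine update payload")
	m, sig := SignManifest(priv, "9.9.9-sample", genuine)
	fmt.Println("genuine package, verifying client:   ", VerifyUpdate(pub, m, sig, genuine))

	// A compromised relay swaps the package but cannot re-sign the manifest.
	tampered := []byte("constructed sample: trojanized update payload")
	fmt.Println("swapped package, verifying client:   ", VerifyUpdate(pub, m, sig, tampered))
	fmt.Println("swapped package, unverified client:  ", UnverifiedInstall(tampered))

	// The relay also rewrites the manifest to match, signing with its own key;
	// the client's pinned vendor key still rejects it.
	_, relayPriv, _ := ed25519.GenerateKey(rand.Reader)
	m2, sig2 := SignManifest(relayPriv, "9.9.9-sample", tampered)
	fmt.Println("forged manifest, verifying client:   ", VerifyUpdate(pub, m2, sig2, tampered))
}
```

The design point is that trust is anchored in a key the on-premises server never possesses, so compromising that server yields only the ability to withhold updates, not to substitute them. A real client would additionally reject manifests whose version is lower than the installed one, to close the downgrade path the same relay could otherwise use.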
ODNI announces cyber modernization efforts.
The Office of the Director of National Intelligence (ODNI) announced new cybersecurity and technology modernization measures after a year-long effort across the U.S. intelligence community. The initiatives include policy standards for applying artificial intelligence to cyber defense, expanded automation of threat hunting across intelligence networks, and development of a zero-trust strategy focused on protecting data regardless of location. ODNI also created a shared repository of cybersecurity-reviewed applications to reduce duplication of testing and speed deployment across agencies. The National Counterintelligence and Security Center was directed to counter foreign intelligence cyber threats more proactively. The effort aligns with broader national cyber strategy goals to strengthen federal network defenses and advance defensive AI capabilities. The announcement marks the first major cybersecurity update under Director of National Intelligence Tulsi Gabbard during the second Trump administration.
Threat actors use React2Shell at scale.
Cisco Talos researchers warn that threat actor UAT-10608 is exploiting CVE-2025-55182, a critical React vulnerability known as React2Shell, to compromise vulnerable Next.js applications at scale. Using automated scanning, the attackers gained remote code execution and deployed scripts with the Nexus Listener framework to harvest credentials, cloud tokens, SSH keys, and environment secrets. Talos observed at least 766 compromised systems and over 10,000 stolen files within 24 hours. The campaign targets publicly exposed deployments indiscriminately, and researchers advise organizations to rotate all exposed credentials immediately to reduce risks of lateral movement, supply chain compromise, and further intrusion.
Iowa’s Attorney General sues UnitedHealth over a 2024 ransomware attack.
Iowa Attorney General Brenna Bird has sued UnitedHealth Group and its Optum and Change Healthcare units over the 2024 ransomware attack that disrupted healthcare operations and exposed data from nearly 193 million people nationwide, including 2.2 million Iowans. The lawsuit alleges violations of Iowa consumer protection laws, breach notification requirements, and HIPAA-related obligations, and seeks civil penalties, damages, and mandated security improvements. Officials say attackers remained undetected for 10 days, stealing Social Security numbers, medical records, and insurance data while crippling claims processing across the state. The BlackCat ransomware incident halted insurance transactions and imposed significant costs on providers. UnitedHealth disputes the claims. Additional state lawsuits and a federal investigation by the Department of Health and Human Services remain possible.
French lawmakers approve a kids’ social media ban.
France’s Senate has approved legislation to ban social media access for children under age 15, advancing a proposal that could make France the first European country to adopt restrictions similar to Australia’s approach. The bill would classify platforms by risk level, imposing outright bans on those deemed harmful to minors while allowing limited access to others with parental consent. Educational platforms would be exempt. The measure reflects a broader European trend, as the European Union, Spain, the Netherlands, and the United Kingdom consider similar age restrictions and verification requirements aimed at strengthening online protections for children.
Researchers highlight dependencies on DC power regulation.
DC power regulation underpins modern digital infrastructure but has evolved from a simple voltage-stabilization function into a critical cybersecurity dependency. As described in the NCC Group report “The silent dependency: DC power regulation in cyber-physical security,” regulators now rely on embedded firmware, digital control, and network connectivity, making them part of the cyber-physical attack surface rather than passive electrical components. Compromise at this layer can manipulate voltage, disrupt availability, corrupt data, or trigger cascading failures across data centers, industrial systems, and telecommunications environments.
Modern risks include insecure firmware updates, supply-chain exposure, lateral movement through management networks, and physical fault-injection techniques such as voltage glitching. The report recommends treating power regulation as a security architecture component, with secure boot, segmentation, telemetry monitoring, and supplier verification. As AI-assisted power management and IT-OT convergence increase complexity, securing power infrastructure becomes essential to maintaining system resilience and trust.
A former infrastructure engineer admits to an attempted extortion scheme.
A former infrastructure engineer has pleaded guilty to sabotaging his employer’s network in an attempted extortion scheme that locked administrators out of hundreds of systems. Prosecutors say Daniel Rhyne used unauthorized access to a Windows domain controller in November 2023 to delete admin accounts, reset passwords across more than 300 user accounts, and target credentials affecting 254 servers and over 3,000 workstations. He also scheduled server shutdowns and sent ransom emails claiming backups were deleted, demanding 20 bitcoin to halt further disruption. Investigators later found he researched methods for clearing logs and modifying administrator credentials before the attack. The incident highlights the risks posed by insider threats with privileged access. Rhyne faces hacking and extortion charges carrying a maximum sentence of 15 years in prison.
Espresso exploit exposes executive emails.
In a cautionary tale for defenders everywhere, a digital forensics investigator discovered that a company’s mysterious data breach was not the work of elite hackers, but of a chatty office coffee machine. According to The Register, executives initially suspected corporate espionage. Investigators instead found an internet-connected espresso maker quietly exfiltrating sensitive data abroad every time someone brewed a cup. The device sat comfortably inside the secure network, protected by a default password, an outdated operating system, and apparently unlimited trust.
The awkward briefing that followed informed leadership their security posture had been undone by cappuccino.
Experts note such incidents are not rare. Connected devices often lack monitoring and basic safeguards, making them convenient entry points. The lesson is simple: change default passwords, segment networks, and remember that in modern environments, even the break room may be part of your attack surface.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
