The CyberWire Daily Podcast 4.9.26
Ep 2527 | 4.9.26

Hackers ignore the ceasefire.

Transcript

Iran-linked hackers signal cyberattacks will continue despite the cease-fire. Microsoft restores access after suspending open-source developer accounts. John Deere settles its right-to-repair fight. A suspected Adobe Reader zero-day surfaces. Palo Alto Networks and SonicWall patch high-severity flaws. New macOS malware targets crypto wallets. A threat cluster abuses live chat to bypass MFA. CISA orders urgent Ivanti patching. Researchers track a stealthy DDoS-for-hire botnet. Our guest is Edgard Capdevielle, CEO of Nozomi Networks, sharing insights on threats posed by nation-states and AI on OT security. macOS has a 49 day time limit.

Today is Thursday, April 9th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The fragile cease-fire in Iran won’t slow hacking groups. 

Pro-Iranian hacker groups say a fragile ceasefire involving Iran, the United States, and Israel will not stop their cyber operations, warning that digital retaliation will continue despite reduced military tensions. One group, Handala, said it is pausing attacks on U.S. targets for now but will keep targeting Israel and may resume operations against America later. 

U.S. authorities also warned that Iran-aligned hackers have already infiltrated programmable logic controllers used in critical infrastructure such as ports, power plants, and water systems. Security agencies urged organizations to strengthen defenses immediately. Experts caution that cyber activity may actually increase during a ceasefire, as threat actors shift attention toward U.S. companies connected to the war effort, including data centers and defense contractors.

So far, many attacks appear more symbolic than destructive, but analysts warn they still highlight persistent vulnerabilities and the growing role of cyber operations as a lasting feature of modern conflict.

Microsoft promises better communications after shutting down several open-source developer accounts. 

Microsoft suspended developer accounts used to maintain several widely used open-source Windows projects, temporarily preventing them from publishing updates and security patches. Affected software included WireGuard, VeraCrypt, MemTest86, and Windscribe. Developers said they received no warning or clear explanation and were unable to reach human support, raising concerns about delayed responses to potential security vulnerabilities affecting Windows users.

After public reporting, Microsoft said the suspensions resulted from missed mandatory account verification requirements in the Windows Hardware Program, which partners had been notified about since October 2025. Accounts that failed verification within 30 days were automatically suspended.

Microsoft executives later acknowledged communication gaps and said the company is reviewing its notification process. Some accounts began moving toward reinstatement after media attention prompted direct outreach from Microsoft leadership.

John Deere settles its long-running right-to-repair dispute. 

Farmers reached a landmark settlement with John Deere in a long-running right-to-repair dispute, securing $99 million for plaintiffs who paid authorized dealers for major equipment repairs since 2018. Court documents indicate participants may recover 26% to 53% of alleged overcharge damages, well above typical class-action recoveries. The agreement also requires Deere to provide digital tools needed for maintenance, diagnostics, and repairs on tractors and combines for 10 years, addressing long-standing restrictions that previously forced some farmers to modify equipment software themselves. The settlement still requires judicial approval. Deere also continues to face a separate lawsuit from the Federal Trade Commission, which alleges the company unlawfully restricted repair access, a case that could influence broader right-to-repair efforts across multiple industries.

A researcher reports a likely zero-day in Adobe Reader. 

Researcher Haifei Li reports a likely actively exploited zero-day in Adobe Reader after detecting a malicious PDF through his Expmon sandbox system. The file can collect system data and may enable remote code execution and sandbox escape, though the full attack chain remains unconfirmed. Evidence suggests exploitation may have been ongoing for at least four months, with some samples using Russian-language lures tied to oil and gas topics. Adobe is reviewing the findings after receiving disclosure details in early April.

Palo Alto Networks and SonicWall patch multiple vulnerabilities. 

Palo Alto Networks and SonicWall released patches for multiple vulnerabilities, including two high-severity flaws affecting enterprise security platforms. Palo Alto Networks fixed CVE-2026-0234 in Cortex XSOAR and XSIAM integrations with Microsoft Teams, which could allow attackers to tamper with protected resources, along with additional Windows agent and Chromium-related issues. SonicWall addressed CVE-2026-4112 in SMA1000 firewalls, which could enable privilege escalation, plus flaws exposing VPN credentials or bypassing authentication. Neither company reports active exploitation but urges prompt updates.

New macOS malware targets high-value cryptocurrency accounts. 

Cybersecurity researchers at Moonlock Lab identified notnullOSX, a new macOS malware strain designed to steal cryptocurrency from high-value victims with balances above $10,000. First detected March 30, 2026, activity has been observed in Vietnam, Taiwan, and Spain. The malware uses social engineering, including fake Google Docs errors and a trojanized WallSpace app, to trick users into running malicious Terminal commands and granting Full Disk Access. It can read sensitive data and maintain persistent remote control. A feature called ReplaceApp swaps legitimate wallet tools such as Ledger Live and Trezor with malicious versions to capture seed phrases. Researchers attribute the platform to a developer known as 0xFFF, and warn its modular design could support broader future targeting.

A new threat cluster abuses live chat to bypass MFA and steal corporate data. 

Google Threat Intelligence Group researchers warn that a financially motivated threat cluster tracked as UNC6783 is targeting business process outsourcers and large enterprises through helpdesk and live chat social engineering to enable data theft and extortion. Principal analyst Austin Larsen said attackers direct employees to spoofed Okta login pages using deceptive Zendesk-style domains that capture credentials and clipboard-based multi-factor authentication data, allowing persistent access. The group also distributes fake security updates that install remote-access malware and later sends ransom notes via Proton Mail after exfiltration. Researchers say the tactics resemble earlier helpdesk-focused extortion campaigns and urge organizations to deploy phishing-resistant authentication, monitor chat channels, and audit newly enrolled MFA devices.

Researchers uncover a stealth-focused DDoS-for-hire platform. 

Researchers at Trellix ARC report that the Masjesu botnet has operated continuously since 2023 as a stealth-focused DDoS-for-hire platform targeting routers, gateways, and other Internet of Things devices across multiple processor architectures. Marketed primarily through Telegram, the service supports large-scale TCP, UDP, and HTTP flooding and claims attack volumes reaching hundreds of gigabits per second. The malware spreads by scanning for known vulnerabilities in devices from vendors such as D-Link, GPON, and Netgear, while using XOR-based obfuscation, cron persistence, and process spoofing to evade detection. It also avoids blocklisted government IP ranges to reduce scrutiny. Updated samples show expanded command-and-control redundancy and broader device targeting, underscoring the botnet’s evolution into a resilient, commercially operated extortion and disruption platform.

CISA orders patching of a critical vulnerability in Ivanti Endpoint Manager Mobile. 

The Cybersecurity and Infrastructure Security Agency ordered federal agencies to patch a critical vulnerability in Ivanti Endpoint Manager Mobile within four days after confirming active exploitation since January. The flaw, CVE-2026-1340, allows unauthenticated remote code execution on exposed systems. Ivanti previously warned that only a limited number of customers were affected, but nearly 950 internet-facing instances remain visible. CISA added the issue to its Known Exploited Vulnerabilities catalog and urged all organizations to prioritize patching immediately due to ongoing risk.


macOS has a 49 day time limit. 

Once upon a time, classic pre-OS X Macs had a reputation for freezing if you merely looked at them wrong. Modern macOS, by contrast, feels rock solid, right up until day 49.7 of continuous uptime.

Researchers at Photon discovered that after exactly 49 days, 17 hours, 2 minutes, and 47 seconds, a 32-bit counter in the XNU kernel quietly overflows and freezes the system’s internal TCP clock. When that happens, closed connections in the TIME_WAIT state never expire. Ephemeral ports accumulate, new TCP sessions fail, and services slowly lose the ability to talk to anything at all. Ping still works, which only deepens the mystery.

The issue surfaced in long-running iMessage monitoring systems and was reproduced experimentally, then traced to a single comparison guarding the kernel’s TCP timestamp counter. The result is a silent countdown timer built into macOS networking. The only reliable fix today is a reboot before the clock runs out.
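The wrap described above, as an added illustration that is not XNU's code: a free-running 32-bit millisecond tick (2^32 ms is exactly the 49 days, 17 hours, 2 minutes, 47 seconds quoted), a guard that freezes the clock once the tick wraps, and the wrap-safe comparison beside it. The guard shape is assumed; the page does not show the actual kernel comparison.

```c
#include <stdbool.h>
#include <stdint.h>
/* Added illustration, not XNU source. It assumes a free-running 32-bit
 * millisecond tick: 2^32 ms is 49 days 17 h 2 min 47 s, the page's figure. */

/* Time until a 32-bit millisecond counter wraps, broken down as on the page. */
static void wrap_period(unsigned *d, unsigned *h, unsigned *m, unsigned *s)
{
    uint64_t secs = (1ULL << 32) / 1000;          /* 4294967 s, fraction dropped */
    *d = secs / 86400; secs %= 86400;
    *h = secs / 3600;  secs %= 3600;
    *m = secs / 60;    *s = secs % 60;
}

/* Naive guard: advance only when the raw tick compares greater. Once the
 * tick wraps to a small value this is never true, so the clock freezes. */
static void advance_naive(uint32_t *clock_ms, uint32_t tick)
{
    if (tick > *clock_ms)
        *clock_ms = tick;
}

/* Wrap-safe guard: compare the signed distance modulo 2^32, as RFC 7323 does
 * for TCP timestamps. Correct while successive ticks are < 2^31 ms apart. */
static void advance_safe(uint32_t *clock_ms, uint32_t tick)
{
    if ((int32_t)(tick - *clock_ms) > 0)
        *clock_ms = tick;
}

/* TIME_WAIT expiry against a clock value, also wrap-safe. */
static bool timewait_expired(uint32_t clock_ms, uint32_t deadline_ms)
{
    return (int32_t)(clock_ms - deadline_ms) >= 0;
}

/* Drive both clocks with 1 s ticks across the wrap; a socket's 60 s TIME_WAIT
 * begins 5 s before it. Returns the naive clock's final (frozen) value. */
static uint32_t run_across_wrap(bool *naive_expired, bool *safe_expired)
{
    uint32_t tick = UINT32_MAX - 5000, naive = tick, safe = tick;
    uint32_t deadline = tick + 60000;             /* wraps to a small value */
    for (int i = 0; i < 120; i++) {
        tick += 1000;                             /* unsigned wrap is defined */
        advance_naive(&naive, tick);
        advance_safe(&safe, tick);
    }
    *naive_expired = timewait_expired(naive, deadline);   /* false: frozen */
    *safe_expired = timewait_expired(safe, deadline);     /* true */
    return naive;                                 /* stuck at UINT32_MAX */
}
```

The naive clock stops at the last pre-wrap tick, so every TIME_WAIT deadline set after that point is never reached, which is the port-exhaustion symptom the segment describes.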

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.