
A digital battlefield in practice.
Locked Shields wraps another year. Open models challenge Mythos. CISA tracks FIRESTARTER inside a federal agency. The White House targets foreign AI model extraction. Microsoft lets admins remove Copilot. Treasury sanctions a Cambodian scam-compound senator. Breeze Cache rushes a patch. Researchers downplay OT malware hype, while NIST pushes for better OT visibility. Our guest is Eric Russo, Director, SOC Defensive Security at Barracuda, discussing the risks posed by employees downloading pirated software. Con artists charge crypto for counterfeit clearance.
Today is Friday, April 24th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The world’s largest live-fire cyber defense exercise wraps up another year.
Locked Shields 2026, the world’s largest live-fire cyber defense exercise, concluded Friday in Tallinn, Estonia, after convening more than 4,000 participants from 41 nations. Organized by NATO’s Cooperative Cyber Defence Centre of Excellence, the exercise simulated sustained cyberattacks against critical infrastructure and military systems, including air defense networks and e-voting platforms, while also testing responses to disinformation and political pressure. Officials said participants demonstrated strong detection and response capabilities, but emphasized the importance of turning lessons learned into real-world readiness as artificial intelligence reshapes cyber operations. Sixteen multinational teams competed, with top performers including France and Sweden; Latvia and Singapore; and Germany, Austria, Luxembourg, and Switzerland. The exercise has grown significantly since its 2010 debut, which involved only four nations and 60 participants.
Mythos ain’t the only game in town.
At Black Hat Asia in Singapore, RunSybil CEO Ari Herbert-Voss said open source AI models can identify software vulnerabilities as effectively as Anthropic’s restricted Mythos system when used together in coordinated workflows. He attributed Mythos’s strength to “supralinear scaling,” where doubling training resources can produce disproportionately greater capability. However, he argued organizations can approximate similar performance by combining multiple open source models, which also improves coverage because different systems detect different flaws. Cost and limited access further strengthen the case for open alternatives. Herbert-Voss emphasized that human expertise remains essential to coordinate models and evaluate findings, noting AI bug-hunting tools generate large volumes of alerts, similar to traditional fuzzing. He expects economic pressure to adopt AI-driven security tools will continue to push organizations toward broader use of automated vulnerability discovery.
CISA says FIRESTARTER breached a U.S. federal civilian executive branch agency.
The Cybersecurity and Infrastructure Security Agency said a U.S. federal civilian executive branch agency was breached in September 2025 through vulnerabilities in Cisco Adaptive Security Appliance software, with attackers deploying FIRESTARTER malware to maintain long-term access. The backdoor allowed threat actors to regain entry in March 2026 without re-exploiting the original flaws. Investigators also identified Line Viper malware, which enabled unauthorized virtual private network sessions that bypassed authentication and exposed credentials and keys. CISA warned that patching alone does not remove the threat if persistence is already established. The agency issued updated directives requiring federal agencies to check for compromise and inventory affected devices. Officials have not attributed the campaign, though earlier reporting linked activity to actors aligned with China’s state interests.
The White House moves to counter foreign extraction of U.S. AI capabilities.
The Trump administration is moving to counter what it describes as foreign extraction of U.S. artificial intelligence capabilities, focusing primarily on China. In a memo, White House science adviser Michael Kratsios accused China-based entities of conducting large-scale “distillation” efforts to replicate features of leading American AI systems. The administration said it will work with U.S. companies to detect such activity, strengthen defenses, and pursue penalties. The move comes as analysts report the performance gap between U.S. and Chinese AI models has narrowed significantly. Lawmakers are advancing bipartisan legislation to identify and sanction actors involved in model extraction. U.S. firms including OpenAI and Anthropic have also raised concerns about Chinese labs using distillation techniques, though experts note distinguishing unauthorized activity from legitimate use remains technically difficult.
Microsoft lets IT admins uninstall Copilot.
Microsoft has introduced a new policy setting that allows enterprise IT administrators to uninstall the Copilot AI assistant from managed Windows devices following the April 2026 Patch Tuesday updates. The RemoveMicrosoftCopilotApp policy applies to Windows 11 version 25H2 systems under specific conditions and is available through Microsoft Intune and System Center Configuration Manager. The change affects Enterprise, Professional, and Education editions, and users can reinstall Copilot if desired. Microsoft also recently paused automatic Copilot deployments and previously addressed a bug that exposed confidential email summaries despite data loss prevention controls.
The U.S. Treasury sanctions Cambodian senator Kok An for operating scam compounds.
The U.S. Treasury Department sanctioned Cambodian senator Kok An and 28 associates for operating scam compounds linked to millions of dollars in losses to American victims. Officials said the network used casinos and office complexes to conduct cryptocurrency investment fraud, launder proceeds, and support human trafficking operations in which victims were forced to run scams under threat of abuse. Investigators tied at least $73.6 million in victim funds to accounts controlled by laundering networks connected to the operation. The sanctions align with broader U.S. enforcement efforts targeting Southeast Asia’s scam center economy, which authorities estimate has generated tens of billions of dollars. Additional actions included domain seizures, arrests tied to Myanmar-based scam compounds, and expanded federal coordination through the Justice Department’s Scam Center Strike Force.
The Breeze Cache WordPress plugin gets an emergency update.
Cloudways has released an emergency update for the Breeze Cache WordPress plugin to fix CVE-2026-3844, a critical vulnerability under active exploitation that allows unauthenticated attackers to upload malicious files to servers. The flaw affects versions up to 2.4.4 and can lead to full website compromise through persistent web shell access. Exploitation requires the “Host Files Locally – Gravatars” setting to be enabled, which is not the default. Administrators are urged to update to version 2.4.5 immediately or disable the affected setting as a temporary mitigation.
Researchers warn against OT vulnerability hype.
Researchers initially flagged a malware sample called ZionSiphon as a potential threat to Israeli water infrastructure, but analysts at Dragos say the tool is largely nonfunctional and poses no real risk to operational technology environments. First identified by Darktrace, the malware appeared designed to manipulate chlorine levels at water facilities. However, investigators found the code riddled with logic errors, fictional system references, and likely AI-generated content that demonstrated little understanding of industrial control systems. Dragos warned that overstating such immature threats can distract defenders from more credible risks, including activity by groups like Volt Typhoon. The episode highlights ongoing debate over how seriously security teams should treat early-stage AI-assisted malware targeting critical infrastructure.
NIST looks to improve OT visibility.
The National Institute of Standards and Technology (NIST) is launching a new project through its National Cybersecurity Center of Excellence to help critical infrastructure organizations improve visibility into operational technology (OT) assets. Officials said asset management and inventory remain the most common challenge across sectors, especially in legacy industrial control environments. The initiative will demonstrate practical approaches for improving OT visibility using existing standards, frameworks, and commercially available tools, with possible support from artificial intelligence depending on stakeholder interest. The effort follows warnings from U.S. and international agencies urging infrastructure operators to inventory OT systems amid growing nation-state threats. In parallel, NIST is advancing AI security work, including guidance for securing AI systems, managing AI-enabled risks, and developing identity and authorization standards for emerging enterprise AI agents.
Con artists charge crypto for counterfeit clearance.
Crypto scammers are reportedly targeting commercial vessels stranded near the Strait of Hormuz, posing as Iranian authorities and requesting “transit fees” in bitcoin or tether for safe passage through the contested waterway. Greek maritime risk firm MARISKS warned shipowners after identifying at least one vessel that may have paid such a demand before being fired upon anyway. Another cargo ship, Epaminondas, was also shot at after receiving what may have been fraudulent clearance to proceed. Roughly 2,000 ships remain stuck amid escalating regional conflict, with confirmed missile, drone, and small-boat attacks complicating navigation. Iranian inspections, U.S. naval enforcement actions, and retaliatory strikes have created a confusing security environment, one apparently chaotic enough that even counterfeit maritime toll booths, now accepting cryptocurrency, are finding willing customers.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
