The CyberWire Daily Podcast 5.21.26
Ep 2557 | 5.21.26

That shield has cracks in it.

Transcript

Microsoft confirms active exploitation of two Defender flaws. Europol dismantles a VPN service tied to ransomware gangs. A nine-year-old Linux kernel bug exposes SSH keys and password hashes. Cisco patches a critical Secure Workload vulnerability, while Drupal fixes a highly critical SQL injection flaw. Android malware quietly signs victims up for premium SMS scams. Webworm upgrades its espionage toolkit with Discord and Microsoft Graph backdoors. Plus, China and Russia deepen cooperation on AI, cybersecurity, and satellite systems. Our guest is Jake Moore, Global Cybersecurity Advisor for ESET, sharing a glimpse into his Infosecurity Europe keynote "The Deepfake Interview." Greg doesn’t even work here anymore…

Today is Thursday, May 21st, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Microsoft confirms active exploitation of two Microsoft Defender vulnerabilities.

Microsoft says attackers are actively exploiting two Microsoft Defender vulnerabilities, CVE-2026-41091 and CVE-2026-45498, prompting action from both Microsoft and the Cybersecurity and Infrastructure Security Agency, or CISA.

CVE-2026-41091 is a local privilege escalation flaw in the Microsoft Malware Protection Engine. Successful exploitation could grant attackers SYSTEM-level privileges. CVE-2026-45498 can force Microsoft Defender into a denial-of-service state, potentially disrupting endpoint protection. Microsoft says both flaws are publicly disclosed and exploited in the wild. Patches are available in updated Defender engine and platform releases.

Microsoft Defender is widely deployed across enterprise and government environments. CISA has added both vulnerabilities to its Known Exploited Vulnerabilities catalog and ordered federal civilian agencies to patch or discontinue affected products by June 3, 2026.

Europol-led operation dismantles VPN service tied to ransomware, fraud, and cybercrime infrastructure.

European law enforcement agencies have seized First VPN, a privacy service investigators say was widely used by ransomware gangs and other cybercriminal groups to conceal operations online.

The operation, called Operation Saffron, involved authorities from 16 countries with support from Europol and Eurojust. Investigators seized 33 servers, shut down multiple domains, and interviewed the alleged administrator in Ukraine. According to Europol, the VPN advertised heavily on Russian-speaking cybercrime forums and offered anonymous payments and concealed infrastructure designed to evade law enforcement. Authorities also gained access to the service’s user database, which investigators say contains information tied to thousands of suspected criminal users.

The takedown highlights a growing law enforcement focus on disrupting the infrastructure that enables cybercrime, not just the operators behind attacks. Seized customer data could support future ransomware, fraud, and data theft investigations across multiple countries.

Nine-year-old Linux kernel flaw exposes SSH keys and password hashes.

Researchers at Qualys have disclosed a Linux kernel vulnerability that could allow unprivileged local users to access sensitive files, including SSH private keys and password hashes, on default Debian, Fedora, and Ubuntu systems.

The flaw, tracked as CVE-2026-46333, has existed in the Linux kernel since 2016. Qualys says the bug affects the kernel’s ptrace mechanism, which manages process tracing and debugging. By exploiting a race condition tied to credential changes and the pidfd_getfd() system call, attackers can inherit access to protected file descriptors from privileged processes. Qualys demonstrated proof-of-concept exploits targeting ssh-keysign and chage, exposing SSH host keys and /etc/shadow password hashes.

Researchers warn the issue is especially dangerous in shared hosting and multi-tenant environments where untrusted users can obtain local shell access. Kernel patches are available, and Ubuntu and Qualys recommend tightening ptrace restrictions as a temporary mitigation.

Cisco patches a critical Secure Workload flaw.

Cisco has patched a critical vulnerability in Secure Workload, tracked as CVE-2026-20223, with a maximum CVSS score of 10. The flaw affects internal REST API endpoints and could allow attackers to access sensitive information and modify configurations across tenant boundaries with Site Admin privileges. Cisco says the issue impacts both SaaS and on-prem deployments but does not affect the web management interface. Patches are available in Secure Workload versions 3.10.8.3 and 4.0.3.17. Cisco also addressed three medium-severity flaws affecting ThousandEyes products and Nexus switches. The company says it has not observed active exploitation.

Android malware campaign silently enrolls users in premium SMS services.

Researchers at Zimperium zLabs have uncovered a large-scale Android malware campaign that secretly subscribed victims to premium SMS services without their consent. The operation involved roughly 250 malicious apps impersonating popular brands including TikTok, Instagram Threads, Minecraft, and Facebook Messenger.

The malware targeted mobile carriers in Thailand, Croatia, Romania, and Malaysia by checking SIM card details before activating fraud routines. Researchers say the apps disabled Wi-Fi, intercepted one-time passwords using Google’s SMS Retriever API, and automated hidden subscription workflows through background WebViews. One malware variant also exfiltrated victim data and subscription confirmations through Telegram.

The campaign highlights how attackers continue to weaponize legitimate mobile platform features and weak SMS-based authentication systems to support long-running fraud operations. Researchers say the infrastructure operated for nearly ten months and was optimized to evade detection while maximizing carrier billing abuse.

Drupal patches highly critical SQL injection flaw.

Drupal has released patches for CVE-2026-9082, a highly critical SQL injection vulnerability affecting sites that use PostgreSQL databases. The flaw exists in an API responsible for sanitizing database queries and could allow unauthenticated attackers to obtain sensitive information, escalate privileges, or potentially achieve remote code execution. Drupal warned users before disclosure that exploit code could emerge quickly after patches became public. Updates are available for Drupal 11.3, 11.2, 10.6, and 10.5.x. The release also addresses additional vulnerabilities in Symfony and Twig dependencies.

Webworm expands cyberespionage toolkit with Discord and Microsoft Graph-based backdoors.

ESET researchers say the China-aligned Webworm threat group has significantly evolved its operations in 2025, shifting focus from Asia toward European government organizations and deploying new stealth-focused malware and proxy infrastructure.

The group introduced two new backdoors, EchoCreep and GraphWorm, which use Discord and Microsoft Graph API for command-and-control communications. Researchers decrypted more than 400 Discord messages tied to EchoCreep and uncovered evidence of targeting in Belgium, Italy, Poland, Serbia, and South Africa. Webworm also expanded its use of custom proxy tools designed to create layered, encrypted traffic chains across compromised systems. ESET says the group stages malware through GitHub repositories and used a compromised Amazon S3 bucket for configuration retrieval and data exfiltration.

The findings reflect a broader trend among advanced persistent threat groups toward blending malicious activity with legitimate cloud services and collaboration platforms to evade detection. Researchers also identified reconnaissance activity using open-source vulnerability scanners and web directory brute-forcing tools against dozens of targets across Europe and Africa.

China and Russia expand cooperation on AI, cybersecurity, and satellite infrastructure.

Chinese President Xi Jinping and Russian President Vladimir Putin pledged deeper cooperation on artificial intelligence, cybersecurity, satellite systems, and internet governance during a summit in Beijing.

In a joint statement, the two countries outlined plans to expand collaboration on satellite internet technologies, open-source software, and joint development initiatives aimed at reducing dependence on Western technology. Moscow and Beijing also agreed to improve interoperability between Russia’s GLONASS and China’s BeiDou satellite navigation systems and coordinate more closely on cyber policy and information security. Both governments reaffirmed support for “internet sovereignty,” which gives states broader control over domestic digital environments.

The agreement reflects a growing strategic alignment between China and Russia in cyberspace and emerging technologies, particularly as both countries seek alternatives to Western-controlled infrastructure and standards. The announcement also comes amid increasing concerns over the military and cyber applications of artificial intelligence.

Greg doesn’t even work here anymore…

According to The Register, Nicole Beckwith of Cribl recalls investigating a breach at a U.S. city where attackers first treated the network like tourists on a casual sightseeing trip. They played with conference room projectors, wandered through city systems, and eventually discovered controls tied to the municipal water utility. That is where the story stopped being funny.

The attackers gained access through an account belonging to “Greg from Auditing,” a former employee who had not worked for the city in years. Somehow, Greg’s account still held domain admin privileges, SCADA operator access, and help desk permissions, which is an impressive résumé for someone no longer on payroll. Beckwith suspects attackers found Greg’s credentials in a previous data leak and simply tried reused passwords until something worked.

The incident highlights an old but persistent security problem: dormant accounts, excessive privileges, and the dangerous assumption that someone else surely handled offboarding. As Beckwith put it, every forgotten account is just one bad day away from the evening news.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.