
The nominee in limbo.
President Trump halts a key intelligence nomination. The FBI warns of a new Microsoft 365 phishing threat. France cuts ties with Palantir. A new Android banking trojan emerges. Fortinet firewalls come under attack. CISA orders emergency Joomla patching. Plus, Madison Square Garden data leaks and malware hidden in Steam wallpapers. Our guest is Christy Wyatt, CEO of Absolute Security, discussing their new ebook. The DOJ claims pollution is mission-critical.
Today is Wednesday, June 17th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
President Trump pauses the DNI director nomination.
President Trump has abruptly delayed the Senate confirmation process for Jay Clayton as director of national intelligence, using the nomination to pressure lawmakers on two separate priorities: the confirmation of another nominee, Jamie McDonald for U.S. Attorney, and passage of a voting restrictions bill. In an early morning Truth Social post, Trump announced the cancellation of Clayton’s scheduled Senate hearing and said acting intelligence chief Bill Pulte would remain in the role until his demands are met.
The move surprised lawmakers because Clayton, currently the U.S. Attorney for the Southern District of New York and a former Securities and Exchange Commission chair, appeared headed for a relatively smooth confirmation. Senators had hoped to install him quickly to limit the tenure of Pulte, whose appointment has drawn criticism due to his lack of intelligence experience and his history of publicly targeting Trump’s political opponents.
Trump also wants reauthorization of FISA Section 702, a key U.S. surveillance authority, tied to the voting legislation. The dispute threatens both leadership stability at the Office of the Director of National Intelligence and the future of an important intelligence-gathering tool, while highlighting ongoing political battles over national security and election-related issues.
Senator Warner sounds the alarm over CISA budget cuts.
Sen. Mark Warner is raising concerns about the future of the Cybersecurity and Infrastructure Security Agency, warning that staffing cuts, leadership vacancies, and the loss of a key information-sharing program could weaken the nation’s cyber defenses. In letters to acting CISA Director Nick Andersen, DHS leadership, and all 50 governors, Warner argued that the agency has lost roughly one-third of its workforce, including many senior officials, while facing a proposed budget reduction of more than $700 million.
Warner said state and local officials, educators, law enforcement, and industry leaders have reported reduced support and slower responsiveness from CISA. He also criticized the shutdown of federal funding for the Multi-State Information Sharing and Analysis Center, which helps protect state and local governments. While Andersen has announced plans to hire more than 300 employees, Warner is seeking detailed information about staffing levels, vacancies, service delivery, and the agency’s ability to support critical infrastructure nationwide.
France’s spy agencies pursue digital sovereignty.
France is cutting ties between its domestic intelligence agency and Palantir, citing concerns about growing dependence on American technology. Prime Minister Sébastien Lecornu announced that the DGSI will end its contract with the U.S. data analytics company as part of a broader push for digital sovereignty and a €655 million investment in French artificial intelligence.
The move follows the U.S. decision to restrict access to Anthropic’s Fable AI model for non-American users, a development French officials say highlights the risks of relying on foreign providers that can suddenly limit access. Lecornu argued that France cannot afford strategic digital dependencies controlled by outside governments or companies.
The decision reflects a wider European trend toward reducing reliance on U.S. technology. France is also replacing some Microsoft products with European alternatives, while officials in the UK have raised similar concerns about Palantir contracts, warning that dependence on a small number of American tech firms could create strategic vulnerabilities.
Rokarolla steals credentials from banking and cryptocurrency applications.
Researchers at Zimperium have identified a new Android banking trojan dubbed Rokarolla, a highly sophisticated malware strain designed to steal credentials from 217 banking and cryptocurrency applications. Distributed through malicious websites masquerading as legitimate apps such as TikTok or Google Chrome, the malware uses a dropper to install a second-stage payload while impersonating Google Play Protect.
Once installed, Rokarolla abuses Android Accessibility Services and extensive permissions to gain deep control over infected devices. The malware can steal lock-screen PINs and passwords, harvest SMS messages and contacts, log keystrokes, intercept calls, manipulate clipboard contents, and capture screenshots for remote surveillance. It also deploys convincing overlays that mimic banking apps and Android lock screens to trick users into surrendering credentials.
Researchers identified 137 commands that allow attackers to manage infected devices, disable Google Play Protect, suppress alerts, and maintain persistence. The malware communicates with resilient command-and-control infrastructure that can dynamically switch domains, making detection and disruption more difficult while enabling long-term financial fraud.
A massive campaign targets Fortinet firewalls and VPN gateways.
Researchers are warning about a massive campaign targeting Fortinet firewalls and VPN gateways, with attackers reportedly compromising nearly 74,000 firewall URLs across 194 countries. Analysis by Hudson Rock and researcher Volodymyr Diachenko suggests the operation relied on credential-stuffing at enormous scale, testing leaked usernames and passwords against exposed FortiGate devices.
The attackers allegedly conducted more than a billion login attempts and, in some cases, intercepted and cracked VPN authentication hashes before moving deeper into corporate networks. The dataset includes more than 21,000 affected domains and reportedly contains credentials linked to major enterprises, government organizations, and critical infrastructure providers.
The findings underscore a familiar cybersecurity lesson: strong passwords provide little protection once credentials have been stolen or leaked. Researchers recommend immediate password rotation, universal multi-factor authentication, log reviews for suspicious access, and monitoring for exposed credentials. The campaign highlights how exposed gateways combined with recycled or compromised credentials remain a highly effective path into enterprise networks.
CISA orders urgent patching of a critical Joomla Content Editor (JCE) plugin vulnerability.
CISA has ordered federal agencies to patch a critical vulnerability in the Joomla Content Editor (JCE) plugin by Friday after confirming active exploitation in the wild. The flaw, tracked as CVE-2026-48907, allows unauthenticated attackers to upload and execute malicious PHP code through improperly secured editor profiles. The issue was fixed in JCE Pro 2.9.99.6, but developers warn that updating alone will not remove malware from already compromised systems. CISA added the bug to its Known Exploited Vulnerabilities catalog and warned that public exploit code and automated attacks make unpatched Joomla sites especially vulnerable.
Hackers publish data allegedly stolen from Madison Square Garden.
Hackers associated with ShinyHunters have published nearly 45GB of data allegedly stolen from Madison Square Garden after the organization reportedly refused to pay a ransom. A sample reviewed by 404 Media includes customer communications, contact details, and files referencing Knicks players, coaches, celebrities, and other sports personalities. The leak comes just days after the Knicks’ NBA Finals victory, increasing public attention on the incident. ShinyHunters claims the breach occurred on June 5 and warned that organizations that do not pay ransoms risk having their data exposed. MSG has not publicly commented on the latest data release.
Hackers abuse Steam Workshop Wallpapers.
Kaspersky researchers have uncovered dozens of malicious wallpapers distributed through Steam Workshop by abusing a feature in Wallpaper Engine that allows users to run executable applications as desktop backgrounds. Since late 2025, attackers have embedded malware, including DarkKomet, Lumma, Vidar, crypto miners, and ransomware loaders, inside seemingly harmless wallpapers that have been downloaded thousands of times.
When activated, some wallpapers secretly install malware that steals Steam credentials, hijacks active sessions, and communicates with attacker-controlled servers. Researchers found attackers using both bundled malware files and password-protected archives to evade detection.
The campaign primarily targets gamers in China, which accounted for 89% of observed malicious downloads, though users in Russia and several other countries were also affected. Steam has removed the identified wallpapers, but researchers warn that new malicious uploads continue to appear, making antivirus scanning and caution essential when downloading community-created content.
Update to the SPARTA framework from the DHS S&T directorate.
The Department of Homeland Security’s Science and Technology Directorate is backing new efforts to strengthen cybersecurity across the space sector as satellites become increasingly critical to communications, navigation, and other infrastructure. The DHS is working with The Aerospace Corporation to expand the Space Attack Research and Tactic Analysis, or SPARTA, framework, the open-source catalog of tactics, techniques and procedures specifically targeting spacecraft. The first of the two DHS updates to SPARTA is a new set of behavioral indicators designed to help operators detect attacks through unusual system activity rather than traditional malware signatures. The second update includes methods for prioritizing cybersecurity countermeasures with the unique challenges of the space threat landscape in mind, based on effectiveness, mission deployment constraints, and mission lifecycle cost.
The DHS says its contributions to SPARTA were partly motivated by the 2022 cyberattack on the Viasat commercial satellite network at the start of Russia’s invasion of Ukraine, and that the new resources aim to make advanced space cybersecurity practices more accessible and to help operators build resilience against emerging threats. An open-source reference implementation of threat detection tools is expected later this year.
The DOJ claims pollution is mission-critical.
What began as a dispute over air permits in Mississippi has evolved into a remarkably modern question: How many gas turbines does it take to power national security?
The Department of Justice has entered the NAACP’s lawsuit against Elon Musk’s xAI, urging a court to dismiss claims that the company is operating dozens of unpermitted natural gas turbines at its Colossus 2 data center in Southaven. The NAACP argues the turbines violate the Clean Air Act and increase pollution risks in communities that already face significant health burdens.
The DOJ sees the matter differently. According to court filings, xAI’s Grok model is one of only a handful of AI systems supporting operations on classified government networks. A Defense Department official said the technology supports critical national security missions, including recent military strikes against Iran, and warned that shutting down the turbines could disrupt those efforts.
Meanwhile, the numbers continue to grow. The lawsuit originally cited 27 turbines. Environmental advocates say records now show 57 operating at the site. So the court is left weighing two competing concerns: local air quality and the proposition that somewhere in Mississippi, a fleet of generators has become part of America’s national security infrastructure. That’s not a sentence many people expected to read a few years ago.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.

