The CyberWire Daily Podcast 7.17.26
Ep 2595 | 7.17.26

A nightmare on Windows street.

Transcript

Nightmare Eclipse drops another Windows zero-day. The Gentlemen take the ransomware crown. CISA orders emergency Fortinet patching. Canada’s surveillance bill faces U.S. scrutiny. Meta’s Oversight Board flags AI censorship bias. Commerce tops the cyber target list. An active espionage campaign hits Bangladesh’s military. The Hewlett Foundation commits $100 million to emerging tech security. And U.S. prosecutors dismantle an alleged cyber-enabled money laundering network. Our guest is Nick Stohlman, Vice President of CJIS Strategy at Imprivata, talking about CJIS readiness and the identity security challenges facing public safety agencies. Leaked source code reveals an AI mixtape. 

Today is Friday July 17th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Nightmare Eclipse drops another proof-of-concept zero-day. 

A security researcher using the handle Nightmare Eclipse has released LegacyHive, a proof-of-concept zero-day exploit that targets the Windows User Profile Service and enables privilege escalation on fully patched Windows systems. The vulnerability has not yet been assigned a CVE. Unlike the researcher’s earlier releases, this PoC has been deliberately limited, requiring additional user credentials to reduce the risk of widespread abuse. Testing by security researchers Will Dormann and Kevin Beaumont confirmed the exploit works. Dormann said it could let a standard user modify an administrator’s registry hive, potentially enabling code execution when the administrator logs in, while Beaumont published Microsoft Defender for Endpoint detection queries. LegacyHive is the latest in a series of Windows zero-day disclosures from Nightmare Eclipse, whose previous releases have prompted Microsoft patches and public legal warnings.

The Gentlemen top the ransomware leaderboard. 

The ransomware landscape is shifting, with The Gentlemen emerging as the most active cyber extortion group between March and May 2026, according to ReliaQuest. Researchers tracked 300 claimed victims linked to the group, surpassing Qilin, which recorded 289 incidents after leading ransomware activity throughout the previous year. Across 11 major ransomware operations, ReliaQuest identified 1,368 victim claims spanning 99 countries. The report attributes The Gentlemen’s rapid rise to aggressive affiliate recruitment, AI-assisted malware development, and a well-packaged ransomware-as-a-service toolkit that lowers the barrier for new operators. The toolkit includes detailed attack playbooks and preconfigured intrusion tools that help affiliates launch attacks more efficiently. ReliaQuest expects the group’s momentum to continue and recommends organizations strengthen remote access controls, harden identity protections, enforce Microsoft’s vulnerable-driver block list, and monitor suspicious network activity.

CISA orders urgent patching of critical Fortinet vulnerabilities. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to urgently patch two actively exploited critical vulnerabilities in Fortinet FortiSandbox, tracked as CVE-2026-39808 and CVE-2026-25089. The flaws, patched by Fortinet in April and June, allow unauthenticated remote code execution through command injection attacks that require no user interaction. Although Fortinet has not confirmed exploitation, threat intelligence firm Defused reported attacks in June, and CISA has now added both vulnerabilities to its Known Exploited Vulnerabilities catalog. Federal agencies must apply patches by July 19.

Canada’s Lawful Access Act draws US congressional scrutiny. 

Sen. Ron Wyden is urging Secretary of State Marco Rubio and acting Attorney General Todd Blanche to oppose Canada’s proposed Lawful Access Act, warning it could threaten U.S. national security and the privacy of American citizens. In a letter, Wyden argued the legislation could compel U.S. technology companies to secretly assist Canadian surveillance by retaining user metadata, creating backdoors, and modifying systems to facilitate lawful access requests. The bill has passed Canada’s House of Commons and is awaiting Senate approval. Wyden called for a review of whether the proposal could force companies like Apple and Google to disclose Americans’ data and recommended using ongoing U.S.-Canada CLOUD Act negotiations to prohibit such requirements. Canada’s Citizen Lab has also raised constitutional concerns about elements of the legislation.

Meta’s Oversight Board finds AI models less likely to criticize oppressive regimes. 

A study by Meta’s independent Oversight Board found that leading AI models, including those from OpenAI and Anthropic, are significantly less likely to generate politically critical content about governments with restrictive speech laws than about more permissive countries. Across 10 models, researchers found refusals occurred 34% of the time for restrictive jurisdictions, compared with 14% for permissive ones. The board warned this could introduce bias into widely used AI systems and called for greater transparency in AI training, evaluation, and human rights assessments.

A new report says commerce is the most targeted industry for cyberattacks. 

Akamai’s latest State of the Internet report says commerce has become the world’s most targeted industry for cyberattacks as AI-powered shopping agents and autonomous tools reshape online retail. By the end of 2025, AI bots accounted for nearly 48% of all commerce traffic on Akamai’s network, with AI training crawlers making up the majority. The report warns that attackers are increasingly exploiting AI through agent hijacking, synthetic identity fraud, and API attacks, while Layer 7 distributed denial-of-service (DDoS) attacks continue to surge, particularly against retailers. Akamai also found widespread gaps in API visibility, with most organizations unable to identify sensitive data exposure. Meanwhile, phishing and malware activity have risen sharply, fueling account takeovers and loyalty fraud as attackers industrialize cybercrime against digital commerce platforms.

An active cyber-espionage campaign targets Bangladesh’s military. 

Researchers at Cyderes Howler Cell uncovered an active cyber-espionage campaign targeting Bangladesh’s military and defense sector and attributed it with high confidence to DoNot (APT-C-35). The operation begins with a spear-phishing RTF document disguised as the biography of a Bangladesh Air Force officer. The document uses remote template injection to retrieve a malicious macro, with server-side geofencing limiting delivery to intended regional targets. The malware executes through multiple encrypted stages before installing a DLL that establishes persistence, profiles the infected system, and communicates with command-and-control (C2) servers over encrypted HTTPS. By interacting directly with the C2 infrastructure, researchers retrieved a live second-stage payload, confirming the campaign remains active. Matching encryption keys, infrastructure, and communication patterns further strengthen the attribution to DoNot and indicate an ongoing intelligence-gathering operation targeting South Asian government and military organizations.

The Hewlett Foundations launches a $100 million Emerging Technology and Security Initiative. 

The William and Flora Hewlett Foundation has launched a $100 million Emerging Technology and Security Initiative to fund research and policy efforts through 2031 focused on the safe development of artificial intelligence, biotechnology, and quantum computing. Announced at the Aspen Security Forum, the initiative will support universities, think tanks, and civil society organizations working to protect critical infrastructure, address emerging technology risks, and strengthen global governance. Building on earlier exploratory grants, the program aims to promote practical, evidence-based solutions that balance innovation with security through collaboration across government, industry, and independent organizations.

On a personal level, our own Research Saturday program was initially made possible by a Hewlett Foundation grant. 

Prosecutors charge the alleged operators of a cyber-enabled money laundering network. 

U.S. prosecutors have charged Zhuoying Chen and Haojie Zhang, two New York residents, with operating a large-scale money laundering network that allegedly moved at least $43 million in proceeds from cyber-enabled investment fraud scams between 2020 and 2022. According to the indictment, the pair managed a network of more than a dozen associates who used approximately 140 bank accounts tied to 45 shell companies to transfer stolen funds to China. The underlying scams involved criminals building trust with victims through social media and messaging platforms before convincing them to invest in fake opportunities. If convicted of conspiracy to commit money laundering, the defendants face up to 20 years in prison. The case highlights the continued growth of investment fraud, which the FBI says caused $8.6 billion in reported losses in 2025.

 

Leaked source code reveals an AI mixtape. 

A hacker has pulled back the curtain on how AI music company Suno built its models, revealing source code that allegedly shows the platform scraped millions of songs, lyrics, podcasts, and stock audio from services including YouTube Music, Deezer, Genius, Pond5, and Jamendo. The leaked code appears to detail massive training datasets, automated scraping tools, and techniques for finding vocal tracks, while also suggesting the use of proxy infrastructure to collect content at scale. The breach reportedly exposed customer contact information and limited Stripe payment data, though Suno says the incident involved outdated code, was quickly contained, and did not compromise full payment card numbers. The revelations add weight to ongoing copyright lawsuits accusing Suno of training on copyrighted music. It is a reminder that, in AI, today’s training playlist can become tomorrow’s courtroom exhibit.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.

N2K’s lead producer is Liz Stokes. We’re mixed by  Tré Hester, with original music by and sound design Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.