You're listening to the CyberWire Network, powered by N2K.

Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel, outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com.

Google says AI-powered cybercrime has gone industrial scale. Two new Windows zero-days emerge. Signal threatens to leave Canada over lawful access legislation. A Pentagon-linked influence operation shifts to paid ads. Linux admins scramble to patch a new root-level flaw. Famous Sparrow targets Azerbaijan's energy sector. Cisco announces layoffs despite record revenue. An alleged Dream Market administrator faces cryptocurrency money laundering charges. Our guest is Cynthia Kaiser, SVP of the Ransomware Research Center at Halcyon, with the latest on the Akira ransomware group. And the surveillance will continue until employee sentiment improves.

It's Thursday, May 14th, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

Thanks for joining us here today. It's great, as always, to have you with us.

Google Threat Intelligence Group reports that AI-driven cyber threats have evolved from experimental use into industrial-scale operations. According to GTIG, threat actors are now using generative AI for vulnerability discovery, malware development, defense evasion, and large-scale information operations. Researchers identified what they believe is the first AI-developed zero-day exploit, potentially intended for mass exploitation.
AI-enabled malware such as PromptSpy demonstrates increasingly autonomous attack behavior, while adversaries linked to China, North Korea, and Russia are integrating AI into offensive workflows. Attackers are also targeting AI supply chains and using anonymized infrastructure to abuse large language models at scale. GTIG says AI remains a dual-use technology, serving both attackers and defenders. Google reports it's using AI tools like Big Sleep and CodeMender to identify vulnerabilities, automate fixes, and strengthen defenses against evolving threats.

An anonymous researcher known as Nightmare Eclipse, also called Chaotic Eclipse, has disclosed two additional Windows zero-day vulnerabilities following Microsoft's latest Patch Tuesday update. The flaws, dubbed Yellow Key and Green Plasma, reportedly enable BitLocker bypass and privilege escalation attacks. According to The Register, Yellow Key requires physical access and a specially prepared USB drive to gain shell access to BitLocker-protected systems, raising concerns about stolen devices and data exposure. Security experts said organizations can partially mitigate the threat using BitLocker PINs and BIOS passwords. Green Plasma includes partial exploit code that could eventually enable system-level access, although researchers noted it still triggers User Account Control prompts in default configurations. These disclosures follow earlier leaks from Nightmare Eclipse, including Bluehammer, Red Sun, and Undefend. Some previously linked exploits were reportedly adopted quickly in real-world attacks, raising concerns about additional future disclosures.

Secure messaging platform Signal says it could withdraw from Canada if Bill C-22 forces changes that weaken user privacy or encryption protections.
Signal's vice president said the company has serious concerns about Ottawa's proposed lawful access regime, which would require telecom and electronic service providers to support surveillance capabilities for law enforcement and the Canadian Security Intelligence Service. Signal warned that mandated system changes could introduce exploitable vulnerabilities and make encrypted platforms attractive targets for foreign adversaries and cybercriminals. The bill could also require certain providers to retain metadata for up to a year. Privacy advocates and technology companies argue the legislation could fundamentally weaken end-to-end encryption and require permanent structural changes to secure communication systems. Canadian officials maintain the bill is encryption neutral.

A new analysis suggests Pentagon-linked online influence operations have shifted away from fake social media personas and toward paid promotion of quasi-news websites targeting audiences across the Middle East, Latin America, Russia, and Asia. The report identifies a network of multilingual sites tied through shared infrastructure, advertising activity, and code patterns. Unlike earlier covert campaigns that relied on coordinated inauthentic behavior, the newer network appears to amplify mostly factual, selectively framed content through advertising on X, Meta, and Google platforms. Researchers linked the sites to contractor General Dynamics Information Technology, which reportedly ran ads promoting the outlets. The operation reflects an evolution in state influence tactics. Instead of fabricated engagement or bot farms, the newer model appears designed to shape narratives through targeted distribution, selective framing, and reduced transparency around sponsorship.

Linux distributions are deploying patches for a newly disclosed high-severity privilege escalation vulnerability that allows local attackers to gain root access on vulnerable systems.
Nicknamed Fragnasia, the flaw affects Linux kernels released before May 13, 2026. Researcher William Bowling of Zellic said the bug stems from a logic error in a Linux subsystem. According to Bowling, attackers can exploit the flaw to write arbitrary bytes into the kernel page cache of read-only files, enabling modification of protected binaries to obtain root shells. A proof-of-concept exploit has already been released publicly. Fragnasia belongs to the broader Dirty Frag class of Linux privilege escalation vulnerabilities, which security researchers say can undermine core system protections. Administrators are being urged to patch immediately or disable affected kernel modules where possible.

Researchers at Bitdefender Labs say the China-aligned threat group Famous Sparrow targeted an Azerbaijani oil and gas company in a multi-wave intrusion campaign spanning late 2025 through early 2026. According to the report, the attackers exploited the ProxyNotShell vulnerability to compromise a Microsoft Exchange server and deploy the SnappyBee (Deed RAT) backdoor through DLL sideloading. In later stages, the group introduced Turndoor malware and a rootkit-enabled driver to gain deeper system control, steal administrator credentials, and move laterally across the network using Remote Desktop Protocol and Impacket tools. Researchers said the attackers repeatedly regained access through the same unpatched Exchange vulnerabilities despite remediation efforts. The campaign highlights how advanced threat actors maintain persistence by repeatedly exploiting unresolved entry points while adapting malware and evasion techniques over time.

Cisco says it will cut fewer than 4,000 jobs as part of a broader restructuring tied to its push into AI, networking, and other strategic growth areas.
In a memo titled "Our Path Forward," CEO Chuck Robbins praised employees for delivering record quarterly revenue of $15.8 billion and double-digit growth, even amid supply chain pressures and intensifying competition. The company said the restructuring is intended to realign resources around AI infrastructure and future investments. Cisco also said affected employees will receive severance support and one year of access to Cisco training and certification programs. For workers impacted by the cuts, the announcement lands amid strong financial performance, underscoring the uncertainty many technology employees face as companies redirect spending toward AI-focused priorities and operational restructuring.

U.S. prosecutors have indicted O. Martin Andresen, a German national accused of serving as the primary administrator of the now-defunct Dream Market darknet marketplace, and laundering millions in criminal proceeds. According to the indictment, Andresen allegedly controlled cryptocurrency wallets tied to Dream Market after the platform shut down in 2019 under law enforcement pressure. Investigators say he moved funds from dormant marketplace wallets into consolidated accounts beginning in 2022, then used cryptocurrency to purchase gold bars shipped to Germany. Authorities allege he laundered more than $2 million between 2023 and 2025. During coordinated searches in Germany, investigators reportedly seized roughly $1.7 million in gold bars and identified additional bank accounts and cryptocurrency holdings. The case highlights how law enforcement agencies continue tracing cryptocurrency transactions years after darknet marketplaces disappear, targeting the financial infrastructure that supports transnational cybercrime and narcotics trafficking.

Coming up after the break, my conversation with Cynthia Kaiser from Halcyon. She brings us the latest from Akira ransomware. And the surveillance will continue until employee sentiment improves. Stay with us.
time to market, or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.

No, it's not your imagination. Risk and regulation are ramping up, and customers expect proof of security just to do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform. Whether you're preparing for a SOC 2 or managing an enterprise GRC program, Vanta helps keep you secure and your deals moving. Companies like Ramp and Ryder report spending 82% less time on audits. That's not just faster compliance, that's more time to focus on growth. When I look around the industry, I see over 10,000 companies, from startups to big enterprises, trusting Vanta. Get started at vanta.com slash cyber.

Cynthia Kaiser is Senior Vice President of Ransomware Research at Halcyon. I recently caught up with her to discuss their recent report, "Akira Ransomware Attacks in Under an Hour."

Akira is one of the most significant threats we're tracking. FBI actually last week put out their internet crime report for 2025 and listed it as the number one group. But what I would say about it is it's really one of the most kind of professional, business-optimized groups we follow. They're volume driven. They're trying to make a lot of decisions so that it incentivizes victims to pay. And not all of those are really dastardly. Some of them are just more efficient.

But one of the things your research highlights here is the speed at which Akira can do the things that they're up to. Can you take us through that? I mean, some of these can happen in under an hour. That's crazy.

Right? Like, think of that a few years ago. We used to believe, right, yeah, we used to believe, hey, an actor gets on the network and they're gonna kind of look around, move laterally, find what's useful, and defenders assumed they had weeks of dwell time to really identify these threat actors.
But Akira has taken kind of their experience, their ability to rapidly operationalize certain vulnerabilities, and then move incredibly quickly using a playbook across a network to be able to go from initial access to full encryption in sometimes under an hour, but I would even say most often about four hours.

That's so fast. I mean, that's dinner with your family and then it's done. I don't know how any human really can keep up with that. Well, you talk about the full attack life cycle. What happens during that window between initial access and encryption?

So Akira typically is able to get onto networks through the exploitation of certain vulnerabilities. One of those really is the SonicWall vulnerabilities that we've been able, that we've seen several actors start to use, but they're getting on, they're establishing that initial foothold, starting to develop and identify credentials. And then they rapidly cascade into a full domain compromise. So they'll commonly use tools when they go across your network that are often found already there. They're using in packet, like data staging tools. They are developing persistence through things like AnyDesk and then using just other items, which we've seen across other attack cycles. But what makes it really fast, and what makes a lot of the groups nowadays much faster, is as they're going through and looking across the network, they're really targeting hypervisors. And that's the part of a network that allows for the virtualization across it all, right? We're all connected more. We all have more connected devices than we did in the past. If a group like Akira is able to stage there, they can try to encrypt over 100 servers at once. And that can be just really impactful very quickly.

So talking about the speed here, is this mostly the result of automation? Is it, are they pre-positioning themselves before encryption? How do they achieve this?

So in a few ways. One is the hypervisors that I talked about.
Those have really just rapidly increased the speed across most ransomware groups because it allows speed across your own network. It allows speed for when the ransomware actors are trying to do a lot of things at once. But Akira has taken this, I think, to a different level. As they're encrypting files, they're actually not encrypting 100% of the file. In certain large files, they're only encrypting 1% of that file because they know that still makes it inaccessible to you. But it also speeds up their operations significantly in going through and being able to encrypt files rapidly. Now, I think it's really tempting to say, oh, it must be AI, right? That's why these actors have been able to go so fast. And I mean, yeah, I'm sure groups like Akira have been able to incorporate the same way as we all do business efficiency on our end. But it really is a lot more just about repetition, having a playbook, being more deliberate and executing your operations via that playbook. And then using some of these tools like hypervisors, like encryption of only a small percentage of the file to speed it up even further.

Yeah, one of the things that really surprised me in your research was how much Akira invests in making sure that victims can actually recover their files after paying. Why is it important for them to prioritize that?

Well, it's interesting, right? Because most ransomware groups we see, they put a lot more effort into breaking things than they do fixing things. But because Akira sees itself as a business and it believes its operational success is predicated on creating efficiencies, being able to do volume, making sure people pay, they've spent a much more significant time developing decryptors that actually work.
I actually talked to an incident responder who told me once, like, I almost want to tell people that got encrypted by Akira, like, congratulations, you're probably going to get your files back a lot more. And that's not an advertisement for them, right? It just shows that they really are trying to influence not just the victims, who may or may not know that aspect, but the incident responders, the negotiators, everybody who's involved in an incident response will, when they have the knowledge that, well, this decryptor works more than this decryptor, or, hey, if you pay, maybe you're going to be able to get more of your files back. I mean, that matters. And it shows how Akira really is thinking about the broad spectrum of how a victim experiences a ransomware attack to try to maximize their financial gains.

Yeah, it really, I guess, reflects the level of professionalism that we have with a high-level group like Akira.

Well, it makes it scary to talk about professionalism among ransomware actors because it means they've been allowed to operate with such impunity that they've been able to develop that repetition. They've been able to develop those playbooks and develop that professionalization. It makes me kind of mad.

So what are your recommendations here, based on all the information that you've put together in this research? How should defenders best position themselves to protect themselves here?

Overall, organizations that have not yet addressed exposed VPN appliances, legacy credentials, and gaps in multi-factor authentication enforcement really are the most at risk to Akira attacks. So ensuring that you are patching the vulnerabilities that are exploited specifically by Akira, monitoring and restricting remote services, the misuse of valid accounts, ensuring that you can reduce your exposure from trusted relationships, third-party pathways. A lot of that is going to sound very familiar to everyone. But here's what I'd emphasize.
If Akira can go from initial access to full encryption in one hour, humans can't necessarily intervene in that amount of time. You really have to focus in on automated tools that detect, contain, and kick off threat actors before even some of our teams can get to answer their phones. Because if we're doing that process, it's too late. So really getting into that automation, assuming you could be breached. So what happens? How do I quickly address it? What tools can I put in place to quickly address it? That's the most important thing when you're looking at such a speedy type of attack.

That's Cynthia Kaiser, Senior Vice President of the Ransomware Research Center at Halcyon.

Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com slash n2k today.

And finally, a growing industry known as Emotion AI promises employers something managers have apparently dreamed of for centuries: not just productive workers, but cheerful, agreeable ones too.
In a sweeping look at workforce surveillance, The Atlantic's Ellen Cushing describes software that analyzes faces, voices, emails, and chat messages to measure emotions like attentiveness, positivity, and frustration. Some systems monitor call center tone, truck driver fatigue, or employee friendliness, while others score job candidates during interviews. One fast food headset assistant is even named Patty, because nothing says human connection quite like being emotionally evaluated by a branded chatbot during the lunch rush. Researchers and privacy advocates warn the technology often rests on shaky science and can misread context, culture, disability, or simple concentration as negativity. Still, companies continue adopting these tools as workplace analytics expand from measuring what employees do to measuring how pleasantly they appear to do it.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.

N2K's lead producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.