CyberWire Daily

Your signal is showing.

27 min
Apr 23, 2026 (5 days ago)
Summary

CyberWire Daily covers major cybersecurity threats including SS7/Diameter signaling exploits for global location tracking, new U.S. privacy legislation, China-linked threat actors using compromised devices, ransomware marketplace operations, and AI security risks including prompt injection attacks. The episode also features an interview with hosts of the new AI Security Brief podcast discussing actionable AI security strategies for enterprise leaders.

Insights
  • Mobile infrastructure vulnerabilities enable persistent covert tracking of high-profile targets at scale despite known risks, creating exposure for executives and government officials worldwide
  • Ransomware operations function as structured criminal marketplaces with specialized roles (access brokers, malware operators, affiliates) that enable faster scaling and make disruption harder
  • Hidden prompt injection techniques exploit LLMs' inability to distinguish data from instructions, creating new attack vectors through seemingly legitimate web content and automation tasks
  • Attackers increasingly abuse legitimate enterprise services (Slack, Discord, Microsoft 365) for command-and-control to evade detection in trusted platforms
  • macOS security gaps compared to Windows environments create growing risks as enterprise adoption increases, with attackers leveraging native administrative features for lateral movement
Trends
  • Signaling layer abuse (SS7/Diameter) becoming persistent threat vector for location tracking despite regulatory awareness
  • Criminal infrastructure specialization enabling ransomware-as-a-service marketplace scaling with reduced operational friction
  • AI-powered indirect attacks through hidden web prompts targeting LLM-based agents and automation workflows
  • Legitimate cloud services weaponization for espionage and command-and-control to blend malicious traffic into trusted platforms
  • Living-off-the-land attack techniques exploiting native OS capabilities to bypass endpoint detection and monitoring
  • U.S. regulatory shift toward comprehensive national privacy standards with opt-in consent requirements for sensitive data
  • Indicator of compromise extinction techniques complicating forensic analysis and threat attribution
  • AI lowering barriers to entry and reducing costs for cybercriminal operations and service economy
  • Enterprise macOS adoption outpacing security monitoring maturity relative to Windows environments
  • Physical sensor manipulation for financial gain in prediction markets creating new attack surface
Topics
  • SS7 and Diameter Protocol Vulnerabilities
  • Covert Location Tracking and Surveillance
  • U.S. Privacy Legislation (Secure Data Act, GARD Financial Data Act)
  • China-Linked Threat Actors and Attribution
  • Ransomware-as-a-Service Marketplace Operations
  • Gopher Whisper Threat Actor and Cloud Espionage
  • Indirect Prompt Injection and LLM Security
  • Apple Notification Data Residue Vulnerability
  • macOS Administrative Features Exploitation
  • Microsoft Defender Privilege Escalation Zero-Day
  • AI Security Brief Podcast Launch
  • AI Economics in Cybercrime
  • Responsible AI and Board-Level Risk Communication
  • Shadow AI Applications and Policy Enforcement
  • Deepfake and Social Engineering Defense
Companies
Citizen Lab
Security research organization that uncovered covert surveillance campaigns exploiting SS7 and Diameter signaling vul...
Microsoft
Released patches for Defender privilege escalation zero-day with May 7 remediation deadline ordered by CISA
Apple
Released security updates for iPhones and iPads to fix notification logging flaw allowing recovery of deleted app not...
ESET
Identified previously undocumented Gopher Whisper threat actor using cloud platforms for government espionage since 2023
Cisco Talos
Researchers warned that attackers exploit built-in macOS administrative features for lateral movement and code execution
Forcepoint X-Labs
Identified 10 live cases of indirect prompt injection techniques manipulating LLMs through hidden web instructions
Huntress
Reported evidence of hands-on keyboard intrusion activity linked to Microsoft Defender zero-day exploitation
Comparatex
Analyzed leaked RAMP Cybercrime Forum database revealing ransomware marketplace structure and operations
UK National Cybersecurity Center (GCHQ)
Released joint guidance with 15 international partners on China-linked threat actors using compromised edge devices
Federal Trade Commission
Designated as enforcement agency for proposed Secure Data Act privacy legislation
Trend Micro
Launched AI Security Brief podcast with hosts Dustin Childs and Johnny Hand to discuss actionable AI security strategies
Aventus Security
CEO Sash Jane featured in upcoming AI Security Brief episode discussing board-level risk communication
Signal
Confirmed notification logging flaw enabled authorities to recover message notification content after app deletion
People
Dave Bittner
Host of CyberWire Daily conducting interviews and presenting cybersecurity news briefing
Dustin Childs
Co-host of new AI Security Brief podcast; former Microsoft Security Response Center manager handling Patch Tuesday
Johnny Hand
Co-host of AI Security Brief podcast; former U.S. Navy technologist and Naval Special Warfare Development Group leader
Bob McArdle
Featured in AI Security Brief episode discussing how AI changes economics of cybercrime and lowers criminal service c...
Ashish Rajan
Featured in AI Security Brief episode discussing AI coding impact on SaaS applications and secure development
Sash Jane
Featured in upcoming AI Security Brief episode on responsible AI and translating technical risk to board-level budgets
Sean Plankey
Withdrew nomination to lead CISA after more than a year without Senate confirmation due to opposition
Paul Marquis
Analyzed Paris airport weather sensor anomalies and concluded physical intervention with heating device was most plau...
Quotes
"Over 10,000 companies, from startups to large enterprises, trust Vanta to help prove their security."
Sponsor message, opening segment
"There's so much hype around AI, and there's so little actionable takeaways that people really understand. So we're looking to bridge that and give an opportunity for real practitioners in the AI space to give CISOs and other security leaders things that they can really do and understand."
Dustin Childs, AI Security Brief interview
"The ground has shifted for many of the security practitioners. And it's honestly really hard to keep up with the pace of innovation, but also the pace that the threat actors and adversaries are using AI against us as well."
Johnny Hand, AI Security Brief interview
"I just learned something I want to share with my team, or I just learned something I want to go have a further conversation with about the people who I work with and how it impacts us."
Dustin Childs, AI Security Brief interview
"Markets that rely on a single physical sensor create incentives to influence that center, turning routine weather instrumentation into an unexpectedly lucrative target for creative forecasting."
Dave Bittner, closing segment
Full Transcript
You're listening to the Cyber Wire Network, powered by N2K. No, it's not your imagination. Risk and regulation really are ramping up, and these days customers expect proof of security before they'll even do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're getting ready for a SOC 2 or managing an enterprise governance, risk, and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and Riders spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me, it comes down to this. Over 10,000 companies, from startups to large enterprises, trust Vanta to help prove their security. Get started at vanta.com slash cyber. We'll be right back.

blends into cloud services for espionage. Attackers poison AI with hidden web prompts. Apple patches lingering notification data. macOS admin tools become attacker pathways. CISA orders urgent fixes for a Microsoft Defender zero-day, and their director nominee withdraws. Our guests today are Johnny Hand and Dustin Childs, hosts of Trend AI's AI Security Brief podcast. And a meteorological mystery meets market manipulation. It's Thursday, April 23rd, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

Thanks for joining us here today. It is great, as always, to have you with us.

Security researchers have uncovered two covert surveillance campaigns exploiting telecom signaling weaknesses to track individuals' locations worldwide. Citizen Lab reports the operators posed as legitimate cellular providers and abused access to global signaling systems to query subscriber location data. The campaigns exploited vulnerabilities in Signaling System 7, or SS7, and in Diameter, a newer protocol sometimes deployed without full protections. Researchers identified repeated use of infrastructure linked to O19 Mobile, Tango Networks UK, and Airtel Jersey. One campaign also used SimJacker-style hidden SMS commands against a high-profile target. Continued signaling-layer abuse shows global mobile infrastructure still enables covert tracking at scale, creating persistent exposure for executives, activists, and government officials despite known risks.

House Republicans have introduced two coordinated bills aimed at expanding nationwide privacy protections and strengthening consumer control over financial and personal data. The Secure Data Act would establish a national privacy and data security standard, create rights to access, delete, and limit use of personal data, and require consent for processing sensitive information. It would also impose disclosure and minimization requirements on companies and data brokers, with enforcement by the Federal Trade Commission and state attorneys general. The GARD Financial Data Act would modernize the Gramm-Leach-Bliley Act by requiring opt-in consent before sharing sensitive financial data and allowing customers, including former customers, to access or delete stored information. The proposals signal a coordinated effort to reshape U.S. privacy governance and increase accountability for organizations handling sensitive consumer and financial data.

International cybersecurity agencies warn that China-linked threat actors are increasingly using covert networks of compromised devices to disguise their operations and evade detection. The UK National Cyber Security Centre, part of GCHQ, and 15 international partners released joint guidance describing how attackers exploit vulnerable edge devices, such as home routers and smart devices, to route malicious traffic, steal data, and maintain persistent access to critical sectors. The advisory also highlights indicator of compromise extinction, where forensic clues disappear quickly, complicating detection and response. Experts say defenders must shift toward intelligence-driven monitoring and stronger baseline protections, as attackers scale infrastructure designed to obscure attribution and persistence across global networks.

A leaked database from the RAMP Cybercrime Forum is offering rare insight into how ransomware operations function as structured criminal marketplaces rather than isolated attacks. According to Comparatex analysis, the leak includes records spanning November 2021 through January 24, covering over 7,700 users, over 1,700 forum threads, more than 340,000 IP logs, and nearly 1 private conversations. The forum supported access sales to compromised corporate networks, ransomware-as-a-service recruitment, and deal negotiations in private messages. Listings targeted organizations across more than 20 countries, with the United States appearing in 40% of identified cases. The data illustrates how specialization across access brokers, malware operators, and affiliates enables ransomware campaigns to scale faster and become harder for defenders to disrupt.

Researchers have identified a previously undocumented threat actor called Gopher Whisper, using legitimate cloud platforms to conduct espionage against government targets. According to ESET, the group has operated since at least 2023 and deployed a Go-based malware toolkit against a Mongolian government entity, compromising 12 systems and likely dozens more victims globally. The toolset includes multiple backdoors that use Slack, Discord, and the Microsoft Graph API through Microsoft 365 Outlook for command and control, plus a custom exfiltration utility that uploads stolen data to file.io. Analysis of command activity patterns and metadata linked the activity to China. Blending command traffic into trusted enterprise services complicates detection and enables persistent access across sensitive government environments.

Researchers warn that attackers are actively using indirect prompt injection techniques to manipulate large language models through hidden instructions embedded in ordinary websites. Forcepoint X-Labs reports threat actors concealed commands in web content using hidden text, metadata, and styling tricks that AI agents can read but users cannot see. Telemetry identified 10 live cases in April involving actions such as API key theft, fraudulent payment attempts, denial-of-service behavior, and data deletion commands. Researchers say the technique exploits LLMs' inability to distinguish between data and instructions when processing external content. Organizations deploying AI assistants or coding agents may face new risks if models execute hidden web instructions as trusted commands during routine browsing or automation tasks.

Apple has released security updates for iPhones and iPads to fix a notification logging flaw that allowed deleted app notifications to remain stored on devices. The vulnerability affected notification services and was addressed with improved data redaction in iOS and iPadOS updates. Signal confirmed the flaw enabled authorities to recover message notification content even after the Signal app was deleted, though Apple said it has no evidence of active exploitation. Residual notification data can expose sensitive communications even after apps are removed, highlighting risks in mobile notification storage.

Researchers at Cisco Talos warn that attackers can exploit built-in macOS administrative features to move laterally and execute code across enterprise environments without traditional malware. The study shows adversaries can repurpose native capabilities such as remote application scripting, AppleScript, Spotlight metadata, and common utilities including SSH, socat, Netcat, and SNMP to deliver payloads, transfer tools, and maintain persistence. Techniques include storing malicious code in Finder metadata and using legitimate inter-process communication channels that evade typical endpoint detection telemetry. Researchers say these living-off-the-land methods exploit gaps in macOS monitoring compared with Windows environments. Growing enterprise macOS adoption increases exposure to stealthy attacks that blend into normal system activity and bypass conventional detection controls.

CISA has ordered U.S. federal agencies to patch a Microsoft Defender privilege escalation vulnerability exploited in ongoing zero-day attacks within two weeks. The flaw allows low-privileged local attackers to gain system access on unpatched devices. Microsoft released fixes on April 14, and Huntress reported evidence of hands-on-keyboard intrusion activity linked to the vulnerability. CISA added the issue to its Known Exploited Vulnerabilities catalog with a May 7 remediation deadline.

Additionally, Sean Plankey has withdrawn his nomination to lead CISA after more than a year without Senate confirmation. Plankey notified Homeland Security leadership and the White House that the Senate would not advance his nomination, which had been pending since March 2025, despite clearing committee review. His withdrawal follows reported opposition tied to an unrelated Coast Guard shipbuilding dispute and comes amid broader leadership turnover at CISA.

Coming up after the break, my conversation with Johnny Hand and Dustin Childs, hosts of Trend AI's new AI Security Brief podcast, and a meteorological mystery meets market manipulation. Stay with us.

Thank you. about it. That's where Nudge Security comes in. Nudge finds shadow AI apps, integrations, and agents on day one and helps you enforce policy without blocking productivity. Try it free at nudgesecurity slash cyberwire.

Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel, outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com.

Johnny Hand and Dustin Childs are hosts of Trend AI's brand new AI Security Brief podcast right here on the N2K CyberWire network. I caught up with Johnny and Dustin for insights and a sneak peek at the show.

Well, Johnny and Dustin, welcome to the show. It's great to have both of you with us here, and I appreciate you taking the time.

No problem. Happy to be here.

Yeah, thank you.

Well, let's start out by learning a little bit about both of you. Dustin, can I start with you? Where did you get your start and what led you to where you are today?

Oh, well, that's going to take me back. So I actually got my start in InfoSec back in 1997, believe it or not, when I was assigned to the Air Force unit designed to catch hackers. So that's where I, you know, learned everything back on ancient systems and everything else when we were happy to catch a port scan. But from there, I did that quite a while, worked for the government, then moved to Microsoft as part of their Microsoft Security Response Center. I did Patch Tuesday for about seven or eight years and, you know, did a lot of different things to take you back. If you remember Conficker, Stuxnet, a lot of those were my cases where I was a program manager for that and getting those updates out the door. And then at the beginning of 2015, I joined the Zero Day Initiative and have been here ever since. And it's a lot more fun on this side, receiving bugs and paying for bugs and running Pwn2Own than it is trying to fix everything. So, yeah, that's kind of been my journey in a real quick step. So it's been a lot of really actionable stuff, a lot of learning over the years. So it's been really great.

No, that is quite a journey. Johnny, how about you?

Very similar to Dustin. I started out in the U.S. Navy as a technologist and have pretty much been tasked with deploying and securing technology pretty much across every type of environment. Of course, obviously, naval ships, but I started working back in 2006 more focused on information security as an information assurance manager for the command that I was at, and then just fell in love with cyber operations in general. Moved around a little bit in the Navy and had experience to go as a technologist and as a leading technologist with the Naval Special Warfare Development Group. So working with SEAL teams and special operations and then transitioned from there into the Navy Cyber Defense Operations Command, really focusing on defensive cyber operations at scale for the DOD. And then once I got out of the military, I moved into the higher education space, had the opportunity to build a security program and start leading technology initiatives in the university landscape, which is definitely more interesting in many ways, especially from the viewpoint of having a large international student population. So it's always an interesting environment to secure. And then just really fell in love with the operations there and building out programs. And now have made the switch from being a customer of Trend AI into focusing on adoption and really innovation around AI.

Well, the podcast is AI Security Brief. Let's start with some high-level stuff here. What prompted the creation of the show?

I think as Trend AI, Trend Micro transitioned into Trend AI, we wanted to kind of highlight some of the work we're doing. And we wanted to see what work others were doing, not only just for our knowledge and notification, but to give our listeners some actionable stuff. There's so much hype around AI, and there's so little actionable takeaways that people really understand. So we're looking to bridge that and give an opportunity for real practitioners in the AI space to give CISOs and other security leaders things that they can really do and understand about how to defend their environment from potential AI threats and then how to use AI to defend their environment as well. So I think from my perspective, Johnny, I hope you get to chime in here as well. But that's really, I think, the goal of the podcast.

Yeah, it's a great focus too, because I think that the ground has shifted for many of the security practitioners. And it's honestly really hard to keep up with the pace of innovation, but also the pace that the threat actors and adversaries are using AI against us as well. So we really wanted to take an approach where we looked at the innovation and really celebrated the innovation, but also looked at the opportunities to give, like Dustin said, those really foundational opportunities to secure your environment against the innovation that's happening at scale.

You know, one of the things that I really enjoy about your show is in a world where there is so much noise around everything AI, you're having real conversations with real leaders in the space. Can you dig into that a little bit for me, Johnny? Who are the folks that you're talking to?

When we started looking at the podcast as an opportunity to connect not only the challenges of today, but like where we're leading. We often talk about this as being for those security leaders that are looking out into the future, getting six months ahead of what's coming next. And so in order to do that, we're not just focused on the C-suite leaders like many people talk to. I think we've looked across and we want to talk to practitioners. We want to talk to those that are in the trenches every day, but also those that are at the board level that are being pressured in many ways to adopt AI and innovate. And ultimately the conversations are centered around building confidence so that they can be excited and feel confident to innovate. So we're looking at and having those conversations with threat researchers and law enforcement and the security leaders, those CISOs and those CIOs, but also just looking across the landscape at everyone that has a touch point involved with AI security.

Dustin, from your point of view, what's the value proposition here? What are you hoping people come away from the show with?

Well, I think the number one thing is we want listeners to finish an episode thinking, I just learned something I want to share with my team, or I just learned something I want to go have a further conversation with about the people who I work with and how it impacts us. So whether it's where the AI threat landscape is heading or actionable advice that they can take and use immediately or clarity on just what is the latest thing that, you know, marketing is pitching to us that we need to really understand, but how to connect the AI security risk to business in a way that gets the board to listen. And that's really what I'm hoping that listeners will take away.

Well, let's give our listeners a little preview here. I know you have a few episodes ready to roll here as the show launches. Can you give us a little sneak peek at what we can expect to hear?

Sure, our first one is, how does AI change the economics of cybercrime? And that features Bob McArdle. He's the director of cybercrime research at Trend AI, and he has been working with law enforcement on cybercrime for over 20 years. He gave a talk at RSA about how AI is affecting the cost of cybercrime, and spoiler alert, it's lowering the cost. So the criminal service economy is being rebuilt around AI, and it's perfectly structured for it. So we have this great conversation about where the cybercrime folks are using AI and some actual items that people can do knowing that this is coming. Johnny, you want to pick up with us what else we have to look forward to?

Yeah, we also had great conversations with Ashish Rajan, who is a CISO, author, and a host of Cloud Security Podcast. He's also a co-host of the AI Security Podcast. So really great conversation and a practical conversation because we talked about the viability of the fact that really anyone can code now using AI and how that's going to impact the SaaS applications and the different secure applications that we have. And he did a really great job of diving into that subject and really talking about the impact that vibe coding and those components are going to have on the SaaS industry.

Yeah, I saw another one of your upcoming episodes has to do with AI and who's responsible when AI can make mistakes. Dustin, what can we look forward to there?

Yeah, our next episode is entitled Who's Responsible When AI Starts Making Mistakes? And it features Sash Jane, who's the president and CEO of Aventus Security. And it really looks at how do you talk to your board about the technical risk in a way that can translate into budgets for you to actually manage that risk.

Johnny, who do you suppose your target audience is here? Who are you trying to reach?

Our focus is really on those security leaders that are really struggling with adoption, trying to understand how to secure the AI that's in their environment. So we're focused on security leaders at the CISO level, those CIOs, those CTOs that are really trying to get their hands on what's happening, what's innovation at scale, and how can they secure that.

All right. Well, the show is AI Security Brief. That is from Trend AI and the hosts are Dustin Childs and Johnny Hand. Gentlemen, best of luck with the new show and thanks so much for taking the time for us.

You're very welcome and thank you for having us.

Yep. Thank you.

We've got a link to the first episode of the AI Security Brief podcast in our show notes. You can catch new episodes every other Thursday on your favorite podcast app.

And finally, French authorities are investigating unusual temperature spikes at a Paris airport weather sensor after anomalies aligned with roughly $34,000 in prediction market payouts. Météo-France filed a complaint following two brief readings above 22 degrees Celsius at Charles de Gaulle Airport on April 6th and April 15th, each resolving Polymarket wagers in bettors' favor. Meteorologist Paul Marquis said nearby stations showed no matching changes and concluded physical intervention with a heating device was the most plausible explanation. Polymarket later switched its Paris temperature data source to Le Bourget Airport. Markets that rely on a single physical sensor create incentives to influence that sensor, turning routine weather instrumentation into an unexpectedly lucrative target for creative forecasting.

And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights to keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.

and UK's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazis. Our executive producer is Jennifer Iben. Peter Kilpie is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Transcription by CastingWords