You're listening to the Cyber Wire Network, powered by N2K. No, it's not your imagination. Risk and regulation are ramping up, and customers expect proof of security just to do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform. Whether you're preparing for a SOC 2 or managing an enterprise GRC program, Vanta helps keep you secure and your deals moving. Companies like Ramp and Rider report spending 82% less time on audits. That's not just faster compliance, that's more time to focus on growth. When I look around the industry, I see over 10,000 companies from startups to big enterprises trusting Vanta. Get started at vanta.com slash cyber. CISO warns copy fail is under active exploitation. Attackers compromise installers for a widely used disk imaging utility. Muddy Water masks cyber espionage as ransomware. Attackers spread malware through a fake open claw plugin. Researchers ID a new Linux rat. Vimeo blames a third-party provider for a recent breach. Palo Alto's captive portal is under attack. The FTC settles with a data broker over location sharing. A former Conti gang member gets jail time. Our guest is Dov Yoran, CEO of Command Zero, discussing how cybersecurity teams are fighting AI with AI. And geo-targeting turns creepy. It's Wednesday, May 6th, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us. CISA is warning that a newly disclosed Linux kernel flaw called copyfail is already being exploited days after researchers released a working root-level exploit. The bug allows low-privileged users to gain full root access on vulnerable Linux systems, Cybersecurity consultancy Fiori says its AI-powered testing platform, Exint, discovered the flaw and reported it in March. The company later released a proof-of-concept exploit that works against Ubuntu, Amazon Linux, Red Hat Enterprise Linux, and SUSE Systems. Researchers warned most mainstream Linux kernels released since 2017 may be vulnerable. The attack requires minimal access and no user interaction, making it useful for attackers who already have an initial foothold. CISA has added the flaw to its known exploited vulnerabilities catalog and ordered federal agencies to patch by May 15th. Microsoft says it is already observing early exploitation activity following the exploit's release. Researchers at Kaspersky say attackers compromised installers for daemon tools, a widely used disk imaging utility, and distributed malware through the software's official website in a global supply chain attack. The malicious installers affected multiple versions and were first observed in early April. Kaspersky says thousands of infection attempts have been recorded across more than 100 countries. Most victims received a basic information-stealing payload, while a smaller number of targets in government, science, manufacturing, and retail sectors received more advanced malware, including a backdoor linked to QuickRat. Trusted software distribution channels remain a high-value target for attackers. Supply chain compromises can bypass traditional trust controls and quickly scale across organizations using legitimate software updates. Disksoft, the Latvia-based developer behind Daemon Tools, says it is investigating. Researchers at Rapid7 say the Iran-linked threat group Muddy Water conducted an intrusion that appeared to be ransomware, but operated more like a cyber espionage campaign. The attackers reportedly used Microsoft Teams social engineering to gain access through screen-sharing sessions, then harvested credentials, manipulated multi-factor authentication protections, and deployed remote access tools, including AnyDesk and DW Agent. Rapid 7 says the group conducted reconnaissance moved laterally and exfiltrated data but never deployed file-encrypting ransomware. Instead, the attackers used chaos ransomware branding and extortion emails as apparent false flags while maintaining persistence in the victim environment. The operation blurred the line between espionage and financially motivated cybercrime, potentially delaying incident response and attribution efforts. Rapid7 linked the activity to muddy water with moderate confidence based on infrastructure, malware, and operational patterns associated with previous campaigns tied to Iran's Ministry of Intelligence and Security. Researchers at Zscaler Threat Labs say attackers are abusing the OpenClaw AI automation framework to distribute malware through a fake plug-in called DeepSeek Claw. The campaign targeted developers and autonomous AI agents by embedding malicious instructions into plug files downloaded from public repositories On Windows systems the malware chain deployed the Remcos remote access trojan using DLL sideloading with a legitimate GoToMeeting executable. On macOS and Linux, attackers used obfuscated Node.js scripts and fake password prompts to steal credentials, SSH keys, cryptocurrency wallets, and cloud API tokens. Zscaler says the campaign also delivered the ghostloader information stealer. The operation highlights growing risks tied to high-privileged AI tools and third-party AI plugins. Researchers warn that autonomous AI agents introduce new attack services with broad system access, making supply chain vetting and behavioral monitoring increasingly important for enterprise defenders. Researchers at Trend Micro have identified a Linux remote access trojan called QLNX that appears designed to steal developer credentials and compromise software supply chains. The malware targets Amazon Web Services credentials, Kubernetes tokens, Docker Hub logins, Git access tokens, NPM authentication tokens, and PyPy API keys. Trend Micro says attackers could use the stolen credentials to publish malicious software updates or pivot into cloud environments. QLNX includes multiple stealth features, including memory-only execution, rootkit functionality, log clearing, and six separate persistence mechanisms. The malware also deploys pluggable authentication module backdoors to harvest credentials and supports dozens of commands for remote control, file manipulation, and data theft. Researchers warn the malware's danger comes from how its capabilities work together to establish long-term stealth and persistent access inside developer environments. A successful compromise of a software maintainer could expose downstream users through poisoned packages and altered build pipelines. Vimeo says a breach affecting more than 119,000 users originated through third-party analytics provider Anadot, not Vimeo's own systems. According to Have I Been Pwned, attackers accessed customer email addresses and some associated names. Vimeo says the stolen data also included video titles and metadata, but not video content, login credentials, or payment card information. The company linked the incident to compromised Anodot integrations and says it has since disabled the connection, revoked credentials, and launched an investigation with outside security support. Researchers and breach analysts warn that exposed email lists tied to contextual account data can fuel targeted phishing campaigns for years after a breach. Palo Alto Networks is warning customers that attackers are exploiting a critical zero-day flaw in the PanOS User ID Authentication Portal, also known as the Captive Portal. The buffer overflow vulnerability allows unauthenticated attackers to execute arbitrary code with root privileges on exposed PA series and VM series firewalls. Halo Alto says limited exploitation has already been observed against internet-facing systems. The company has not yet released a patch and is urging customers to restrict portal access to trusted internal networks or disable the feature entirely. Shadow Server says more than 5,800 vulnerable VM series firewalls remain exposed online. The Federal Trade Commission and data broker Kochava have reached a proposed settlement that would bar the company from selling or sharing sensitive location data without explicit consumer consent. The FTC accused Kochava in a 2023 complaint of collecting and selling detailed geolocation data, mobile device identifiers, app usage information, and income data. Regulators said the company's data could reveal visits to places like health clinics and houses of worship without users' knowledge. Under the agreement, Kochava must implement programs to track sensitive locations, verify consent from data suppliers, limit data retention, and allow consumers to withdraw consent or request information about data sales. The case highlights growing regulatory pressure on the location data industry and the risks tied to large-scale collection of precise consumer movement data. Kochava says the settlement reflects its commitment to privacy and responsible data practices. A Latvian national accused of working with former members of the Conti ransomware group has been sentenced to 102 months in prison for conspiracy involving wire fraud and money laundering. U.S. authorities say Denis Zola Tarzhov participated in ransomware operations between 2021 and 2023 that targeted more than 54 organizations using malware families, including Conti, Akira, Royal, and Karakurt. Investigators say the attacks caused hundreds of millions of dollars in losses and involved the theft of sensitive personal and health information. Zola Tarzhoff was arrested in Georgia in 2023, extradited to the U.S. in 2024, and pleaded guilty last year. The case underscores continued international cooperation against ransomware operators and highlights how former Conti affiliates continue to appear across multiple ransomware-as-a-service operations years after the group's original disruption. Coming up after the break, my conversation with Dov Yoran, CEO of Command Zero, discussing how cybersecurity teams are fighting AI with AI. And geo-targeting turns creepy. Stay with us. Thank you. And now a word from our sponsor, the Center for Cyber Health and Hazard Strategies, also known as CHHS. Looking for a graduate degree that will give you an edge on your professional career? Earn a Master of Science in Law at University of Maryland Cary School of Law. This part-time, two-year online graduate degree program is designed for experienced professionals to understand laws and policies that impact your industry. Learn from CHHS faculty who are experts in their field. No GRE required. Learn how you can master the law without a JD at law.umaryland.edu. Dov Yoran is CEO of Command Zero. I recently got together with him to learn how cybersecurity teams are fighting AI with AI. So today we're talking about AI and how folks are kind of fighting fire with fire when it comes to AI. Can we start off with some high-level stuff? Can you give us a little bit of the history and background of what led us to this particular place where we find ourselves when it comes to AI and how people are using it in their SOCs? Yeah, it's been a gradual process. Always refining and helping SOC analysts move forward and continue to increase their productivity given technology gains, cloud, SaaS, and other things. And AI is really the next revolution in that series. So that's something that's been a gradual step up, if you will. And now with the advent of AI, it's been an incredible catapult moving forward to really level the playing game amongst analysts of different experience levels and different size organizations and so on and so forth. So where do we stand right now when it comes to the threat actors adopting these AI tools? Attackers have moved pretty fast and they're unencumbered by, you know, procurements and the legal process, right? So the clearest examples are in automation and skill, right? You know, AI lets adversaries chain tools together autonomously, reconnaissance, you know, lateral movement, exfiltration, right, with the speed and precision that wasn't really possible before. So they're effectively leveraging and operating with LLM speed. So while we're also seeing AI used to craft more convincing phishing and social engineering attacks at volume and at scale, so what we used to require a skilled human now takes, yeah, just a few moments to generalize or to generate and personalize at scale. And that's obviously a big concern, right? AI is lowering that barrier of attack, that sophistication. You don't need nation-state teams and technologies and resources to run advanced operations anymore. That's asymmetrical. Defenders are still largely doing manual parts and trying to increase their SOC efficiencies. But that's a pretty core problem that we're trying to solve. right now in the industry. And so on the defender's side, what sorts of tools are available to them to help ward off these AI threats? Yeah, the most immediate impact is investigation speed, what we hope, right? You know, platforms such as Command Zero, right? You know, being able to have a thorough alert investigation that used to consume an analyst's entire day, with AI agents, that same investigation can be completed in minutes. So you're pulling context from various platforms in the environment, from your endpoints, from your identity, from your email, from your cloud, threat intel, so on and so forth. And you're delivering really a more comprehensive report with a verdict. And speed is certainly a high mark, but that's really only part of it. The deeper value is the consistency and thoroughness. Human analysts have good days and bad days, but AI agents don't. Every investigation follows similar methodologies, asks the same levels of questions, the same standards, the same consistencies. That manual processes can really have a tough time delivering that skill. So, you know, at Command Zero, we're seeing AI compress that skills gap that I mentioned earlier between your junior or your lesser experienced folks and your more experienced teams. And so those tasks that once required just senior analysts, because they needed that experience, that knowledge of different applications across different platforms, can now be done, you know, in a much simpler way and in a much more consistent way across that entire team. That, we think, is that big sea change and structurally changing how SOX operate today, you know, leveraging AI as part of that solution. Can you share with us what the onboarding process is like? As people adjust to the new reality of these tools, is there a period of time where they're kind of gaining trust with them? They're getting used to them, you know, seeing how the changes are going to be implemented in their world? Our experience is incredibly short, right? It's a matter of days, sometimes a week or two, right? It's understanding the environment is deploying. It's a cloud-only solution set. So having access to some of the data elements, enabling that takes minutes and auto-generating content, usually within a few hours. And the team can rock and roll. So they're looking at the events, they being guided through and shown investigations they looking at conclusions and all the varying underlying data that comprises of those conclusions and even subordinate conclusions that weren finalized all those things really make for a rich experience And it really up-levels all those analysts in our client base, right? The more experienced tier three folks have the ability to leverage and replicate their investigations to more junior folks. And, you know, showing that ability, not only ability, but that comprehensive outlook on what was discovered and what remediation and conclusions are given from that. as opposed to or in addition to the more junior team members now being able to ask questions and follow and auto-prompt and auto-generate investigations on data sources that they wouldn't normally be able to master without more experience. How are we ensuring that appropriate guardrails are put on these systems to make sure that they don't stray beyond what we want them to do? Yeah, that's a great point. And that's, I think, a major concern enterprises should be mindful of. What we do to keep tabs on that is we have very specific and very limited use of agents and how they're being deployed, the types of things that they have access to, the types of questions that they have in their arsenal and the types of information that they're collecting. From our standpoint, all of that is completely transparent, right? So you can see a full rap sheet on what was asked, how it was asked, the types of information that was drawn back. In my opinion, that trust in AI is built on this transparency and the auditability and the reproducibility of these investigations. So having these agents as part of a human investigation, collaborating deeply with the human, all these things are reproducible and more deterministic. I think all of those are helpful in the checks and balances of keeping a proper governance model on your agents as opposed to letting them just run wild in the environment. What is your sense for where we're headed with these things? I mean, I think it seems like certainly AI is our future here, but do you have any sense for where this might grow into? What are some of the things that people can look forward to? Yeah, I mean, listen, it is great. And even in the short term, even now, right, the mundane tasks and the tedious tasks that are even prone to error and user error because they're so repetitive. a lot of those things can be automatically pulled out and addressed by agents. So it is really up-leveling that human talent and enabling more creativity and more superhuman capabilities of leveraging better automation and agentic workflows into their environment. Honestly, I see it expanding to beyond just the pure security operations center into other adjacencies, into cyber, and into other domains of the CISO's charter and domain of control, span of control. Similarly, how that reflects AI in general, how we're seeing that transform and broaden its reach in and across society at large. So it's super exciting. That's Dov Yaron from Command Zero. And finally, a 19-year-old University of Tennessee student is suing the makers of the dating app Meet, that's M-E-E-T-E, alleging the company turned a harmless TikTok graduation video into an ad suggesting she was looking for friends with benefits. Then, Gio targeted the promotion to people near her dorm. College introductions can be awkward enough to begin with, but according to the lawsuit, she discovered it by people introducing themselves, saying, hey, I keep seeing your dating app ad on Snapchat. The complaint alleges Meet edited her video, added graphics and a voiceover, and used location-based targeting to serve the ads to nearby men without her consent. Her attorney says the campaign damaged her reputation and created real safety concerns by falsely implying she endorsed the app and was soliciting hookups. The case highlights how simple editing tools and ad targeting systems can weaponize someone's likeness without sophisticated AI. Snap says it's investigating, while Meats listed publisher, which advertises safety and respect first, has not publicly responded. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. N2K's lead producer is Liz Stokes. Remixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazis. Our executive producer is Jennifer Ivan. Peter Kilty is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
