
Proposed cuts put CISA in focus.
CISA faces a $700 million budget cut. Russian and Iranian cyber cooperation raises concerns. New BPFDoor variants emerge. Cybercrime losses climb again. Researchers advance a GPU Rowhammer attack. Northern Ireland schools go offline after a breach. An alleged hacker-for-hire faces U.S. charges. And German police name the suspected REvil mastermind. Our guest is John Anthony Smith, Founder and Chief Security Officer at Fenix24, explaining why more technology hasn't made us more secure. A frustrated researcher drops the hammer.
Today is Tuesday, April 7th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Trump’s new budget cuts over seven hundred million dollars from CISA.
The Trump administration has proposed a $707 million cut to the Cybersecurity and Infrastructure Security Agency’s (CISA) fiscal year 2027 budget, reducing it to about $2 billion. According to the Office of Management and Budget, the move is intended to refocus CISA on protecting federal networks and critical infrastructure while eliminating what the administration describes as “weaponization and waste.” The proposal would remove programs considered redundant, including school safety initiatives, and dissolve offices handling international affairs, stakeholder engagement, and efforts to counter misinformation. Similar cuts proposed in 2025 were reduced by Congress. The plan follows earlier workforce reductions of roughly 1,000 staff, even as CISA now seeks to hire more than 300 mission-critical employees. Nick Andersen is serving as acting director, and Sean Plankey has been renominated for director.
Ukrainian intelligence highlights Russian and Iranian collaboration.
A Ukrainian intelligence assessment reviewed by Reuters alleges that Russian satellites conducted at least 24 imagery surveys of 46 military and infrastructure sites across 11 Middle Eastern countries between March 21 and 31, with intelligence shared to support Iranian strikes on U.S. and regional targets. According to the assessment, several surveyed sites were hit by Iranian missiles and drones within days, suggesting a coordinated pattern. A Western military source and a regional security source also reported increased Russian satellite activity. The report further claims Russian and Iranian hacker groups collaborated on cyber operations targeting regional infrastructure, including Israeli energy systems. Reuters could not independently verify the assessment. U.S. officials downplayed the operational impact, while Russia and Iran did not comment. The findings reflect deepening security cooperation under a bilateral strategic partnership agreement.
Researchers identify seven new BPFDoor variants.
Advanced persistent threat actors are adapting the BPFDoor malware after widespread deployment of static indicators of compromise forced changes to their tactics. Rapid7 Labs identified seven new BPFDoor variants, including httpShell and icmpShell, which enhance stealth and persistence. The kernel-level backdoor uses Berkeley Packet Filters to monitor traffic inside the operating system and activates through specially crafted “magic packets.” The variants enable stateless command-and-control routing and ICMP relays, allowing attackers to evade advanced defenses and maintain covert access in global telecommunications infrastructure.
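Because BPFDoor listens for its magic packets on a raw packet socket rather than a bound port, one host-level hunting check is to list every process that owns an AF_PACKET socket and compare against the tools that legitimately do so. The script below is an added defender-side example, not code from the podcast or from Rapid7; it assumes the Linux `/proc/net/packet` column layout (socket inode in the last column), a per-fleet allowlist of capture tools that you must tune yourself, and root privileges to read other users' file-descriptor tables on a live host. The sample table and process map are constructed.

```python
#!/usr/bin/env python3
"""Hunt for processes that hold raw AF_PACKET sockets on a Linux host.

BPFDoor-style implants attach a BPF filter to a packet socket so they can
watch for a trigger packet without listening on any port. A process that owns
such a socket and is not a known capture tool deserves a closer look.
"""
import os
import re
from typing import Dict, List, Tuple

# Assumption: processes that legitimately hold raw packet sockets; tune per fleet.
KNOWN_CAPTURE_TOOLS = {
    "tcpdump", "dhclient", "dhcpcd", "lldpd", "NetworkManager",
    "wpa_supplicant", "systemd-network",
}

FdMap = Dict[int, Tuple[str, List[int]]]  # pid -> (comm, socket inodes)


def parse_packet_table(text: str) -> List[int]:
    """Return the socket inodes listed in /proc/net/packet (last column per row)."""
    inodes = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        # sk RefCnt Type Proto Iface R Rmem User Inode -> nine columns
        if len(cols) >= 9 and cols[-1].isdigit():
            inodes.append(int(cols[-1]))
    return inodes


def find_packet_socket_owners(packet_table: str, fd_map: FdMap) -> List[Tuple[int, str]]:
    """Map AF_PACKET socket inodes back to (pid, comm) and keep unexpected owners."""
    wanted = set(parse_packet_table(packet_table))
    hits = []
    for pid, (comm, inodes) in sorted(fd_map.items()):
        if wanted.intersection(inodes) and comm not in KNOWN_CAPTURE_TOOLS:
            hits.append((pid, comm))
    return hits


_SOCKET_RE = re.compile(r"socket:\[(\d+)\]")


def collect_live_fd_map() -> FdMap:
    """Walk /proc on the running host; needs root to see every process's fds."""
    fd_map: FdMap = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            inodes = []
            for fd in os.listdir(f"/proc/{pid}/fd"):
                match = _SOCKET_RE.match(os.readlink(f"/proc/{pid}/fd/{fd}"))
                if match:
                    inodes.append(int(match.group(1)))
        except OSError:
            continue  # process exited or fd table not readable
        fd_map[pid] = (comm, inodes)
    return fd_map


# Constructed sample input mirroring the /proc/net/packet layout.
SAMPLE_PACKET_TABLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a10c2d4e000 3      3    0003   2     1 0      0      41523
ffff9a10c2d4e800 3      3    0003   0     1 0      0      98711
"""

# Constructed process map: one legitimate capture tool, one unexplained owner.
SAMPLE_FD_MAP: FdMap = {
    1203: ("tcpdump", [41523, 7]),
    2210: ("cache-helper", [98711, 12]),  # constructed name, not a real binary
    877: ("sshd", [30001]),
}


if __name__ == "__main__":
    if os.path.exists("/proc/net/packet") and os.geteuid() == 0:
        with open("/proc/net/packet") as fh:
            table = fh.read()
        owners = find_packet_socket_owners(table, collect_live_fd_map())
    else:
        owners = find_packet_socket_owners(SAMPLE_PACKET_TABLE, SAMPLE_FD_MAP)
    for pid, comm in owners:
        print(f"review: pid {pid} ({comm}) holds a raw packet socket")
```

Run as root on a live host to inspect real processes; otherwise it evaluates the constructed sample and reports the one owner that is not on the allowlist. A hit is a lead, not a verdict: confirm by checking the process's binary path, parent, and whether a BPF filter is attached before escalating.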
The FBI’s annual cyber crime report tracks increased losses.
The FBI’s Internet Crime Complaint Center (IC3) reported continued growth in cyber-enabled crime activity in 2025, highlighting ongoing financial losses from scams, fraud, and account-takeover schemes. Since January 2025, IC3 received more than 5,100 complaints tied to financial account-takeover fraud alone, with losses exceeding $262 million. The report also notes continued impersonation campaigns targeting victims through messages claiming to originate from IC3 officials, as well as spoofed websites designed to harvest sensitive data. Mail-theft-enabled check fraud and infrastructure-focused cyber incidents remain active concerns. Overall, IC3 reporting emphasizes that social engineering, credential theft, and impersonation continue to drive losses across sectors. The data underscores the importance of rapid incident reporting to support law enforcement response and trend tracking across evolving cybercrime campaigns.
Researchers demonstrate a new Rowhammer-based attack.
Researchers at the University of Toronto have demonstrated a new Rowhammer-based attack called GPUBreach that enables privilege escalation by targeting GPU memory. Rowhammer exploits electrical interference from repeated memory access to trigger bit flips, historically affecting CPU memory. The team previously showed GPUHammer, which degraded deep neural network accuracy by flipping bits in Nvidia GPU memory. Their latest work shows attackers can corrupt GDDR6 GPU page tables to gain arbitrary read-write access to memory. Combined with memory-safety flaws in Nvidia drivers, the attack can escalate privileges to root-level system compromise. The technique poses particular risk in cloud environments where GPUs are shared among users and requires only GPU code execution privileges, not physical access. Nvidia, Microsoft, AWS, and Google were notified. Researchers recommend enabling error-correcting code memory, though it is not a complete mitigation.
Northern Ireland’s centralized school district suffers a cyberattack.
A cyberattack on Northern Ireland’s centralized C2K school IT network has disrupted access to digital learning systems used by most schools across the region, affecting services relied on by roughly 300,000 students and 20,000 teachers. The Education Authority (EA) said it detected the incident last week and shut down system access to contain the breach. Officials report the investigation remains ongoing and it is not yet confirmed whether personal data was compromised, though there is currently no evidence of data loss or corruption. The EA is working with service provider Capita and an incident response firm to assess the situation and restore access. Recovery efforts are underway, with some schools already back online and priority given to students preparing for exams. Authorities say restoration will continue over the coming days.
The operator of an alleged hacking-for-hire operation is extradited to the U.S.
Amit Forlit has been extradited from the United Kingdom to New York to face U.S. charges tied to an alleged hacking-for-hire operation targeting environmental groups and other entities. Prosecutors say Forlit led a global enterprise from 2012 to 2019 that generated tens of millions of dollars through computer-hacking and wire-fraud schemes. He is charged with conspiracy to commit computer hacking and wire fraud, offenses carrying potential sentences of up to 45 years. The indictment also links him to previously convicted hacker Aviram Azari and identifies lobbying firm DCI Group, working for Exxon Mobil, among the operation’s clients.
German authorities unmask the leader behind the GandCrab and REvil ransomware operations.
Germany’s Federal Criminal Police Office, BKA, has identified Russian national Daniil Maksimovich Shchukin as the alleged leader behind the GandCrab and REvil ransomware operations between 2019 and 2021. Authorities link him to 130 extortion attempts, including 25 ransom payments totaling more than $2 million, with overall damages estimated above $40 million. Operating under a ransomware-as-a-service model, the groups targeted enterprises and public institutions. Shchukin, also known by several aliases, is believed to remain in Russia and has previously been linked to REvil by U.S. authorities and investigative reporting.
A frustrated researcher drops the hammer.
Exploit code has appeared online for an unpatched Windows privilege escalation flaw known as BlueHammer, after a frustrated researcher decided to skip further polite conversation with Microsoft and go straight to GitHub. The vulnerability, now a zero-day by Microsoft’s definition, can let a local attacker access the Security Account Manager database and potentially promote themselves all the way to SYSTEM privileges, effectively taking over the machine.
The researcher, posting as Chaotic Eclipse, declined to explain the exploit in detail, suggesting others could “figure it out,” while also thanking Microsoft’s response process for the inspiration. Analysts confirmed the technique combines timing and path confusion flaws, though the proof-of-concept code is reportedly buggy and unreliable in some environments.
Microsoft says it is investigating. Meanwhile, defenders are reminded that “local access required” is often less reassuring than it sounds, especially once attackers arrive locally by other means.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.