
Factory reset required.
Tata Electronics and Bajaj Auto continue recovery from cyberattacks. FCC tightens undersea cable rules to bolster national security. CISA warns of actively exploited PTC vulnerability. Gamaredon expands toolkit, hides behind legitimate services. Iran-linked hackers turn public warning systems into psychological weapons. Threat actors target critical infrastructure across Southeast Asia. DCloud framework behind global scam economy. Polish police disrupt SIM-swapping gang. French statistics agency reports cyberattack affecting nearly 13,000 staff. Our guest is Michael Fanning, CISO at Splunk, discussing how AI doesn’t create problems, it exposes them. And an open-book exam for hackers.
Today is June 26th, 2026. I’m Maria Varmazis in for Dave Bittner this week. And this is your CyberWire Intel Briefing.
Tata Electronics and Bajaj Auto continue recovery from cyberattacks.
Mumbai-headquartered Tata Electronics, a key supplier to Apple, Tesla, and leading chip manufacturers, has tightened internal security controls following a data breach that came to light earlier this week. The World Leaks ransomware group leaked more than 200,000 files allegedly stolen from the company, including what appear to be internal design papers from Apple and Tesla. The authenticity of this data has not been independently verified, and Tata hasn't commented on the contents of the leak. Reuters says the company has since restricted remote access to sensitive internal tools, and Apple's security team is working with Tata on near- and long-term security measures.
Another Indian manufacturing giant, Bajaj Auto, has resumed operations after sustaining a ransomware attack this week. The company says its manufacturing, sales, and service activities are now operating normally.
FCC tightens undersea cable rules to bolster national security.
The Federal Communications Commission has approved new rules aimed at strengthening the security of the undersea cables that carry roughly 99 percent of international internet traffic. The measures create new licensing requirements for submarine cable terminal equipment, tighten oversight of foreign involvement, and establish a fast-track approval process for trusted operators that meet strict national security standards. The FCC says the changes are designed to reduce espionage and sabotage risks, particularly from Chinese-linked companies, while accelerating deployment of critical communications infrastructure.
CISA warns of actively exploited PTC vulnerability.
The US Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) Catalog has listed a critical vulnerability affecting PTC's product lifecycle management tools Windchill and FlexPLM, SecurityWeek reports. The vulnerability (CVE-2026-12569) is an improper input validation flaw that can lead to remote code execution.
The agency also added a high-severity server-side request forgery (SSRF) vulnerability (CVE-2026-20230) in Cisco Unified Communications Manager that was observed being exploited this past weekend. Cisco released fixes for this flaw on June 3rd.
CISA has ordered federal agencies to apply patches for both vulnerabilities by Sunday, June 28th.
Gamaredon expands toolkit, hides behind legitimate services.
ESET researchers say the Russia-aligned Gamaredon threat group remained highly active throughout 2025, exclusively targeting Ukrainian government and military organizations. The group developed new PowerShell-based malware, expanded its use of cloud storage for data theft, and increasingly relied on legitimate messaging, blogging, and file-sharing services to conceal command-and-control infrastructure and exfiltrate stolen information. ESET also observed Gamaredon collaborating with other Russia-linked threat actors, underscoring a growing trend of operational cooperation among Kremlin-aligned cyber espionage groups targeting Ukraine.
Iran-linked hackers turn public warning systems into psychological weapons.
Researchers at Claroty's Team82 have uncovered an Iran-linked campaign targeting internet-connected public warning systems—not to destroy them, but to manipulate public perception and sow fear. The attackers compromised sirens and emergency alert infrastructure, displaying false or politically charged messages designed to undermine trust in official communications. The researchers describe the activity as a cyber psychological operation, using operational technology as a tool for influence rather than disruption.
Threat actors target critical infrastructure across Southeast Asia.
Palo Alto Networks' Unit 42 is tracking a cluster of threat activity operated by Chinese-speaking actors that's targeting critical infrastructure across Southeast Asia. The threat actors, tracked by Unit 42 as "CL-STA-1062," have been active since at least March 2022. The attackers have previously been observed targeting web hosting infrastructure in Taiwan, and Unit 42 says the latest campaign "highlights a broader long-term strategy in the Asia-Pacific region." The recent attacks focused on energy and government organizations.
The attackers deployed a newly documented Trojan dubbed "TinyRCT," a lightweight backdoor written in C# that enables attackers to "execute arbitrary system commands, exfiltrate files, capture screenshots, and remotely manage the infected host."
DCloud framework behind global scam economy.
Infoblox researchers say a legitimate Chinese development framework called DCloud Uni-App has become common infrastructure for a massive global scam ecosystem. The company identified more than 236,000 scam domains since 2022, supporting fake crypto exchanges, pig-butchering schemes, wallet drainers, gambling fraud, WhatsApp phishing, and brand impersonation. Researchers stress DCloud itself is not malicious, but its reusable templates and technical fingerprints help expose how decentralized fraud operators share scaffolding, infrastructure, and tactics across international scam campaigns.
Polish police disrupt SIM-swapping gang.
Polish police have arrested four alleged members of a cybercriminal gang known for targeting telecom vendors to conduct SIM-swapping attacks, BleepingComputer reports. The operation was led by the Polish Cybercrime Bureau (CBZC), supported by the US FBI and Homeland Security Investigations (HSI).
The suspects are accused of using SIM-swapping attacks to gain access to victims' cryptocurrency accounts. CBZC stated, "It is estimated that the total value of the funds laundered in this manner exceeds several tens of millions of Polish złoty" (at least US$5 million). The defendants are each facing up to 25 years in prison for charges related to money laundering, participation in an organized criminal gang, and hacking IT systems to commit theft.
French statistics agency reports cyberattack affecting nearly 13,000 staff.
France's national statistics agency, Insee, says a cyberattack exposed the personal data of about 12,800 current and former employees, along with members of related civil service organizations. According to the agency, the compromised information was limited to identities and professional contact details. Insee says no passwords, home addresses, banking information, social security numbers, or health records were accessed.
Stick with us. After the break, Dave Bittner sits down with Michael Fanning, CISO at Splunk, to discuss how AI doesn’t create problems, it exposes them. And an open-book exam for hackers. Stay with us.
Dave Bittner recently sat down with Michael Fanning, CISO at Splunk, to discuss how AI doesn’t create problems, it exposes them. Here is their conversation.
That was Dave Bittner and Michael Fanning, CISO at Splunk, talking about how AI doesn’t create problems, it exposes them.
An open-book exam for hackers.
A UK school is serving as the latest example of how simple security mistakes can create enormous risk.
A former student says he discovered that connecting to the school's Active Directory domain required no administrator authentication, giving him visibility into domain controller tools and policy maps. Things got even worse when he found the domain administrator account, with its password sitting in the account's description field in plain text.
With those credentials, the student said he could access staff and student data, remotely connect to servers and domain controllers, manage classroom software, view Google Workspace mailboxes, and even access firewall settings and keystroke histories. Despite having what he described as "God mode," he says he never abused the access and graduated without reporting the issue.
The story is a textbook reminder that security doesn't always fail because of advanced attackers. Sometimes it fails because someone leaves the answers on the test.
Fortunately, in this case, the student who found them appears to have been more interested in graduating than administering the network.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Be sure to check out Research Saturday this week, where Dave Bittner sits down with Daniel Schwalbe, Chief Information Security Officer & Head of Investigations at DomainTools, as they discuss their work on "ZionSiphon OT Malware First Attempts? Psyops? Both?" That’s Research Saturday. Check it out.
And on Sunday's T-Minus: Space-Cyber Briefing, we’re talking about strengthening the space industrial supply chain with PwC’s Principal Partner Doug Anderson and AIA’s Vice President Space Systems Division Steve Jordan Tomaszewski. That's Sunday on T-Minus, don't miss it.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
