[00:00] Announcer: From Neural Newscast, this is Prime Cyber Insights,
[00:03] Announcer: Intelligence for Defenders, Leaders, and Decision Makers.
[00:11] Announcer: I'm Aaron. Welcome to Prime Cyber Insights for March 6, 2026.
[00:17] Announcer: Today, we're examining a tightening vice on the enterprise perimeter, driven by both state-sponsored actors and a significant rise in internal risk.
[00:26] Aaron Cole: And I'm Lauren. We're starting with a report from Mimecast that suggests the traditional distinction between accidental negligence and malicious intent is blurring, with both now presenting an equal threat to the bottom line.
[00:40] Announcer: The data is stark, Lauren.
[00:42] Announcer: Mimecast surveyed 2,500 decision makers across nine countries
[00:47] Announcer: and found that 42% reported an increase in malicious insider threats,
[00:52] Announcer: matching the exact same percentage of reported increases in negligent incidents.
[00:57] Announcer: This isn't just a volume problem. It is an impact problem.
[01:01] Announcer: These incidents now average $13.1 million each, with firms seeing six of them every month.
[01:07] Aaron Cole: It is a fundamental shift, Aaron.
[01:10] Aaron Cole: We're moving from simple errors to a reality where disgruntled employees or individuals bribed by threat actors are causing equivalent damage.
[01:19] Aaron Cole: The report notes that AI is making it easier for these insiders to exfiltrate data at scale, meaning the window to stop a leak is narrowing.
[01:30] Announcer: That tightening window is also evident in the zero-day market. According to the Google Threat Intelligence team, 90 zero-day exploits were tracked in 2025.
[01:39] Announcer: While that is down from the record 100 we saw in 2023, the real story is where these exploits
[01:45] Announcer: are landing.
[01:46] Announcer: We are seeing a structural shift away from browser-based attacks toward enterprise technology.
[01:52] Aaron Cole: Exactly, Aaron.
[01:54] Aaron Cole: Enterprise exploitation accounted for 48% of all zero days last year.
[01:59] Aaron Cole: Attackers are prioritizing networking and security appliances because they provide a direct
[02:04] Aaron Cole: path for initial access into the core of the network.
[02:07] Aaron Cole: As you mentioned, AI is accelerating the recon and discovery phase, making agentic defense tools essential for catching these flaws before they are weaponized.
[02:18] Announcer: Speaking of weaponization, we have new intelligence from Cisco Talos on a China-linked group tracked as UAT 9244.
[02:26] Announcer: They've been hitting South American telecommunications infrastructure since 2024 using three specific
[02:33] Announcer: undocumented implants, Turndoor for Windows, PeerTime for Linux, and Brute Entry for Edge
[02:39] Announcer: devices.
[02:39] Aaron Cole: The technical sophistication here is notable, Aaron.
[02:43] Aaron Cole: PeerTime is a peer-to-peer backdoor that uses the BitTorrent protocol to communicate with
[02:48] Aaron Cole: its command and control, which makes detection significantly harder in high-traffic telecom
[02:53] Aaron Cole: environments.
[02:54] Aaron Cole: It is written in both C++ and Rust, targeting ARM and MIPS architectures to ensure it can persist on almost any embedded system in the network.
[03:04] Announcer: Talos notes tactical overlaps between this group and Salt Typhoon, which is well known for telecom espionage.
[03:11] Announcer: When you combine this with TernDor's use of DLL side loading through legitimate executables,
[03:16] Announcer: it highlights that these groups are becoming even more precise in their targeting of critical regional infrastructure.
[03:22] Aaron Cole: The through line here, Aaron, is that human risk and technical zero days are converging.
[03:27] Aaron Cole: Whether it is an insider being exploited as an entry point or a zero day in a VPN appliance,
[03:33] Aaron Cole: the goal is high-level persistence.
[03:36] Aaron Cole: Organizations must move toward adaptive controls that identify high-risk actions in real time.
[03:42] Announcer: Practical takeaway for the briefing room.
[03:44] Announcer: Prepare for the when, not the if.
[03:46] Announcer: Verify your telemetry on edge devices and ensure your insider threat programs are looking at data access patterns,
[03:53] Announcer: not just employee satisfaction.
[03:55] Announcer: Lauren, final thoughts?
[03:56] Aaron Cole: Resilience in 2026 is about reducing the friction for defenders while increasing it for anyone, internal or external, accessing sensitive data.
[04:06] Aaron Cole: I'm Lauren Mitchell.
[04:07] Announcer: And I'm Aaron.
[04:08] Announcer: For more on these stories, visit pci.neuralnewscast.com.
[04:12] Announcer: This has been Prime Cyber Insights.
[04:14] Announcer: This podcast is for informational purposes and does not constitute professional advice.
[04:18] Announcer: Neural Newscast is AI-assisted, human-reviewed. View our AI Transparency Policy at NeuralNewscast.com.
[04:23] Lauren Mitchell: This has been Prime Cyber Insights on Neural Newscast.
[04:27] Lauren Mitchell: Intelligence for Defenders, Leaders, and Decision Makers.
[04:31] Lauren Mitchell: Neural Newscast uses artificial intelligence in content creation,
[04:34] Lauren Mitchell: with human editorial review prior to publication.
[04:37] Lauren Mitchell: While we strive for factual, unbiased reporting,
[04:40] Lauren Mitchell: AI-assisted content may occasionally contain errors.
[04:44] Lauren Mitchell: Verify critical information with trusted sources.
[04:47] Lauren Mitchell: Learn more at neuralnewscast.com.