Newsletters

Founding CISA director Chris Krebs has been forced out of a senior executive position at SentinelOne by a presidential memorandum that targeted him by name. It's an extraordinary attack on a former public servant that makes Americans less safe.

President Donald Trump's memo last week ordered a federal investigation into Krebs and revoked his security clearance. It also targeted his employer by suspending all clearances held by SentinelOne employees. Krebs was chief intelligence and public policy officer there and has been a regular guest on the Risky Business podcast. 

While anecdotally there is broad support for Krebs, most cyber security firms have not stuck their heads above the parapet this week. It's disappointing, but we understand why. Unlike the legal profession, which has also been targeted by the Trump administration, the industry has no oath tying them to uphold the Constitution and the rights of citizens. There is no vital interest that they must defend. Most organisations feel there is simply more to lose than there is to gain.

The CA/Browser Forum passed a ballot to reduce the maximum validity of TLS certificates from the current 398 days to just 47 days by 2029.

The ballot passed without opposition, with 28 votes in favor and five abstainers.

The reduction will take place across three phases between March next year and March 2029.

A Chinese cyber-espionage group named MirrorFace (aka Earth Kasha, APT10) is abusing the Windows Sandbox virtual environment to hide the execution of its malware on infected systems.

Attacks incorporating Windows Sandbox have been taking place since 2023 and represent the first known case of Windows Sandbox abuse since its release in December 2018.

As the name hints, the feature allows Windows users to start an isolated sandbox where they can temporarily install/test apps and then shut down the virtual environment without impacting the main OS and their data.

Security firms, open-source experts, and academics are warning about a new supply chain vector they're calling slopsquatting.

The technique's name is a combination of terms like AI slop and typosquatting.

It revolves around the increasing use of AI coding tools to generate blocks of source code that may sometimes make their way into production systems.

The politically-motivated dismissal of the head of both NSA and US Cyber Command will be extremely damaging to the agencies, their relationships with allies and for US national security.

General Timothy Haugh was sacked last Thursday from his leadership positions at NSA and Cyber Command after a far-right conspiracy theorist urged his removal in a meeting with President Donald Trump. The NSA's civilian deputy, Wendy Noble, was also removed together with five National Security Council Staff. Per The Washington Post:

On X, Loomer claimed Trump responded to her call for the firings:

An unnamed hacker (or maybe a hacker group, who knows) has leaked internal data from Media Land, one of today's largest bulletproof web hosting providers.

The leaked files contain information on the company's past customers, what type of services they contracted, and what was hosted on the platform.

Threat intel firm Prodaft believes the attacker is the same threat actor that hacked and leaked internal chats from the BlackBasta ransomware group in mid-February.

A wave of credential-stuffing attacks targeted Australian pension funds last week, resulting in the theft of some customer retirement funds.

The attacks targeted superannuation accounts, a private pension fund system used in Australia where employees store money that is made available to them when they retire.

Five major superannuation pension funds confirmed the attacks.

Google has been secretly working on a new super-secure mode for Android that's inspired by Apple's iPhone Lockdown Mode.

According to a placeholder documentation page and based on analysis of Android beta images, the new feature is named the Android Advanced Protection Mode (AAPM).

Just like Lockdown Mode, the AAPM is not intended for regular Android users and was specifically designed for high-risk individuals who may face threats from oppressive regimes, advanced spyware, and rogue network surveillance attacks.

Fraudulent North Korean IT workers are pivoting into new regions as it becomes more difficult for them to get jobs in the United States. The bad news is they are also employing new tactics that make them more dangerous. 

For several years North Korea has used IT workers to raise revenue for the regime in addition to its cryptocurrency hacking efforts. These workers use fake identities and seek legitimate remote jobs across a range of industries. They are paid wages, but also leverage their privileged access to enable cyber intrusions. 

In a report released this week Google's Threat Intelligence Group said North Korean IT workers were widening their global operations, with a "notable focus" on Europe. This report, and similar research from insider risk management firm DTEX, were covered by Catalin Cimpanu in our sister publication Risky Bulletin. Catalin's write-up covers the history of the IT worker scam, who has been affected and resources to help identify potential North Korean workers.

North Korean IT worker schemes have expanded globally and are now heavily targeting European companies after a crackdown from US authorities last year.

Towards the end of 2024, North Korean workers started creating fake personas tailored for the European job market and seeking IT jobs at European small and large tech giants.

In a report this week, Google's security teams say they've spotted at least 12 fake personas linked to the Pyongyang regime.