Newsletters

The politically-motivated dismissal of the head of both NSA and US Cyber Command will be extremely damaging to the agencies, their relationships with allies and for US national security.

General Timothy Haugh was sacked last Thursday from his leadership positions at NSA and Cyber Command after a far-right conspiracy theorist urged his removal in a meeting with President Donald Trump. The NSA's civilian deputy, Wendy Noble, was also removed together with five National Security Council Staff. Per The Washington Post:

On X, Loomer claimed Trump responded to her call for the firings:

An unnamed hacker (or maybe a hacker group, who knows) has leaked internal data from Media Land, one of today's largest bulletproof web hosting providers.

The leaked files contain information on the company's past customers, what type of services they contracted, and what was hosted on the platform.

Threat intel firm Prodaft believes the attacker is the same threat actor that hacked and leaked internal chats from the BlackBasta ransomware group in mid-February.

A wave of credential-stuffing attacks targeted Australian pension funds last week, resulting in the theft of some customer retirement funds.

The attacks targeted superannuation accounts, a private pension fund system used in Australia where employees store money that is made available to them when they retire.

Five major superannuation pension funds confirmed the attacks.

Google has been secretly working on a new super-secure mode for Android that's inspired by Apple's iPhone Lockdown Mode.

According to a placeholder documentation page and based on analysis of Android beta images, the new feature is named the Android Advanced Protection Mode (AAPM).

Just like Lockdown Mode, the AAPM is not intended for regular Android users and was specifically designed for high-risk individuals who may face threats from oppressive regimes, advanced spyware, and rogue network surveillance attacks.

Fraudulent North Korean IT workers are pivoting into new regions as it becomes more difficult for them to get jobs in the United States. The bad news is they are also employing new tactics that make them more dangerous. 

For several years North Korea has used IT workers to raise revenue for the regime in addition to its cryptocurrency hacking efforts. These workers use fake identities and seek legitimate remote jobs across a range of industries. They are paid wages, but also leverage their privileged access to enable cyber intrusions. 

In a report released this week Google's Threat Intelligence Group said North Korean IT workers were widening their global operations, with a "notable focus" on Europe. This report, and similar research from insider risk management firm DTEX, were covered by Catalin Cimpanu in our sister publication Risky Bulletin. Catalin's write-up covers the history of the IT worker scam, who has been affected and resources to help identify potential North Korean workers.

North Korean IT worker schemes have expanded globally and are now heavily targeting European companies after a crackdown from US authorities last year.

Towards the end of 2024, North Korean workers started creating fake personas tailored for the European job market and seeking IT jobs at European small and large tech giants.

In a report this week, Google's security teams say they've spotted at least 12 fake personas linked to the Pyongyang regime.

Hackers are abusing a little-known WordPress feature named Must Use Plugins to install and hide malware from site administrators.

Also known as mu-plugins, the Must Use Plugins feature was added to the WordPress CMS in 2022.

Plugins placed in a special folder named /mu-plugins are automatically installed and enabled on a website without users needing to manually approve them.

The French government conducted last week a large-scale phishing test on over 2.5 million middle and high school students.

The test included a link in their school's digital workspace that advertised cheats and cracked games that redirected students to a phishing awareness video.

According to CNIL, France's privacy watchdog, over 210,000 students clicked the link, representing roughly one in twelve students.

The Trump Administration's cavalier disregard for common sense security protocols is blatantly inviting serious security breaches. This week exposed the absence of any kind of security culture at the highest levels of the US national security community.

The story of how The Atlantic editor in chief was inadvertently added to a high-level US national security discussion covering plans for military action against Houthi rebels in Yemen has been well covered in the media, so we won't rehash it all.

In short, The Atlantic's Jeffrey Goldberg was added to a Signal group chat in which senior US officials discussed plans for military action against Houthi rebels in Yemen. The group chat included Vice President J.D. Vance, Defence Secretary Pete Hegseth, CIA Director John Ratcliffe and Director of National Intelligence Tulsi Gabbard, among others. 

Ukraine's state railway company says that a "massive targeted cyber attack" has taken down its online ticketing system over the weekend.

The incident took place on Sunday night. In a Facebook post, Ukrzaliznytsia blamed the incident on "the enemy," a term Ukrainians use to describe Russia.

The company's website is currently down, and officials are restoring from backups. The incident was very likely a data wiper attack, which Russian hackers have employed on numerous occasions since Russia's invasion in February 2022.