A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the Cybersecurity Headlines for Monday, March 2, 2026. I'm Steve Prentiss.

Gottumukkala ousted as CISA Director. This departure follows widespread dissatisfaction with the agency's performance over the past year, with particular bipartisan criticism aimed directly at Madhu Gottumukkala's leadership. He will now take on a new role at the Department of Homeland Security as Director of Strategic Implementation. The role of CISA Director will now be filled by the current agency Executive Director for Cybersecurity, Nick Anderson, who will hold this position as interim leader.

Ron Wyden blocks Rudd confirmation to lead Cyber Command and NSA. The Oregon senator pledged to block a vote confirming Lieutenant General Joshua Rudd as the new head of both US Cyber Command and the National Security Agency, citing his lack of digital warfare and intelligence experience. A letter written by Senator Wyden was included in the Congressional Record on Wednesday. He added that, quote, Lt. Gen. Rudd is not qualified for this job, end quote, and that when it comes to the cybersecurity of this country, quote, there is simply no time for on-the-job learning, end quote.

Hackers weaponize Claude Code in Mexican government cyberattack. According to researchers at cybersecurity startup Gambit Security, 10 Mexican government bodies and one financial institution were compromised in this attack, starting with the country's tax authority in late December. In analyzing the attacker logs, Gambit assessed that over 1,000 prompts were sent to Claude Code to mount the attacks, and that the information was also passed to OpenAI's GPT-4.1 for analysis. The researchers added, quote, AI didn't just assist, it functioned as the operational team, writing exploits, building tools and automating exfiltration, end quote. The attack bypassed Claude's guardrails by convincing it that all actions were authorized. As a result, the attacker exfiltrated over 150 gigabytes of data, including civil registry files, tax records and voter data, exposing 195 million identities in the process.

North Korean hackers use new malware to breach air-gapped networks. The group APT37 has been using newly uncovered tools to move data between Internet-connected and air-gapped systems, spread via removable drives, and which conduct covert surveillance. The campaign, named Ruby Jumper, is being analyzed by cloud security company Zscaler. Although there are many components in this campaign, it starts with tricking a human user into activating a Windows LNK shortcut file, which then enables removable drives to become infected. According to the researchers, quote, the malware turns removable storage devices into a bi-directional covert command and control relay, end quote.

Huge thanks to our sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI-powered social engineering. Deepfakes aren't science fiction anymore, they are a daily threat. So here's a quick tip: if your voicemail greeting is your real voice, switch it to the default robot voice. A few seconds of audio can be enough to clone you. Adaptive helps teams spot and stop these AI-powered social engineering attacks. You can learn more at adaptivesecurity.com, that's the two words adaptive security together.

Stealite RAT delivers both data theft and ransomware. This new remote access trojan, spelled S T E A L I T E, Stealite, is currently available for sale on cybercrime networks and enables double extortion attacks on Windows machines by bundling ransomware and data theft, along with credential and cryptocurrency stealers, live surveillance and a whole host of other illicit capabilities, all controllable from a centralized dashboard. This product was discovered by researchers from BlackFog, who described it as fully undetectable and the best Windows RAT in November 2025. It works across Windows 10 and 11, with an Android module reportedly in development. The researchers stated that with this product, data theft begins at the moment of connection.

Public Google Cloud API keys exposed with Gemini access after API enablement. New research from Truffle Security has found that Google Cloud API keys, typically designated as project identifiers for billing purposes, could be abused to authenticate to sensitive Gemini endpoints and access private data. The researchers discovered nearly 3,000 Google API keys, identified by the prefix AIza, embedded in client-side code to provide Google-related services like embedded maps on websites. Truffle Security found that creating a new API key in Google Cloud defaults to unrestricted, meaning it is applicable for every enabled API in the project, including Gemini.

Samsung TVs to stop collecting Texans' data. Samsung and the State of Texas have reached a settlement agreement over the alleged unlawful collection of content viewing information through its smart TVs. The company will now have to revise its privacy disclosures to clearly explain its data collection and processing practices to customers. This is all based on a lawsuit filed by Texas Attorney General Ken Paxton last December, in which several TV manufacturers were charged with, quote, using automated content recognition technology to collect and process viewing data without first obtaining express informed consent from consumers, end quote. The allegations were that Samsung was using the technology to capture screenshots of consumers' TVs to determine what they were watching in order to deliver targeted advertising. The court found that there was, quote, good cause to believe that Samsung automatically enrolled customers in this system using dark patterns that included over 200 clicks spread across four or more menus for a consumer to read the privacy statements and disclosures, end quote.

The CISO Series is going bi-coastal this month. We're doing a live CISO Series podcast on March 6th in Orlando as part of Zero Trust World. Then we'll have our monthly San Diego meetup on March 11th, before another live CISO Series podcast at BSides SF on the 21st, just ahead of the RSA Conference. If you've wanted to experience a live CISO Series event, there's never been a better time. Just head on over to our events page at cisoseries.com for more information. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Steve Prentiss
Episode Title: Gottumukkala Ousted, Wyden Blocks Rudd, Hackers Weaponize Claude
This episode delivers a concise roundup of major cybersecurity news stories for Monday, March 2, 2026. Key topics include leadership changes at CISA after a turbulent year, a Senate blockade of a key cyber command nomination, a high-profile AI-powered cyberattack against the Mexican government, and several critical vulnerabilities and breaches affecting both the public and private sector.
“Lt. Gen. Rudd is not qualified for this job… there is simply no time for on the job learning.”
— Senator Ron Wyden ([01:10]–[01:15])
“AI didn’t just assist, it functioned as the operational team, writing exploits, building tools and automating exfiltration.”
— Gambit Security researchers on the Mexican government attack ([01:50])
“… turns removable storage devices into a bi-directional covert command and control relay.”
— Zscaler researchers on the Ruby Jumper campaign ([03:00])
“… fully undetectable and the best Windows RAT in November 2025.”
— BlackFog researchers on Stealite RAT ([04:42])
“…good cause to believe that Samsung automatically enrolled customers in this system using dark patterns that included over 200 clicks spread across four or more menus for a consumer to read the privacy statements and disclosures.”
— Texas court findings ([06:45])
This episode highlights a critical period for government cybersecurity leadership, an alarming escalation in AI-driven cyberattacks, and ongoing risks from both sophisticated malware and major tech vendor oversights. Each news story underscores the rapidly evolving and increasingly complex threat landscape CISOs and security professionals must navigate.
For further details on any of these stories, visit cisoseries.com.