Claire Aird
Chris Krebs resigns from SentinelOne and vows to fight; the Thai army and police doxxed pro-democracy dissidents; CISA extends Mitre's CVE contract; and Apple patches two iOS zero-days. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 18th of April, and this podcast episode is brought to you by application allowlisting software maker Airlock Digital.

Former CISA Director Chris Krebs has resigned from SentinelOne to mount a legal battle against the White House. Last week the US President ordered a DOJ investigation of Krebs' work on securing the 2020 US elections as CISA director and revoked his security clearance. He also ordered an immediate suspension of security clearances held by SentinelOne staff. In an email to SentinelOne staff, Krebs says he intends to fight the order, but that the battle was his and not the company's. Krebs joined SentinelOne in 2023 and was its Chief Intelligence and Public Policy Officer.

In other news, Thailand's army and police were behind a social media campaign that doxxed and harassed pro-democracy protesters online. Personas being operated by the authorities doxxed and harassed dissidents and instructed their followers to report them to the police. This campaign started in 2020, but the Thai army and police set up a so-called joint cyber team to coordinate the efforts in 2023. The campaign was unearthed when confidential military and police documents were leaked online last month.

CISA has extended Mitre's contract to manage the CVE database. The extension came hours before the current contract was due to expire on Wednesday. It will now expire on March 16 next year. The contract is worth $57.8 million. On Tuesday, Mitre warned partner organisations that the contract had not been renewed and that there could be disruptions.

The US State Department office that counters foreign disinformation efforts is being shut down. The Office of Counter Foreign Information Manipulation and Interference was previously known as the Global Engagement Centre. Secretary of State Marco Rubio claimed the office silenced and censored the voices of Americans. The centre previously exposed Russian and Chinese disinformation operations, and there's no evidence it censored Americans. Congress defunded the office in December last year.

Oklahoma police have arrested the CEO of a cyber security company for allegedly installing malware on a local hospital network. Security footage shows Geoffrey Bowie entering the St Anthony Hospital last August and attempting to enter offices before he eventually found an unattended computer. Officials claim Bowie installed malware designed to take a screenshot every 20 minutes and forward the image to an external IP address. Reports have not said if Bowie had been contracted by the hospital to carry out security testing.

Fraudsters are using bot accounts to sign up for online community college classes in the US so they can receive financial aid. They submit AI-generated work and attempt to remain unnoticed long enough for the funds to be disbursed. Officials in California estimate that roughly one quarter of community college applicants are bots. Last year, bot students collected more than $11 million in state and federal funds.

Shadowserver says more than 17,000 Fortinet devices have been backdoored and are exposing their configuration files. Fortinet warned about the technique in a security advisory last week. Attackers are creating symlinks that connect a publicly available folder from the device's web dashboard to the file system root directory. They can then use this to retrieve configuration files and reinfect the device, even if the original security flaws are patched. Most of the backdoored devices are located in the US and Japan.

A threat actor is using leaked AWS credentials to access servers, encrypt data, and demand ransoms of $25,000. The attacker is encrypting the data using a native AWS feature named Server-Side Encryption with Customer-Provided Keys rather than custom ransomware. The technique was first used in December last year by a threat actor named CodeFinger.

Apple has rolled out iOS security updates to fix two zero-days that are being exploited in the wild. The zero-days appear to have been used together and were delivered as malicious audio files. Apple says the attack is extremely sophisticated and is targeting specific individuals. The attacks were spotted by both Apple's and Google's security teams.

A suspected APT group is exploiting a recently patched Windows vulnerability to target government organisations in Poland and Romania. The attacks use malicious Windows library files to leak victims' NTLM hashes. According to Check Point, the attack triggers when users navigate to the folder where the malicious file is stored. No other interaction is required.

A critical vulnerability has been discovered in the Erlang implementation of SSH. The vulnerability allows remote attackers to run malicious code on the SSH server without authentication. Any SSH server using the Erlang/OTP library is likely affected. The vulnerability was discovered by a team of German academics and has been given a 10 out of 10 severity rating.

And finally, a network of thousands of Russian TikTok accounts is exploiting a loophole in the platform's algorithm in an attempt to influence public opinion in Ukraine. TikTok allows new accounts to go viral, so Russian bot farms are continuously registering new accounts when their old ones are suspended. Ukrainian reporters say some accounts receive hundreds of thousands of views even when they don't have any followers. Russia used the same TikTok manipulation tactic to boost an unknown candidate to victory in the first round of Romania's cancelled presidential election last year.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Airlock Digital. Find them at airlockdigital.com. Thanks for your company.
Podcast Title: Risky Bulletin
Host: risky.biz
Episode Title: Risky Bulletin: Chris Krebs resigns, vows to fight
Release Date: April 18, 2025
In this episode of Risky Bulletin, host Claire Aird covers the week's main cybersecurity developments, from a high-profile resignation to actively exploited vulnerabilities and influence operations. Below is a summary of the key items, with quotes from the episode.
The episode opens with breaking news about Chris Krebs, the former CISA Director, who has recently resigned from his position at SentinelOne to engage in a legal battle against the White House. This move follows intense scrutiny and actions taken by the U.S. President regarding Krebs' efforts in securing the 2020 U.S. elections.
Claire Aird [00:04]: "Former CISA Director Chris Krebs has resigned from SentinelOne to mount a legal battle against the White House."
Krebs' resignation comes after the President ordered a DOJ investigation into his work and revoked his security clearance. Additionally, an immediate suspension of security clearances for SentinelOne staff was mandated.
Claire Aird [00:15]: "In an email to SentinelOne staff, Krebs says he intends to fight the order, but that the battle was his and not the company's."
Krebs joined SentinelOne in 2023 as its Chief Intelligence and Public Policy Officer; his departure comes amid a direct confrontation between a former cybersecurity official and the administration.
The podcast highlights alarming activities by Thailand's army and police forces, who orchestrated a social media campaign aimed at doxxing and harassing pro-democracy dissidents.
Claire Aird [02:30]: "Thailand's army and police were behind a social media campaign that doxxed and harassed pro-democracy protesters online."
This campaign, initiated in 2020, saw authorities using fake personas to harass dissidents and encourage followers to report them to the police. The joint cyber team, established in 2023, coordinated these efforts, which remained concealed until the leak of confidential military and police documents revealed the extent of the operation.
Claire Aird [03:10]: "The campaign was unearthed when confidential military and police documents were leaked online last month."
Amid uncertainty over its renewal, the Cybersecurity and Infrastructure Security Agency (CISA) extended Mitre's contract to manage the Common Vulnerabilities and Exposures (CVE) database.
Claire Aird [04:20]: "CISA has extended Mitre's contract to manage the CVE database. The extension came hours before the current contract was due to expire."
Valued at $57.8 million, the contract extension ensures continuity in managing critical vulnerability information, which is vital for national cybersecurity efforts.
However, prior to the extension, Mitre had warned partner organizations about possible disruptions due to contract uncertainty.
Claire Aird [04:50]: "Mitre warned partner organizations that the contract had not been renewed and that there could be disruptions."
The new contract is set to conclude on March 16, 2026, providing a more stable framework for managing and disseminating vulnerability data.
A significant organizational change was discussed regarding the U.S. State Department’s Office of Counter Foreign Information Manipulation and Interference, formerly known as the Global Engagement Centre.
Claire Aird [05:45]: "The U.S. State Department office that counters foreign disinformation efforts is being shut down."
Secretary of State Marco Rubio criticized the office, alleging that it had silenced and censored American voices. The episode notes that the centre's previous work consisted of exposing Russian and Chinese disinformation operations and that there is no evidence it censored Americans.
Claire Aird [06:05]: "Secretary of State Marco Rubio claimed the office silenced and censored the voices of Americans. The centre previously exposed Russian and Chinese disinformation operations and there's no evidence it censored Americans."
The office's closure follows its defunding by Congress in December of the previous year, raising concerns about the continuity of efforts to combat foreign disinformation.
The episode reports on the arrest of Geoffrey Bowie, CEO of a cybersecurity firm, by Oklahoma police for allegedly installing malware on a local hospital network.
Claire Aird [07:30]: "Oklahoma police have arrested the CEO of a cyber security company for allegedly installing malware on a local hospital network."
Security footage from St. Anthony Hospital shows Bowie accessing an unattended computer in August of the previous year, where he is accused of deploying malware that captured screenshots every 20 minutes and sent them to an external IP address.
Claire Aird [07:50]: "Officials claim Bowie installed malware designed to take a screenshot every 20 minutes and forward the image to an external IP address."
Reports have not said whether Bowie had been contracted by the hospital to carry out security testing, so his intentions remain unclear.
A worrying trend of fraudulent bot accounts enrolling in U.S. community college classes to illicitly obtain financial aid was examined.
Claire Aird [08:40]: "Fraudsters are using bot accounts to sign up for online community college classes in the US so they can receive financial aid."
These bots submit AI-generated work, aiming to remain undetected long enough for funds to be disbursed. Californian officials estimate that approximately 25% of community college applicants are bots, with fraudulent students collecting over $11 million in state and federal funds last year.
Claire Aird [09:00]: "Last year, bot students collected more than $11 million in state and federal funds."
Shadowserver reported that over 17,000 Fortinet devices have been backdoored and are exposing their configuration files.
Claire Aird [09:50]: "Shadowserver says more than 17,000 Fortinet devices have been backdoored and are exposing their configuration files."
Fortinet warned about the technique in a security advisory last week. Attackers create symlinks that connect a publicly accessible folder served by the device's web dashboard to the file system root directory. Because the symlink survives patching of the original flaws, adversaries can keep retrieving sensitive configuration data and reinfect the device after it has been updated.
Claire Aird [10:10]: "Attackers are creating symlinks that connect a publicly available folder from the device's web dashboard to the file system root directory."
Most of the backdoored devices are located in the U.S. and Japan.
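The persistence pattern described above, a symlink planted inside a web-served folder that resolves to the filesystem root, is something a defender can check for directly. The following is an added illustrative check, not Fortinet's or Shadowserver's code, and it knows nothing about FortiGate's real web-root path; the directory layout and the paths it builds are constructed for the demo.

```python
"""Scan a web-served directory for symlinks that resolve outside it.

Added illustrative check, not code from Fortinet, Shadowserver or Risky
Bulletin. The directory layout below is constructed for the demo; on a real
appliance the served path differs and is not something this script knows.
"""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(web_root):
    """Return (link, target) pairs for symlinks under web_root whose resolved
    target lies outside web_root.

    A symlink from a publicly served folder to a directory above the served
    tree (in the worst case the filesystem root) lets an unauthenticated
    client read files that were never meant to be served. That is the pattern
    the bulletin describes, and it survives patching of the original bug.
    """
    root = Path(web_root).resolve()
    findings = []
    # followlinks=False: list symlinked directories but never descend into them
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = Path(os.path.realpath(link))
            try:
                target.relative_to(root)          # inside the served tree: fine
            except ValueError:
                findings.append((str(link.relative_to(root)), str(target)))
    return findings


def build_demo_tree():
    """Create a constructed layout with one benign and one escaping symlink."""
    base = Path(tempfile.mkdtemp(prefix="symlink-demo-"))
    web_root = base / "public"
    (web_root / "static").mkdir(parents=True)
    (web_root / "static" / "app.js").write_text("// harmless asset\n")
    # benign: the link stays inside the served tree
    os.symlink(web_root / "static", web_root / "assets")
    # the pattern to catch: a link from the served tree to the filesystem root
    os.symlink("/", web_root / "root_link")
    return web_root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for link, target in find_escaping_symlinks(demo_root):
        print(f"escaping symlink: {link} -> {target}")
```

Run against a real served directory (as a user allowed to read it), anything the scanner reports deserves a look, since a legitimate web root rarely needs to link outside itself. The check deliberately follows each link only to its final target rather than walking into it, so a link to `/` does not turn into a scan of the whole disk.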
The episode also covered an extortion tactic in which a threat actor uses leaked AWS credentials to access storage, encrypt data, and demand ransoms.
Claire Aird [11:00]: "A threat actor is using leaked AWS credentials to access servers, encrypt data, and demand ransoms of $25,000."
Distinctively, the attacker encrypts the data with Server-Side Encryption with Customer-Provided Keys (SSE-C), a native AWS feature, rather than custom ransomware; once the objects are rewritten with a key only the attacker holds, AWS cannot recover them. The technique was first observed in December last year and is attributed to a threat actor known as CodeFinger.
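Because SSE-C is a legitimate S3 feature, the defender's signal is not malware but an identity writing many SSE-C objects in a short window. Below is an added example, not code from Risky Bulletin, AWS or any vendor, that runs that logic over constructed CloudTrail-style records and emits the bucket policy that refuses SSE-C uploads. The record layout (`eventName`, `userIdentity.arn`, `additionalEventData.SSEApplied`) follows CloudTrail's S3 data events as far as I know it, and the `s3:x-amz-server-side-encryption-customer-algorithm` condition key is the documented one for this header; both should be verified against your own logs and the current AWS documentation.

```python
"""Spot S3 objects being re-encrypted with SSE-C by a single principal.

Added example, not code from Risky Bulletin, AWS or any vendor. The records
below are constructed and modelled on CloudTrail S3 data events; the field
names follow CloudTrail's layout as far as I know it, so verify them against
your own logs before relying on this.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(name, arn, bucket, key, sse, when):
    """Build one constructed CloudTrail-style record."""
    return {
        "eventTime": when,
        "eventName": name,
        "userIdentity": {"arn": arn},
        "requestParameters": {"bucketName": bucket, "key": key},
        "additionalEventData": {"SSEApplied": sse},
    }


LEAKED = "arn:aws:iam::111122223333:user/ci-deploy"   # constructed: leaked key
HUMAN = "arn:aws:iam::111122223333:user/alice"        # constructed: normal user

SAMPLE_EVENTS = [  # constructed sample log, not real telemetry
    _ev("PutObject", HUMAN, "corp-data", "reports/q1.csv", "SSE_KMS", "2025-04-17T09:00:00Z"),
    _ev("GetObject", LEAKED, "corp-data", "reports/q1.csv", "SSE_KMS", "2025-04-17T09:05:00Z"),
    _ev("PutObject", LEAKED, "corp-data", "reports/q1.csv", "SSE_C", "2025-04-17T09:06:00Z"),
    _ev("PutObject", LEAKED, "corp-data", "reports/q2.csv", "SSE_C", "2025-04-17T09:06:10Z"),
    _ev("PutObject", LEAKED, "corp-data", "hr/payroll.xlsx", "SSE_C", "2025-04-17T09:06:20Z"),
    _ev("PutObject", LEAKED, "corp-data", "README_TO_RECOVER.txt", "SSE_C", "2025-04-17T09:07:00Z"),
]

WRITE_EVENTS = ("PutObject", "CopyObject")


def sse_c_writes(events):
    """Return (principal, bucket, key) for every object written with SSE-C."""
    hits = []
    for e in events:
        if e["eventName"] not in WRITE_EVENTS:
            continue
        if e["additionalEventData"].get("SSEApplied") != "SSE_C":
            continue
        rp = e["requestParameters"]
        hits.append((e["userIdentity"]["arn"], rp["bucketName"], rp["key"]))
    return hits


def bulk_sse_c_principals(events, threshold=3, window=timedelta(minutes=10)):
    """Principals that wrote at least `threshold` SSE-C objects inside `window`.

    One SSE-C upload can be legitimate; several in a few minutes from one
    identity, overwriting existing objects, is the extortion pattern described
    in the bulletin.
    """
    times = defaultdict(list)
    for arn, _bucket, _key in sse_c_writes(events):
        pass  # keys are collected below together with their timestamps
    for e in events:
        if e["eventName"] in WRITE_EVENTS and \
           e["additionalEventData"].get("SSEApplied") == "SSE_C":
            times[e["userIdentity"]["arn"]].append(
                datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = set()
    for arn, ts in times.items():
        ts.sort()
        # sliding window: any `threshold` consecutive writes within `window`
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window:
                flagged.add(arn)
                break
    return flagged


def deny_sse_c_policy(bucket):
    """Bucket policy that refuses any upload requesting SSE-C.

    'Null: false' matches requests in which the customer-algorithm header is
    present, i.e. exactly the SSE-C uploads an attacker needs to make.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        }],
    }


if __name__ == "__main__":
    for hit in sse_c_writes(SAMPLE_EVENTS):
        print("SSE-C write:", hit)
    print("bulk SSE-C principals:", bulk_sse_c_principals(SAMPLE_EVENTS))
    print(json.dumps(deny_sse_c_policy("corp-data"), indent=2))
```

The detection needs S3 data events enabled in CloudTrail for the buckets in question; management events alone do not record `PutObject`. The deny policy is preventive rather than detective and blocks legitimate SSE-C use too, which is the trade-off to decide per bucket.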
Apple has issued important security updates to patch two zero-day vulnerabilities in iOS that have been actively exploited in the wild.
Claire Aird [12:20]: "Apple has rolled out iOS security updates to fix two zero-days that are being exploited in the wild."
The two bugs appear to have been chained, with the exploit delivered as malicious audio files. Apple describes the attack as extremely sophisticated and targeted at specific individuals, and it was spotted by both Apple's and Google's security teams.
Claire Aird [12:40]: "Apple says the attack is extremely sophisticated and is targeting specific individuals."
A suspected Advanced Persistent Threat (APT) group has been exploiting a recently patched Windows vulnerability to target government organizations in Poland and Romania.
Claire Aird [13:05]: "A suspected APT group is exploiting a recently patched Windows vulnerability to target government organisations in Poland and Romania."
The exploitation involves malicious Windows library files that leak victims' NTLM hashes. According to Check Point, the attack is triggered when users navigate to the folder containing the malicious file, requiring no further interaction.
Claire Aird [13:25]: "The attack triggers when users navigate to the folder where the malicious file is stored. No other interaction is required."
A vulnerability rated 10 out of 10 in severity has been discovered in the Erlang implementation of SSH, allowing remote attackers to execute malicious code on the SSH server without authentication.
Claire Aird [14:00]: "A critical vulnerability has been discovered in the Erlang implementation of SSH. The vulnerability allows remote attackers to run malicious code on the SSH server without authentication."
The flaw affects any SSH server built on the Erlang/OTP library. It was identified by a team of German academics, and its pre-authentication nature makes prompt patching essential.
The episode concludes with a network of thousands of Russian TikTok accounts exploiting a loophole in the platform's algorithm to sway public opinion in Ukraine.
Claire Aird [15:10]: "A network of thousands of Russian TikTok accounts are exploiting a loophole in the platform's algorithm in an attempt to influence public opinion in Ukraine."
Because TikTok allows brand-new accounts to go viral, the bot farms simply register fresh accounts whenever old ones are suspended. Ukrainian reporters have observed that some of these accounts receive hundreds of thousands of views without having any followers.
Claire Aird [15:30]: "Russia used the same TikTok manipulation tactic to boost an unknown candidate to victory in the first round of Romania's cancelled presidential election last year."
This tactic underscores the evolving nature of digital influence operations and the challenges faced in combating misinformation on social media platforms.
In this episode of Risky Bulletin, Claire Aird provides an in-depth analysis of pivotal cybersecurity events, highlighting both institutional challenges and emerging threats. From high-stakes legal battles involving key cybersecurity figures to sophisticated cyber-attacks exploiting platform vulnerabilities, the episode underscores the dynamic and often precarious nature of the cybersecurity landscape. Listeners gain valuable insights into how these developments may shape future security strategies and the broader implications for national and global cybersecurity efforts.