Risky Bulletin: Trump Orders Investigation into Former CISA Director Chris Krebs
Released on April 11, 2025
Introduction
In this episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the latest cybersecurity developments. Prepared by Catalin Cimpanu, the bulletin covers a range of critical issues, from high-profile investigations to emerging cyber threats.
1. Trump Orders Investigation into Former CISA Director Chris Krebs
At the forefront of today's cybersecurity news, former President Donald Trump has directed the Department of Justice (DOJ) to launch an investigation into Chris Krebs, the ex-Director of the Cybersecurity and Infrastructure Security Agency (CISA).
Claire Aird [00:04]: "Trump claims Krebs censored conservative viewpoints through CISA's anti-misinformation work and improperly described the 2020 election as the most secure election in American history."
This investigation has led to the suspension of Krebs' security clearances, alongside those of all employees at his current employer, SentinelOne. The company has reported that only ten employees are affected by this suspension. Trump's allegations focus on Krebs' role in combating misinformation and his assertions regarding the integrity of the 2020 election results, framing both as potential overreaches that may have influenced political narratives.
2. DOJ Disbands National Cryptocurrency Enforcement Team
In a significant shift in cryptocurrency regulation, the DOJ has announced the dismantling of its National Cryptocurrency Enforcement Team, established in 2022 to tackle crypto-related crimes.
Claire Aird [Timestamp]: "From here on out, the DOJ will only focus on the use of crypto by terrorists and drug cartels."
The team’s most notable achievement was its investigation into Binance, resulting in a $4.3 billion settlement over money laundering and sanctions violations. Moving forward, the DOJ will narrow its focus, concentrating exclusively on the use of cryptocurrencies by illicit actors such as terrorists and drug cartels, potentially leaving other areas of crypto-related crime less scrutinized.
3. NSO Group’s New Lobbying Efforts Amid Sanctions
Israeli spyware manufacturer NSO Group is ramping up its lobbying efforts in an attempt to have US sanctions lifted. The company has enlisted a new team of lobbyists with connections to the Republican Party and the Trump administration.
Claire Aird [Timestamp]: "Ahead of the 2024 election, NSO spent at least $1.8 million on a lobbying effort targeting Texas lawmakers."
This strategic move comes after the Biden administration placed NSO on the Commerce Department's entity list in 2022, restricting US entities from collaborating with the company. Despite these sanctions, court documents have revealed NSO’s extensive use of a WhatsApp exploit in 2019, targeting over 1,200 accounts across 51 countries. Notably, a third of these victims were in Mexico, alongside significant numbers in India and Bahrain. In response to reports of abuse, NSO has ceased operations with ten government clients, though investigations continue, including an ongoing probe by the Dutch government into data breaches at three ministries.
4. Data Breaches and Cyberattacks Affect Multiple Sectors
a. Dutch Government Ministries Targeted
The Dutch government is currently investigating a data breach affecting the Ministries of the Interior, Economic Affairs, and Climate and Green Growth. Officials have characterized the incident as a privacy breach, with investigations underway to determine the full scope and impact.
b. NetJets Suffers Customer Data Theft
Last month, hackers successfully phished an employee at NetJets, a private jet operator owned by Warren Buffett's Berkshire Hathaway. This breach resulted in the theft of customer information, though the company has stated that only a small number of owners were impacted.
c. South Korean AI Service Exposes Sensitive Data
A South Korean AI service specializing in face swapping and nude generation inadvertently exposed an unsecured database online. The exposed data, belonging to Genomis by AI Nomis, included over 93,000 generated images, some of which involved minors, raising significant privacy and ethical concerns.
5. Law Enforcement Actions Against Cybercrime Services
a. Europol's Crackdown on Malware Installation Services
European law enforcement has detained five individuals linked to a cybercrime service that facilitated the installation of malware through the Smoke Loader botnet. Europol utilized data seized in May to identify and dismantle the service, underscoring ongoing efforts to combat sophisticated cyber threats.
b. SentinelOne Identifies Exploitative AI-Powered Cybercrime Tools
SentinelOne has uncovered an underground service, Akira Bot, which leverages OpenAI tools to bypass CAPTCHAs, enabling the posting of SEO spam across more than 80,000 websites since its inception in September. This exploitation highlights the evolving nature of cyber tools and the increasing integration of AI in malicious activities.
6. Emerging Cyber Threats and Vulnerabilities
a. Zero-Day Vulnerability in Gladinet Servers
Threat actors are exploiting a zero-day vulnerability in Gladinet CenterStack file-sharing servers. The attack relies on a hard-coded cryptographic key, which enables both deserialization and code execution. Although Gladinet released a patch last week following the initial attacks in March, customers unable to apply the patch are advised to change the cryptographic key to mitigate the risk.
b. WordPress Vulnerabilities Remain Pervasive
According to the Wordfence annual WordPress security report, over 8,000 vulnerabilities were disclosed in the past year, with a quarter still unpatched. The majority of these vulnerabilities affect plugins, posing significant risks to WordPress sites. Only five of these issues impacted the core WordPress system.
c. Rise of Slop Squatting in Supply Chain Attacks
Security researchers have identified a new supply chain attack technique known as "slop squatting," inspired by AI slop and typo squatting. This method involves registering software package names generated erroneously by generative AI coding tools, exploiting the tendency of developers to use these AI-suggested names without verification. Academic research indicates that one in five AI-suggested package names do not exist, providing ample opportunities for malicious actors to infiltrate software dependencies.
Claire Aird [Timestamp]: "Slop squatting involves threat actors registering software package names hallucinated by generative AI coding tools."
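The verification step the summary says developers skip can be automated as a pre-install gate: every name in an AI-generated requirements file is checked against a vetted package list, and near-misses are flagged as lookalikes rather than silently installed. This is an added example, not code from the episode or from any of the researchers mentioned; the allowlist, the requirements text and the similarity threshold are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist standing in for a curated internal index or lockfile
# (hypothetical set; a real gate would read the team's vetted package list).
KNOWN_PACKAGES = {"requests", "flask", "numpy", "pyyaml", "cryptography"}

# Constructed requirements text of the kind an AI coding assistant might emit.
# "requets" is a one-letter lookalike; "numpy-utils-pro" is a hallucinated name.
AI_SUGGESTED_REQUIREMENTS = """\
requests>=2.31
flask==3.0.0
requets
numpy-utils-pro
PyYAML
"""

def normalize(name):
    """Fold case and runs of '-', '_' and '.' the way PEP 503 does."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Return bare project names, ignoring comments, blank lines and version specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names

def classify(name, known, threshold=0.85):
    """Return 'ok', 'lookalike:<vetted name>' or 'unknown' for one requested package."""
    n = normalize(name)
    known_norm = {normalize(k) for k in known}
    if n in known_norm:
        return "ok"
    best, score = None, 0.0
    for k in known_norm:  # closest vetted name by string similarity
        r = SequenceMatcher(None, n, k).ratio()
        if r > score:
            best, score = k, r
    return f"lookalike:{best}" if score >= threshold else "unknown"

def vet_requirements(text, known=KNOWN_PACKAGES):
    """Map each requested name to a verdict; anything other than 'ok' should block the install."""
    return {name: classify(name, known) for name in parse_requirements(text)}

if __name__ == "__main__":
    for name, verdict in vet_requirements(AI_SUGGESTED_REQUIREMENTS).items():
        print(f"{name:20s} {verdict}")
```

Run in CI before `pip install`, a non-"ok" verdict fails the build so a hallucinated or lookalike name is reviewed by a human instead of being resolved from the public registry.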
Conclusion
Today's Risky Bulletin underscores the dynamic and multifaceted nature of cybersecurity threats and the evolving landscape of regulatory and enforcement actions. From high-stakes political investigations and significant data breaches to the emergence of innovative cyber attack techniques, staying informed and vigilant remains paramount. As always, Risky Business continues to monitor these developments to provide timely and insightful updates to its audience.
This summary was crafted based on the transcript provided and reflects the key points discussed in the April 11, 2025 episode of Risky Bulletin.