Claire Aird
Trump orders an investigation into former CISA director Chris Krebs. The US DOJ disbands its crypto crime team, NSO hires a new lobby team and researchers raise the alarm on something called slop squatting. This is the Risky Bulletin prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 11th of April.

US President Donald Trump has ordered the Department of Justice to investigate former CISA Director Chris Krebs. Trump claims Krebs censored conservative viewpoints through CISA's anti-misinformation work and improperly described the 2020 election as the most secure election in American history. Now the order has suspended Krebs' security clearances, as well as those of all employees at Krebs' current employer, SentinelOne. The company has said that only 10 employees are impacted.

The US Department of Justice is dismantling its National Cryptocurrency Enforcement Team. The team was established in 2022 to investigate cryptocurrency crime. Its most significant investigation targeted Binance over money laundering and sanctions violations. The action resulted in a $4.3 billion settlement. From here on out, the DOJ will only focus on the use of crypto by terrorists and drug cartels.

US Senator Ron Wyden has placed a hold on Sean Plankey's nomination as CISA Director. Wyden plans to block the nomination until CISA releases a 2022 report on the security of US telcos. Wyden says the report is unclassified, but CISA has repeatedly refused to release it. He believes the report exposes major security lapses at US telcos, which may be implicated in China's Salt Typhoon hacking campaign.

Israeli spyware maker NSO Group has hired new lobbyists to persuade the White House to lift sanctions against the company. According to Wired, the new team has ties to the Republican Party and the Trump administration. Ahead of the 2024 election, NSO spent at least $1.8 million on a lobbying effort targeting Texas lawmakers. In 2022, the Biden administration added NSO to the US Commerce Department's entity list, preventing any US organisation or government agency from working with the company.

Sticking with the NSO Group, court documents have shown that the company used a WhatsApp exploit against 1,200 accounts in a 2019 campaign. A third of the victims were located in Mexico, according to documents published during Meta's lawsuit against the Israeli spyware company. Other significant regions included India and Bahrain. In total, NSO customers deployed the WhatsApp exploit in 51 countries, including the UK, the US, Spain and the Netherlands. The court documents also revealed that NSO cut off 10 government customers following reports of abuse.

The Dutch government is investigating a data breach at three ministries. The incident is impacting the Ministry of the Interior, the Ministry of Economic Affairs and the Ministry of Climate and Green Growth. Officials have described the incident as a privacy breach and said the situation is being investigated.

Hackers have stolen customer information from private jet operator NetJets. The hack took place last month after an employee was phished. The company has said a small number of owners were impacted. NetJets is owned by Warren Buffett's Berkshire Hathaway Co.

A South Korean AI face-swapping and nude generator service left a database exposed on the Internet without a password. The database contained more than 93,000 generated images, according to the researcher who found it. The database allegedly belonged to the company GenNomis by AI-Nomis and contained pornographic images, including images of children.

European law enforcement has detained five suspects linked to the Superstar pay-per-install cybercrime service. The service allowed cybercrime groups to install their own malware on systems that had previously been infected with the Smoke Loader malware. Europol says it identified the service and its operators using data seized from the Smoke Loader botnet last May.

SentinelOne has discovered an underground cybercrime service that abuses OpenAI tools to bypass CAPTCHAs. AkiraBot has posted spam on more than 80,000 websites since launching in September. Its primary use is posting SEO spam in the comments of higher-ranked websites.

Threat actors are exploiting a zero-day vulnerability to take over Gladinet CentreStack file-sharing servers. The attack relies on a hard-coded cryptographic key which leads to deserialization and code execution. Gladinet released a patch last week following initial attacks in March. Customers who can't install the patch are advised to change the hard-coded key.

Security researchers disclosed more than 8,000 WordPress vulnerabilities last year, but a quarter of those have not received a patch, according to the Wordfence annual WordPress security report. More than 96% of the bugs affect plugins, which are the main risk to WordPress sites. Only five of the 8,000 issues disclosed last year impacted core WordPress.

And finally, security researchers are warning about a new supply chain attack technique dubbed slop squatting. The technique is inspired by the terms AI slop and typo squatting. It involves threat actors registering software package names hallucinated by generative AI coding tools. Academic research published last month found that one in five package names suggested by AI coding tools don't exist. And that is all for this podcast edition. Thanks, Sea Company.
Risky Bulletin: Trump Orders Investigation into Former CISA Director Chris Krebs
Released on April 11, 2025
Introduction
In this episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the latest cybersecurity developments. Prepared by Catalin Cimpanu, the bulletin covers a range of critical issues from high-profile investigations to emerging cyber threats.
At the forefront of today's cybersecurity news, US President Donald Trump has directed the Department of Justice (DOJ) to launch an investigation into Chris Krebs, the ex-Director of the Cybersecurity and Infrastructure Security Agency (CISA).
Claire Aird [00:04]: "Trump claims Krebs censored conservative viewpoints through CISA's anti misinformation work and improperly described the 2020 election as the most secure election in American history."
The order has also suspended Krebs' security clearances, alongside those of all employees at his current employer, SentinelOne. The company has reported that only ten employees are affected. Trump's allegations focus on Krebs' role in combating misinformation and his assertions regarding the integrity of the 2020 election results.
In a significant shift in cryptocurrency regulation, the DOJ has announced the dismantling of its National Cryptocurrency Enforcement Team, established in 2022 to tackle crypto-related crimes.
Claire Aird [Timestamp]: "From here on out, the DOJ will only focus on the use of crypto by terrorists and drug cartels."
The team’s most notable achievement was its investigation into Binance, resulting in a $4.3 billion settlement over money laundering and sanctions violations. Moving forward, the DOJ will narrow its focus, concentrating exclusively on the use of cryptocurrencies by illicit actors such as terrorists and drug cartels, potentially leaving other areas of crypto-related crime less scrutinized.
Israeli spyware manufacturer NSO Group is ramping up its lobbying efforts in an attempt to have US sanctions lifted. The company has enlisted a new team of lobbyists with connections to the Republican Party and the Trump administration.
Claire Aird [Timestamp]: "Ahead of the 2024 election, NSO spent at least $1.8 million on a lobbying effort targeting Texas lawmakers."
This lobbying push comes after the Biden administration placed NSO on the Commerce Department's entity list in 2022, restricting US organisations and government agencies from working with the company. Separately, court documents published during Meta's lawsuit against NSO show that the company's WhatsApp exploit was used against 1,200 accounts in a 2019 campaign spanning 51 countries. A third of those victims were in Mexico, with India and Bahrain also heavily represented. The same documents reveal that NSO cut off ten government customers following reports of abuse.
a. Dutch Government Ministries Targeted
The Dutch government is currently investigating a data breach affecting the Ministries of the Interior, Economic Affairs, and Climate and Green Growth. Officials have characterized the incident as a privacy breach, with investigations underway to determine the full scope and impact.
b. NetJets Suffers Customer Data Theft
Last month, hackers successfully phished an employee at NetJets, a private jet operator owned by Warren Buffett's Berkshire Hathaway. This breach resulted in the theft of customer information, though the company has stated that only a small number of owners were impacted.
c. South Korean AI Service Exposes Sensitive Data
A South Korean AI service specializing in face swapping and nude generation left a database exposed online without a password. The exposed data, allegedly belonging to GenNomis by AI-Nomis, included over 93,000 generated images, some of which depicted minors, raising significant privacy and ethical concerns.
a. Europol's Crackdown on Malware Installation Services
European law enforcement has detained five individuals linked to the Superstar pay-per-install service, which let other cybercrime groups install their own malware on systems already infected with Smoke Loader. Europol identified the service and its operators using data seized from the Smoke Loader botnet last May.
b. SentinelOne Identifies Exploitative AI-Powered Cybercrime Tools
SentinelOne has uncovered AkiraBot, an underground service that uses OpenAI tools to bypass CAPTCHAs and has posted SEO spam on more than 80,000 websites since launching in September, mostly in the comment sections of higher-ranked sites. It is a further example of AI being folded into commodity cybercrime tooling.
a. Zero-Day Vulnerability in Gladinet Servers
Threat actors are exploiting a zero-day vulnerability in Gladinet CentreStack file-sharing servers. The attack relies on a hard-coded cryptographic key, which leads to deserialization and code execution. Gladinet released a patch last week following the initial attacks in March; customers unable to apply it are advised to change the hard-coded key to mitigate the risk.
b. WordPress Vulnerabilities Remain Pervasive
According to the Wordfence annual WordPress security report, more than 8,000 vulnerabilities were disclosed last year, and a quarter of them remain unpatched. More than 96% affect plugins, which are the main risk to WordPress sites; only five of the issues impacted WordPress core.
c. Rise of Slop Squatting in Supply Chain Attacks
Security researchers have identified a new supply chain attack technique known as "slop squatting," inspired by AI slop and typo squatting. This method involves registering software package names generated erroneously by generative AI coding tools, exploiting the tendency of developers to use these AI-suggested names without verification. Academic research indicates that one in five AI-suggested package names do not exist, providing ample opportunities for malicious actors to infiltrate software dependencies.
Claire Aird [Timestamp]: "Slop squatting involves threat actors registering software package names hallucinated by generative AI coding tools."
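One defender-side control that the slop-squatting story points to, written here as an added illustration rather than anything from the episode or the cited research: treat any dependency name absent from a vetted allowlist as unverified, and separately flag names within a couple of edits of a vetted package, since those are the names a hallucination or a typo is likeliest to produce. The allowlist and the requirements text below are constructed.

```python
import re

# Constructed allowlist: packages this team has actually reviewed and pinned
# (illustrative names only, not taken from any real project).
VETTED = {"requests", "numpy", "pandas", "cryptography", "PyJWT", "boto3"}

def normalize(name):
    """PEP 503 name normalization so 'PyJWT' and 'pyjwt' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a, b):
    """Edit distance; one or two edits from a vetted name is a classic squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text):
    """Pull bare project names out of requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()            # drop trailing comments
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:                                           # blanks and '-r' options don't match
            names.append(m.group(0))
    return names

def audit(requirements, vetted=VETTED, max_dist=2):
    """Bucket each requested name as vetted, a near-miss of a vetted name, or unknown;
    anything outside 'vetted' needs a human to confirm the package before install."""
    vetted_norm = {normalize(v) for v in vetted}
    report = {"vetted": [], "near_miss": [], "unknown": []}
    for name in parse_requirements(requirements):
        n = normalize(name)
        close = sorted(v for v in vetted_norm if levenshtein(n, v) <= max_dist)
        if n in vetted_norm:
            report["vetted"].append(name)
        elif close:
            report["near_miss"].append((name, close))
        else:
            report["unknown"].append(name)
    return report

# Constructed sample: a requirements file drafted with an AI coding assistant.
SAMPLE = """requests==2.31.0
pyjwt>=2.8
numpi              # one edit from numpy: a hallucination an attacker could register
flask-secure-auth  # plausible-sounding, but nobody on the team has vetted it
"""
```

Running `audit(SAMPLE)` puts `numpi` in the near-miss bucket next to `numpy` and `flask-secure-auth` in the unknown bucket; a CI step can fail the build on either until someone confirms the package is real and intended.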
Conclusion
Today's Risky Bulletin underscores the dynamic and multifaceted nature of cybersecurity threats and the evolving landscape of regulatory and enforcement actions. From high-stakes political investigations and significant data breaches to the emergence of innovative cyber attack techniques, staying informed and vigilant remains paramount. As always, Risky Business continues to monitor these developments to provide timely and insightful updates to its audience.
This summary was crafted based on the transcript provided and reflects the key points discussed in the April 11, 2025 episode of Risky Bulletin.