For the first time in a long while, the federal government and the software sector alike finally have the tools and resources needed to do security well — consistently and cost-effectively.

Source: Vladimir Stanisic via Alamy Stock Photo

COMMENTARY

The federal government is often slow moving when it comes to various technology modernization efforts (thanks to the obstacles posed by resourcing, staffing, and politics), so it's no surprise that a lack of cybersecurity awareness and action has caused federal infrastructure to reach new levels of criticality. 

Year after year we see data breaches become more commonplace, with ransomware plaguing organizations and agencies of all sizes, while foreign adversaries continue to work their way into our networks and most high-value infrastructure. There's a good reason why trust has been slowly eroding across our federal institutions over the past 20 years. But aptly timed in this tumultuous era — and released during his final days in office — is the Biden administration's executive order on Strengthening and Promoting Innovation in the Nation's Cybersecurity. 

My take is that it's certainly good. And it's certainly needed. There's clearly a problem in shoring up our national supply chain. Our adversaries are getting stronger every day, and they're exploiting gaps and weaknesses in our interconnected systems in a way that's very real and urgent. Plus, as our workforce (federal and private) continues to modernize, digitalize, and work from anywhere, our inability to reconcile secure-by-design development with fast work-from-anywhere productivity has created a harsh reality. 

The takeaways from this executive order are the same as ever. People have long deprioritized getting the basics right when it comes to cybersecurity. A history of sporadic and continuous investment in legacy IT has left organizations ripe for and open to attacks. In fact, 90% of organizations lack visibility over all their endpoints at any given time, and in 2024, breaches caused by the successful exploitation of vulnerabilities went up 180% year over year. There remains an evident education, enforcement, and skills gap in cyber. How much longer will it take us to recognize and make the necessary changes to overcome these issues? 

But there are some positives. In my mind, here's why this executive order is different: It comes at a time when there's an actual, viable solution readily available to help the US federal government — and the larger software supply chain — overcome the challenges that have long stifled our collective resilience efforts. AI and automation pose a real and lasting way for the US federal government to shore up resilience, improve the integrity of the software supply chain, and upskill the federal workforce. AI allows organizations working with the federal government to reach a balance between productivity, growth, and security in a way that's never before been possible. 

As written in the executive order, "Artificial intelligence (AI) has the potential to transform cyber defense by rapidly identifying new vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense." AI, when used strategically to analyze, synthesize, and inform security actions — particularly in areas like patch management and vulnerability assessment — not only presents the opportunity to help the federal government achieve resilience, solidifying infrastructure and streamlining operations in the process, but also frees up critical talent to reach new goals and mission critical resilience objectives as they evolve. 

For the first time in a long while, the federal government and the software sector alike finally have the tools and resources needed to do security well — consistently and cost-effectively. Though like anything else in technology, not all of AI is created equal, and thoughtful adoption in addition to rigorous coding, testing, and transparent disclosure practices will be essential to ensure that we as a community and as a software supply chain continue to implement, grow, and refine accordingly. 

Even if this executive order gets overturned, mandates like these serve as a helpful reminder of all that is important — and possible — to prioritize and achieve in this new AI era. While utilizing AI won't be without its challenges, and no development program will ever be perfect, AI offers organizations a unique opportunity to strive for more, strengthen development and compliance practices, and grow, while upskilling the next crop of cybersecurity talent to more proactively get ahead of the next generation of threats. 

**About the Author**

Chief Trust Officer, NinjaOne

Mike Arrowsmith is the Chief Trust Officer at Ninjaone where he leads the organization’s IT, security, and support infrastructure to ensure NinjaOne meets customers’ security and data privacy demands as it scales. Prior to NinjaOne, Arrowsmith held top security roles at Guardant Health and Splunk, where he focused on managing and scaling IT and security teams. Arrowsmith brings a deep understanding of how high-value, fast-growth companies can navigate security challenges, embed a culture of security, and bake in data ethics to everything they do. Most of all, Arrowsmith has an unrelenting focus on customer experiences and is heavily involved in product development at NinjaOne, bringing a "company zero" mentality to his team.

Strengthening Our National Security in the AI Era

PRESS RELEASE

AUSTIN, TX, Jan. 21, 2025 (GLOBE NEWSWIRE) -- Automox launches FastAgent, a breakthrough in modern agent technology designed to deliver unprecedented speed, reliability, and control for IT professionals. 

With reimagined communication protocols, infrastructure, and user-facing functionality, FastAgent modernizes endpoint management to meet the evolving demands of secure enterprise environments.

"FastAgent represents a significant leap forward for IT teams seeking uncompromising reliability and empowered endpoint control," said Jason Kikta, CISO/VP of Product at Automox. "This innovation demonstrates our commitment to simplifying IT operations without sacrificing security or speed."

Key Innovations of FastAgent:

*   Industry-Leading Reliability: Agent-aware command tracking and hyper-efficient backend communication protocols ensure consistent, secure, device-centric management across Windows, macOS, and Linux systems. Persistent outgoing response queuing enables the agent to operate intelligently, even in high-traffic or intermittent connectivity situations. 
    
*   Unparalleled Scalability and Control: FastAgent enhances reliability without compromising security policies. With dynamic reconnection delay, configuration IT teams can tailor agent reconnection attempts for environments with strict network policies, such as those using network access control (NAC) solutions, to maximize reliability and connectivity between Automox and devices. 
    
*   Intuitive User Experience with Automox Tray: Automox Tray provides end users with an intuitive, familiar, and friendly interface for managing system updates and device reboots. This innovative experience maintains security SLAs while delivering transparency and control to end users. 
    

FastAgent's advanced capabilities are built to scale, offering IT decision-makers certainty in maintaining secure, efficient, and consistent configurations across all their Windows, macOS, and Linux endpoints.

Up Next: End-User Empowerment with Automox Tray

Automox Tray redefines the end-user experience between IT and the workforce with an approachable, modern notification system for Windows, macOS, and third-party updates. IT teams can implement deadline-based notifications to streamline updates and reboot processes while ensuring business-critical systems stay compliant and secure.

Enhanced IT Efficiency with Automox FastAgent

FastAgent brings a comprehensive set of industry-leading capabilities:

1.  Redesigned Backend Protocols ensure scalability and low latency. 
    
2.  Persistent Response Queuing enables command delivery under any network condition. 
    
3.  Enhanced Security Controls allow configurable reconnection delays to improve stability in highly controlled environments. 
    

By combining enhanced functionality with industry-leading automation, FastAgent empowers organizations to address key IT challenges, maintain compliance, and improve operational efficiency.

About Automox

Automox is the IT automation platform for modern organizations. Policy-driven human-controlled automation empowers IT professionals to prove vulnerabilities are fixed, slash cost and complexity, win back hours in their days, and delight end users. 360+ Automox Worklet automation scripts make it easy for IT to save time, reduce risk, and thoughtfully automate OS, third-party software, and configuration updates on Windows, macOS, and Linux desktops, laptops, and servers.

Join thousands of IT heroes automating confidence across millions of endpoints with Automox. Learn more at www.automox.com, connect with the Automox Community, or connect with us on Twitter/X, Threads, LinkedIn, Facebook, Reddit, or Instagram.

Automox Releases Endpoint Management With FastAgent

Cybersecurity firm ESET uncovers PlushDaemon, a previously unknown APT group targeting South Korea, deploying a SlowStepper backdoor. This…

Cybersecurity firm ESET uncovers PlushDaemon, a previously unknown APT group targeting South Korea, deploying a SlowStepper backdoor. This article analyses the attack techniques, the capabilities of the SlowStepper malware, and the growing threat posed by this sophisticated APT group. 

Cybersecurity firm ESET has identified a new China-aligned Advanced Persistent Threat (APT) group, dubbed “PlushDaemon,” behind a cyber espionage operation targeting South Korea.

The attack camaign nvolved a **supply chain compromise**, where attackers infiltrated the legitimate update channels of IPany, a popular South Korean VPN software. PlushDaemon then replaced genuine installers with trojanized versions, which upon download and execution, deployed both the legitimate IPany VPN software and a custom backdoor named SlowStepper.

This means, by replacing the genuine installer with a trojanized version, PlushDaemon successfully embedded a malicious backdoor within the software. As per ESET’s **research**, SlowStepper is a feature-rich backdoor boasting over 30 modules. It is designed for extensive surveillance and data collection.

Written in C++, Python, and Go, the malware possesses a wide range of capabilities, including stealing sensitive data such as system information, user credentials, and network configurations, recording audio and video, enabling attackers to monitor their targets’ activities, and gathering detailed information about the victim’s network environment.

Webpage on the IPany site where the malicious installer was available for download (Via ESET)

In addition, the backdoor features advanced persistence mechanisms, such as deploying files that ensure the continued presence of SlowStepper on infected systems and utilizing legitimate tools to sideload malicious code. The trojanized installer utilize advanced communication methods to connect with command-and-control (C&C) servers.

Instead of embedding IP addresses directly within the malware, SlowStepper crafts DNS queries to retrieve TXT records containing base64-encoded, AES-encrypted C&C server addresses. This multi-layered approach makes detection more challenging.

While ESET telemetry revealed manual downloads of the compromised software, suggesting a broad targeting strategy, the attack specifically focused on entities within South Korea’s critical semiconductor and software industries. The timely intervention of ESET, which alerted IPany to the compromised installer, prevented further widespread infection. 

Although only recently discovered, researchers believe the PlushDaemon APT has been active since 2019, consistently building a diverse and powerful arsenal of tools. The sophistication of SlowStepper and the successful execution of this supply chain attack highlight the growing threat posed by this actor. 

To stay safe from these cyber espionage groups there is an urgent need for continuous monitoring. Organizations must prioritize software update channel security and implement stringent verification procedures to ensure the integrity of all updates. Additionally, proactive **threat intelligence** sharing are vital for identifying and mitigating such attacks before they inflict damage.

1.  **Hackers cloned NordVPN website to drop banking trojan**
2.  **Hackers clone ProtonVPN website with password stealer**
3.  **Fake VPN website delivering password-stealing malware**
4.  **N. Korean APT37 Unleashes Dolphin Backdoor on S. Korea**
5.  **Dark web hackers selling S. Korean, US payment card data**

Chinese PlushDaemon APT Targets S. Korean IPany VPN with Backdoor

Abnormal Security uncovers GhostGPT, an uncensored AI chatbot built for cybercrime. Learn how it boosts cybercriminals’ abilities, makes…

Abnormal Security uncovers GhostGPT, an uncensored AI chatbot built for cybercrime. Learn how it boosts cybercriminals’ abilities, makes malicious activities easier to execute, and creates serious challenges for cybersecurity experts.

Artificial intelligence (AI) has revolutionized countless industries, but its potential for misuse is undeniable. While **AI models like ChatGPT** have shown immense promise in various fields, their power can be easily exploited by threat actors through malicious AI chatbots like GhostGPT.

In late 2024, AI-powered email security solutions provider Abnormal Security uncovered this new AI chatbot designed specifically for cybercriminal activities. Dubbed GhostGPT, this malicious AI tool, readily available through platforms like Telegram, empowers cybercriminals with unprecedented capabilities, from crafting sophisticated phishing emails to developing sophisticated malware.

Unlike **traditional AI models** constrained by ethical guidelines and safety measures, GhostGPT operates without such restrictions. This unfettered access to powerful AI capabilities allows cybercriminals to generate malicious content, such as sophisticated phishing emails and malicious code, with unprecedented speed and ease. 

According to Abnormal Security’s analysis, GhostGPT is likely designed using a wrapper to connect to a **jailbroken version of ChatGPT** or an open-source LLM, removing ethical safeguards. This allows GhostGPT to provide direct, unfiltered answers to sensitive or harmful queries that traditional AI systems would block or flag.

This tool significantly lowers the barrier to entry for cybercrime. No longer requiring specialized skills or extensive technical knowledge, even less experienced actors can leverage the power of AI for malicious activities and launch more sophisticated and impactful attacks with greater efficiency.

Furthermore, GhostGPT prioritizes user anonymity, claiming that user activity is not recorded. This feature appeals to cybercriminals seeking to conceal their illegal activities and evade detection.

“GhostGPT is marketed for a range of malicious activities, including coding, malware creation, and exploit development. It can also be used to write convincing emails for business email compromise (BEC) scams, making it a convenient tool for committing cybercrime,” Abnormal Security’s **blog post** revealed.

GhostGPT’s easy availability on Telegram makes it highly convenient for cybercriminals. With a simple subscription, they can immediately start using the tool without the need for complex setups or technical expertise.

Abnormal Security researchers tested GhostGPT’s capabilities by creating a convincing **Docusign phishing** email template. The chatbot demonstrated its ability to trick potential victims, making it a powerful tool for anyone intending to use AI for malicious purposes.

GhostGPT on Telegram (left) – GhostGPT’s ad (right) – (Credit: Abnormal Security)

This is not the first time a chatbot has been created for malicious purposes. In 2023, researchers identified two other harmful chatbots, **WormGPT** and **FraudGPT**, which were used for criminal activities and caused serious concerns within the cybersecurity community.

Nevertheless, the rise in GhostGPT popularity, evidenced by thousands of views on online forums, indicates a growing **interest in AI by cybercriminals**, and the need for innovative cybersecurity measures. The cybersecurity community must continuously innovate and evolve its defences to stay ahead of the curve.

1.  **Malicious Abrax666 AI Chatbot Exposed as Potential Scam**
2.  **AI Generated Fake Obituary Websites Target Grieving Users**
3.  **Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack**
4.  **Facebook Phishing Scam: Messenger Chatbots Stealing Logins**
5.  **Mozilla 0Din Warns of ChatGPT Flaws Enabling Python Execution**

Meet GhostGPT: The Malicious AI Chatbot Fueling Cybercrime and Scams

Joe shares his recent experience presenting at the 32nd Crop Insurance Conference and how it's important to stay curious, be a forever student, and keep learning.

Thursday, January 23, 2025 14:05

Welcome to this week’s edition of the Threat Source newsletter.

Hello friends! Joe here again! I have just returned from the frozen northern tundra of Fargo, North Dakota. This was my first real visit to the frigid climates of the Midwest, and I have to say, they take cold to a new level. I was invited to present on cybersecurity at the 32nd Crop Insurance Conference, hosted by North Dakota State University (go Bisons!).

If you’re wondering why I or anyone would care to discuss cybersecurity in such a niche industry, the answer is simple: Everything is connected to security, even something you wouldn’t think would nominally matter. Agriculture and adjacent industries are roughly 6 percent of our GDP and account for about 10 percent of all U.S. jobs. The trillions of dollars that industry generates are targets for cyber-crime-motivated threat actors and nation-states who would seek to degrade it.

Agriculture is also a deeply underserved community and industry with regard to cybersecurity. And that’s both in general security literacy and security investments. So, I have a soft spot for folks up against threat actors who seek to exploit the most vulnerable, like agriculture industries. If the knowledge I can share will help them and their businesses stay more secure, it’s always worth it.

Pro-tip: If you ever find yourself at a conference, maybe to give a presentation, stay and listen beyond your time on the stage. For security conferences, sure, but for super niche or industry-specific conferences? Even better. I’m not a farmer or in agriculture, but I learned a lot in North Dakota. So, sit through other presentations – the further away from cyber security it is, the better. There’s more to this industry than malware analysis, threat actor cluster tracking, and incident response. For example, at this conference, I learned about climate change affecting agriculture, trade tariffs, agronomics, and insurance. You never know when that knowledge will pay dividends down the road for cybersecurity research. Stay curious, be a forever student, and keep learning.

**The one big thing**

Remember the old meme ‘Good luck, I’m behind seven proxies? Well, it still holds up in this Talos blog post. Proxy chains are something that hit our radar as old as VPNFilter, back in 2018. It’s a smart way to do business if your obscurity is your primary goal. TOR or other proxy solutions may have weaknesses that expose your operations to risk, and that’s why they’re getting more and more crafty about it. And we’ve moved far past generic VPN services for obscurity. Network defenders can find themselves between a rock and a hard place forensically when determining malicious connections to their networks.

**Why do I care?**

This is always going to be a sore point for network defenders. Adversaries are absolutely going to use and abuse any kind of proxy service to launch their attacks from. It’s an absolute given. It goes off the rails when it’s your own employees too. As per the blog post “Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly.”

**So now what?**

Using additional controls and forensic data is a must here. Identity and access management, combined with a mobile device management/application solution is key here. Control as much of your ecosystem as you absolutely can. This isn’t cheap, but it’s most certainly a step up from implementing MFA and hoping for the best.

**Top security headlines of the week**

*   Hold onto your seats – Mirai came in super-hot with a massive 5.6 Tbps DDoS attack. So far, the largest ever recorded. (Hacker News)
*   Here’s some sobering statistics about healthcare data breaches. “Between 2009 and 2023, 5,887 healthcare data breaches of 500 or more records were reported to OCR \[sic\] Office of Civil Rights. Those breaches have resulted in the exposure or impermissible disclosure of 519,935,970 healthcare records. That equates to more than 1.5x the population of the United States.” (HIPAA Journal) 
*   Businesses are folding a lot more due to cyber-attacks, and mostly at small and medium-sized businesses, which absolutely jives with what we see at Talos. Ransomware cartels love to target the small business. Cyber Insurance may be the saving grace here. (Bloomberg Law) 

**Can’t get enough Talos?**

*   My colleague Martin Lee did an amazing Net Academy series on threat intelligence 101. If you’re a NetAcad member, I highly suggest you watch it! And if not, sign up. It’s free!
*   In running the biggest scam ever, I still get to be on Talos podcasts. Listen to myself and my colleagues discuss crossword puzzles and why Pauly Shore gets a bad rap.

**Upcoming events where you can find Talos **

Cisco Live EMEA (February 9-14, 2025)   
Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86  
**VirusTotal:** https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
**Typical Filename:** endpoint.query  
**Claimed Product:** Endpoint-Collector  
**Detection Name:** W32.File.MalParent

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**VirusTotal:** https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**Typical Filename:** VID001.exe  
**Detection Name:** Simple\_Custom\_Detection

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**MD5:** 71fea034b422e4a17ebb06022532fdde  
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Coinminer:MBT.26mw.in14.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

Everything is connected to security

While employees want to take advantage of the increased efficiency of GenAI and LLMs, CISOs and IT teams must be diligent and stay on top of the most up-to-date security regulations.

Anuj Jaiswal, Chief Product Officer, Fortanix

January 23, 2025

3 Min Read

Source: LuckyStep48 via Alamy Stock Vector

COMMENTARY

The rapid rise of artificial intelligence (AI) has cast a long shadow, but its immense promise comes with a significant risk: shadow AI.

Shadow AI refers to the use of AI technologies, including AI models and generative AI (GenAI) tools outside of a company's IT-sanctioned governance. As more people use tools like ChatGPT to increase their efficiency at work, many organizations are banning publicly available GenAI for internal use. Among the organizations looking to prevent unnecessary security risks are those in the financial services and healthcare sectors, as well as technology companies like Apple, Amazon, and Samsung.

Unfortunately, enforcing such a policy is an uphill battle. According to a recent report, non-corporate accounts make up 74% of ChatGPT use and 74% of Gemini and Bard use at work. Employees can easily skirt corporate policies to continue their AI use for work, potentially opening up security risks.

The greatest among these is the lack of protection for sensitive data. As of March 2024, 27.4% of data inputted into AI tools would be considered sensitive, an increase from 10.7% at the same time last year. Protecting this information once it is put into a GenAI tool is virtually impossible.

The uncontrolled risk of shadow AI usage reveals the need for stringent privacy and security practices when employees use AI.

It all boils down to data. Data is the fuel of AI, but it is also the most valuable asset to organizations. Stolen, leaked, or corrupted data causes real, tangible harm to a business — regulatory fines from leaking personally identifiable information (PII), costs associated with leaked proprietary information like source code, and an increase in severe security breaches like hacks and malware.

To mitigate risk, organizations must secure their data while it's at rest, in transit, and in use. The counter to risky shadow AI use is having fine control over the information employees feed into large language models (LLMs).

**How Can CISOs Secure GenAI and Company Data?**

Securing sensitive company data is a challenging balancing act for chief information security officers (CISOs) as they weigh the desire for their organizations to take advantage of the perceived value of GenAI while also protecting the sole asset that makes these benefits possible — their data.

So, the question becomes: How do you do this? How do you get the balance right? How do you extract positive business outcomes while protecting the enterprise's most valuable asset?

At a high level, CISOs should look at protecting data through its entire life cycle. This includes:

*   Protecting the data before it is even ingested into the GenAI model
    

*   Ensuring that the data output is completely secured, as this new data will drive the business outcomes and create true value
    

If the data life cycle isn't secure, this becomes a business-critical exposure.

More specifically, a multifaceted approach is necessary to protect sensitive data from being leaked, and though it starts with limiting shadow AI as much as possible, it is just as important to preserve data security and privacy with some basic best practices:

*   Encryption: Data encryption across its life cycle is vital, but it's equally important to manage and store encryption keys securely and separately from the data itself.
    
*   Obfuscation: Use data tokenization to anonymize any sensitive or PII data that could be fed to an LLM. This prevents data that enters the AI pipeline from being corrupted or leaked.
    
*   Access: Apply granular, role-based access controls to data so that only authorized users can see and use the data in plain text.
    
*   Governance: Commit to ethical business practices, embed data privacy across all operations, and remain current on data privacy regulations.
    

As is often the case with most tech advancements, GenAI's ease and convenience come with some fallbacks. While employees want to take advantage of the increased efficiency of GenAI and LLMs for work, CISOs and IT teams must be diligent and stay on top of the most up-to-date security regulations to prevent sensitive data from entering the AI system. Along with making sure workers know the importance of data protection, it is key to mitigate potential risks by taking all measures to encrypt and secure data from the start.

**About the Author**

Chief Product Officer, Fortanix

Anuj Jaiswal is chief product officer at Fortanixa. He is seasoned product and engineering leader with an impressive track record spanning more than 20 years. Anuj previously served as vice president of engineering at Embrace.io and was a pivotal figure at Arkin, a company that caught the attention of VMware and was subsequently acquired in 2016. During his time at Arkin, Anuj played a critical role in the acquisition process, showcasing his strategic vision and technical insight. Before Arkin, Anuj worked as a senior leader at FrontRange Solutions (acquired by Ivanti) and DBO2 (acquired by Predictive Solutions).

Anuj's domain knowledge is extensive, covering crucial areas such as cloud security, network security, cybersecurity, data security and application performance monitoring (APM) for both cloud and mobile applications. His approach to product management — vision, strategy, customer-centric, roadmapping, partnerships, and UX — has consistently resulted in products that drive revenue and growth for organizations while meeting customer needs. Anuj holds a master's degree in computer applications and a bachelor's degree in business administration.

The Security Risk of Rampant Shadow AI

Chinese hacks, rampant ransomware, and Donald Trump’s budget cuts all threaten US security. In an exit interview with WIRED, former CISA head Jen Easterly argues for her agency’s survival.

When I walk into Jen Easterly’s office on a bright January day in Arlington, Virginia, I’m greeted by a giant shark head lurking on the floor. I instantly spot a Rubik’s Cube—an Easterly hallmark—emblazoned with the logo of the organization she’s run for the past three and a half years—the Cybersecurity and Infrastructure Security Agency, or CISA, which President Donald Trump created during his first term.

Easterly, who is 56 years old, jumps to her feet to greet me. The first thing that hits me is her denim pants, which have a dragon on one leg and a serpent on the other. Then she launches into updates on CISA’s animated “Secure Our World” video series and, in the same breath, laments that she hasn’t had time for a private guitar lesson in weeks. Seemingly a regular day on the job for her, except for one thing. As of January 20, Inauguration Day, Easterly’s time at CISA would be over. Trump had fired the agency’s first director, Chris Krebs, after CISA refused to question the integrity of the 2020 election, and Easterly now says she wasn’t asked to stay. Rumors are swirling that CISA programs—or even the entire agency—may soon be on Trump’s chopping block.

The timing couldn’t be worse for the nation to lose its top cybersecurity cop. A Beijing-linked group called Salt Typhoon spent months last year rampaging through American telecoms and siphoning call logs, recordings, text messages, and even potentially location data. Many experts have called it the biggest hack in US telecom history. Easterly and her agency unknowingly detected Salt Typhoon activity in federal networks early last year—warning signs that ultimately sped up the unraveling of the espionage campaign.

The work of banishing Chinese spies from victim networks isn’t over, but the walls are already closing in on CISA. Trump's nominee to run the Department of Homeland Security, Kristi Noem, told a senate committee last week that CISA needs to be “smaller” and “more nimble.” And a day after the inauguration, all members of the Cyber Safety Review Board—who were appointed by Easterly and were actively investigating the Salt Typhoon breaches—were let go.

When Easterly officially became the agency’s second director, in 2021, the government was still reeling from a different blockbuster hack—SolarWinds. Kremlin-backed intruders had compromised widely used software to infiltrate the networks of US agencies and other targets. Helping US institutions defend themselves became an even more urgent and daunting project. CISA doesn’t enforce laws or collect intelligence; its job is to evangelize digital security measures and offer free services, so institutions can see what they need to do to not get hacked or—more realistically—get hacked less badly. Easterly got to work building relationships across the federal government and with state and local officials, corporate executives, and utility managers. In crises like the Salt Typhoon campaign, these relationships are crucial to quickly containing the damage.

It takes a determined person, and perhaps a charismatic one, to build rapport with such a wide-ranging group of people. Easterly has the background for it: She has worked in the Army (with multiple deployments), the National Security Agency, and the National Security Council under Barack Obama, and she spent nearly five years in charge of Morgan Stanley’s global cybersecurity. She also helped establish US Cyber Command within the Department of Defense. Somehow, though, she’s chill. To break the ice, and probably to make an impression, Easterly has leaned into her passions while in office, cubing and jamming with executives and utility operators around the country. And, yes, there’s her eclectic style—high fashion (by cybersecurity standards, anyway) mixed with bell-bottoms and Birkenstocks—but also her quiet, intense obsession with trying to solve the puzzle that is digital defense.

_This interview has been edited for length and clarity, combining on-camera and off-camera portions. Check out_ WIRED’_s YouTube channel_ _for the video._

**You’re in your last days as the director of CISA. How's it going?**

It's a little bittersweet.

**Why are you leaving?**

Well, at the end of the day, I'm a Senate-confirmed political appointee. We serve at the pleasure of the president. I've not been asked to stay.

**There are signs that the Trump administration may be hostile to some of CISA’s goals. Do you think the agency has proven it's valuable?**

We are America's cyberdefense agency, but our budget is less than $3 billion. I think the American people are getting an incredible return on investment. Anybody who looks at it will see that there's been an enormous amount of progress made in reducing risk to the critical infrastructure Americans rely on every hour of every day. We're talking water, power, transportation, communication, finance. It's not a political or partisan issue, and these threats are only getting more complicated, more dangerous. Any stepping back of what we've put in place will be to the detriment of the safety and security of the American people.

**One threat that’s top of mind is Salt Typhoon. How have past foreign espionage campaigns, like Russia’s SolarWinds attacks, informed the work you all are doing?**

What we saw in December 2020, with the revelations about the Russian intrusions into US federal government networks, as well as businesses around the world, was a pretty sophisticated supply-chain espionage operation. I would say the bumper sticker was to finally allow CISA to manage the .gov federal digital assets as one enterprise, not as a disparate tribe of a hundred separate departments and agencies. It's still a work in progress, but what we've put in place across the government over the past three and a half years has given us enormous visibility and has allowed us to detect intrusions much more rapidly, to be able to remediate them and to get ahead of future intrusions.

**It’s concerning how difficult it seems to have been for the telecoms to eradicate the Chinese hackers from their networks.** **Has there been progress in terms of that transparency and insight you're talking about?**

After the revelations of these breaches, we stood up what's called a unified coordination group. So we're responding, the FBI is investigating, folks like the National Security Agency are using what we see in the intelligence to understand the extent and the depth of this intrusion. And we're coming together to work with the victims. We've been doing that for months. This has unfortunately been out in the press a lot—

**I would say fortunately!**

Anything that gets out there has the downside of having adversaries change their tactics. So, while I think the transparency to consumers is important, it also makes it more difficult to then find these actors within the network. I don't expect it to be remediated in the short term.

**What about in the long term?**

Everybody should assume that our adversaries, in particular China, are attempting to go after our critical infrastructure. The private sector, they are on the front lines of this fight, because they own and operate the vast majority of our critical infrastructure. It's why companies need to put collaboration over self-preservation.

I want a future where something like a ransomware attack is a shocking anomaly. Where damaging software vulnerabilities exploited by nation-state actors are as infrequent as plane crashes. A world where the technology that we've come to rely on every hour of every day is first and foremost secure.

**It feels like hackers always find new ways to get where they want to go. Can you win at defense?**

I mean, you're right. Defense is hard. I say that as America's cyber head goalie. And that's why it has to be a team. As much as we work to hunt for and eradicate Chinese actors, our partners need to hold those actors accountable, whether that's through offensive cyber capabilities or indictments or sanctions. But, yes, we're on the defensive side, and it's a challenge.

Former CISA director Jen Easterly left office on Inauguration Day as rumors swirled about the fate of the agency.Photograph: Dana Scruggs

**Right now is a very scary and precarious time in cyberspace.**

I spent a lot of time in counterterrorism, and people would often say, “What keeps you up at night?” But it's really not what keeps me up at night. It's all about what gets you up in the morning. I love my team. I love the mission. Not every day is the best day ever, but you work through the issues, you stay resilient, you stay focused.

**Probably a necessary attitude for this type of work. But I just have to be that guy who asks you one more time: What keeps you up at night?**

A major conflict in Asia—the potential invasion or blockade of Taiwan by the People’s Republic of China—could have very real consequences here in the US. You could see pipelines and water being affected, telecommunications being severed, rail lines, power. That is all part of a very deliberate effort by the People’s Republic of China to incite what they call “societal panic” and to deter our ability to marshal military might and citizen will. We have to acknowledge that disruption may occur.

**Is the public paying too much attention to espionage campaigns like Salt Typhoon? Should we all be more worried about threats to critical infrastructure, like China’s Volt Typhoon?**

We are very focused overall on PRC cyber actors. CISA is one of the few agencies in the government that has been able to find both Volt Typhoon within critical infrastructure as well as Salt Typhoon. In fact, it was our work several months ago to find Salt Typhoon that then led to law enforcement identifying virtual private servers that were being leased by the adversaries, and then that unraveled the wider campaign.

**You and I have talked before about how Ukraine has faced years of punishing digital attacks and, of course, an ongoing kinetic war with Russia. CISA has partnered for a few years now with its counterpart agency in Ukraine. Do you have concerns that the Trump administration won't prioritize that relationship?**

Ukraine is under active assault by a very sophisticated threat actor. What we are learning from how they are dealing with those attacks actually helps us understand and mitigate similar threats to our own infrastructure. Cyber is a borderless space, and what our foreign partners see can absolutely benefit us. We need to ensure that all of us—from the vendors that create technology to companies that buy technology to citizens that consume technology—recognize our shared role in a collective defense of cyberspace and critical infrastructure.

**Do you feel that there are too many cooks in the US federal cybersecurity kitchen? Has that been an issue?**

It really has not. A lot of people have asked that question, but when the SolarWinds incident occurred I was looking at it as both the cyber policy lead for the Biden-Harris transition team and, perhaps more importantly, from my day job at Morgan Stanley. One advisory came out from CISA that was very SolarWinds-specific. We didn't have SolarWinds in our infrastructure. Another one came from NSA that was focused on VMware, and we did have VMware in our systems. It was not clear how these things were connected. And then you would see an FBI private-sector notice about something else. At this point I've already been in government for 27 years. I'd been in the military, the Department of Defense, the intelligence community, the White House. It's like, I know this. I thought I understood the government. And I couldn't make sense of what the government was trying to tell us about this Russian espionage campaign. It was one of the motivating things about coming to CISA. How do we bring together the federal cyber ecosystem?

The relationships with NSA, FBI, and CISA have never been better. Some of that is personalities, but I think we have actually developed institutional connective tissue, so that it will last. It's very, very clear what CISA’s role is. Now, you often talk about, what does the National Security Council do? What does the Office of the National Cyber Director do? I think we've sorted out the relationships at that level with policy and strategy, but really at the operational level where CISA lives, those relationships across the federal cyber ecosystem I think have never been better.

**You said that there is unfinished business as you prepare to leave CISA. Where do you wish you could have done more?**

There’s a lot of unfinished business. We have made an impact through our ransomware vulnerability warning pilot and our pre-ransomware notification initiative, and I’m really proud of that, because we work on preventing somebody from having their worst day. But ransomware is still a problem. We have been laser-focused on PRC cyber actors. That will continue to be a huge problem. I'm really proud of where we are, but there's much, much more work to be done. There are things that I think we can continue driving, that the next administration, I hope, will look at, because, frankly, cybersecurity is a national security issue.

**I have to ask you, there are rumors: Are you or are you not going on tour when you leave CISA?**

You know, I certainly hope to. I played piano and guitar when I was young, but I started taking up electric guitar, and that has become my passion, my obsession. So my big postretirement plan several years from now is to start a bar in lower Manhattan, to have a band. We're going to do magic. We're going to do improv. I'm going to be the bartender.

**And will there be Rubik's Cubes at every table?**

There will be Rubik's Cubes. I'm obsessed with the Rubik's Cube. When I was 11 these things were introduced across the world, and I was a huge puzzler and a video game person. I learned how to solve it, and then I would go to toy stores—I was this little kid with pigtails—and say, “Hey, if I can solve this in less than two minutes, will you give me a free one?” So I was able to amass this whole set of them.

**You must see some sort of connection between that and your day job.**

Ernő Rubik, who invented the thing, said something like, if you are curious, you will find puzzles around you. And if you are determined, you will solve them. And when I think about the incredible technical talent that we have here at CISA, it’s the intellectual curiosity, it’s the hacker mindset, it’s the problem solver. But it's also the determination, the relentless drive to solve the most complicated problems out there.

_Let us know what you think about this article. Submit a letter to the editor at_ _mail@wired.com._

Under Trump, US Cyberdefense Loses Its Head

Cybersecurity researchers have disclosed details of a new BackConnect (BC) malware that has been developed by threat actors linked to the infamous QakBot loader.
"BackConnect is a common feature or module utilized by threat actors to maintain persistence and perform tasks," Walmart's Cyber Intelligence team told The Hacker News. "The BackConnect(s) in use were 'DarkVNC' alongside the IcedID

 QakBot-Linked BC Malware Adds Enhanced DNS Tunneling and Remote Access Features

The AI-powered work platform helps organizations securely identify and access internal enterprise data as part of business processes and workflows.

Source: YAY Media AS via Alamy Stock Photo

NEWS BRIEF

All organizations, regardless of size or industry, are experiencing a data boom, with information being stored in multiple applications, such as Confluence, GitLab, Jira, Monday, Slack, Salesforce, and Zendesk. In turn, the ability to search through the mountains of data to find what they need has become increasingly more difficult. Enterprise search is an area where artificial intelligence (AI) can shine, with tools that take questions from users and them look through various information sources to provide relevant answers quickly.

The challenge, however, is delivering those answers without compromising data security. AI's ability to look at all of an organization's data means that an unauthorized actor could potentially manipulate the system to obtain information that they should not be able to access or use in a manner they should not. Doti AI, an AI-powered enterprise work platform that emerged from stealth today, promises to secure the organization's data while giving employees the ability to find information as part of existing workflows. For example, customer support teams can resolve issues faster by retrieving relevant knowledge base articles or identifying similar past cases without searching across multiple systems, the company said in a statement.

"Doti creates a centralized 'organizational brain' that empowers employees to find accurate, relevant information quickly and effortlessly," the company said.

The platform consolidates data from multiple business applications and sources and presents a single interface to the organization's data, the company said. Because it can handle both structured and unstructured data, users can use the platform to analyze codebases, draft communications, retrieve historical project context, and answer policy questions.

It can be deployed on-premises or in the cloud, and gives organizations robust security controls, including real-time permissions enforcement, hybrid deployment options, and granular access controls. Doti's approach to tenant segregation means customers have "complete flexibility and control over their data." The software-as-a-service customers get a dedicated database. Organizations can deploy the platform locally within their environment in either a fully on-premise or hybrid setup.

If someone compromises the organization, that actor will have only limited access to a limited subset of all the data the platform can see. Doti enforces document-level permissions at the data source. Each resource Doti retrieves is checked every time to ensure the user is allowed to access that information. Doti also developed a layer called "spaces," where specific data is bound to specific users. This means only the intended users can access that information.

The platform has both direct and indirect prompt injection guardrails to prevent leakage of unauthorized information.

As part of the launch, Doti AI also raised $7 million in seed funding led by F2 Venture Capital and several angel investors. Doti AI was founded in January 2024 by Matan Cohen and Opher Hofshi, who have experience in enterprise software and cybersecurity. They were both at Wix — where Cohen was the former software group manager and Hofshi was the former security architects team leader — where they saw firsthand the impact of "organizational information chaos" in large, fast-paced organizations.

**About the Author**

Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Doti AI Launches Platform to Securely Find Enterprise Data

The new administration moved quickly to remove any constraints on AI development and collected $500 billion in investment pledges for an American-owned AI joint venture.

Source: Andrey Popov via Alamy Stock Photo

President Donald Trump revoked former President Joe Biden's 2023 executive order aimed at putting security guardrails around artificial intelligence (AI) systems and their potential impact to national security, giving a major boost to private sector companies like OpenAI, Oracle, and Softbank. They responded in kind with collective pledges to spend up to $600 billion on building out AI infrastructure in the US.

Biden's AI executive order required developers of AI and large language models (LLMs) like ChatGPT to develop safety standards and share results with the federal government to help prevent AI-powered cyberattacks against citizens, critical infrastructure, dangerous biological weapons, and other areas affecting US national security.

**Artificial Intelligence Private Sector Ponies Up**

Fast on the heels of that revocation, the Trump administration unveiled Project Stargate, which is intended to funnel hundreds of billions into AI infrastructure in the US. The Stargate event at the White House was attended by SoftBank CEO Masayoshi Son, who had already pledged $100 billion to the fund. OpenAI CEO Sam Altman and Oracle co-founder Larry Ellison each pledged an initial $100 billion, all of which will be used to set up a separate company committed to US AI infrastructure. Microsoft, Nvidia, and semiconductor company Arm are also involved as technology partners.

During the ceremony, Ellison said there are already data centers in Texas under construction as part of Project Stargate.

Leading AI CEOs, including Marty Sprinzen, CEO of Vantiq, were delighted by the news.

"As I sit here at the World Economic Forum in Davos, Switzerland, the atmosphere is charged with enthusiasm following President Trump's announcement of the Stargate initiative — a collaboration between OpenAI, SoftBank, and Oracle to invest up to $500 billion in artificial intelligence infrastructure," Sprinzen said in a statement.

One outlier with less enthusiasm for Project Stargate is Elon Musk, who claimed the companies don't have the cash to cover the pledges.

**Trump Administration's AI Cybersecurity Plan**

It's still not completely clear this means if or how there will be any federal oversight of AI technology or its development.

The Biden AI executive order was far from perfect, according to Max Shier, CISO at Optiv, but he still would like to see some federal oversight of AI development.

"I don't disagree with the reversal per se, as I don't think the EO that Biden signed was adequate and it had its flaws," Shier says. "However, I would hope that they replace it with one that levies more appropriate controls on the industry that are not as overbearing as the previous EO and still allows for innovation."

Shier anticipates standards developed by the National Institute for Standards and Technology (NIST) and the International Organization for Standardization (ISO) will help "provide guardrails for ethical and responsible use."

For now, the new administration is ready to leave the task of developing AI with adequate safety controls in private sector hands. Adam Kentosh at Digital.ai says he is confident they are up to the task.

"The rapid pace of AI development makes it essential to strike a balance between innovation and security. While this balance is critical, the responsibility likely falls more on individual corporations than on the federal government to ensure that industries adopt thoughtful, secure practices in AI development," Kentosh says. "By doing so, we can avoid a scenario where government intervention becomes necessary."

That might not be enough, according to Shier.

"Private enterprise should not be allowed to govern themselves or be trusted to develop under their own standards for ethical use," he stresses. "There has to be guardrails provided that don't stifle smaller companies from participating in innovation but still allow for some oversight and accountability. This is especially true in instances where public safety or national security is at risk or has the potential to cause risk."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Tag

#intel