🎓️ Vulnerable U | #112

DOGE whistleblower details a crazy story, The CVE saga and avoiding disaster, Chris Krebs targeted by the Trump Administration, and so much more!

Read Time: 9 minutes

Howdy friends!

“Before RSA” is the phrase of the week. “Hey can we get this done before RSA?” In just a few days the phrase will be “After RSA” as in “let’s circle up after RSA on this.” - Hope you’re all hanging in.

Crazy news week, let’s get into it.

ICYMI

🖊️ Something I wrote: A thread as I went through the DOGE whistleblower testimony (Bsky, X, Threads, pick your poison)

🎧️ Something I heard: Nicole Perlroth’s new podcast - To Catch a Thief - was a jarringly accurate time warp for me back to the beginning of my career and the birth of the Chinese APT movement. I remember vividly some of the stories she tells. Highly recommend.

🎤 Something I said: They hacked a car via Bluetooth. Could even steer it while moving.

🔖 Something I read: I know I’ve said this in the last 2 newsletters already, but I’m still absolutely obsessed and now on book 6 of Dungeon Crawler Carl. Just blowing me away, especially pairing it with the audiobook.

📣 Something I think you’ll dig: I’m doing a webinar with a neuroscientist… Yes really! - The Science Behind Alert Fatigue in Security Teams — and How to Beat It - I’m super excited about this one, thanks to Ox Security for putting this together and having me. *Sponsored

Vulnerable News

A government tech worker just blew the whistle on some seriously sketchy stuff happening with Musk's DOGE team at the National Labor Relations Board. Daniel Berulis, a DevSecOps architect at NLRB, claims DOGE members were given god-mode access to sensitive systems, way beyond what they'd need to "analyze agency operations."

The most damning accusation IMO: Within minutes of DOGE accounts being created, someone in Russia was trying to log in with those exact credentials. Berulis spotted about 10GB of data being exfiltrated, observed suspicious containers and tokens designed to hide activity, and found altered security policies.

When Berulis raised concerns, managers initially took them seriously and started weekly insider threat meetings. But just as they were preparing to report the breach to US-CERT, higher-ups suddenly ordered them to drop the investigation entirely.

Days later, Berulis found a threatening note taped to his door with drone photos of him walking in his neighborhood. The NLRB officially denies any breach occurred, but Rep. Gerry Connolly has called for an investigation, noting the obvious conflict of interest since Musk's companies face enforcement actions from the very agency his team infiltrated.

I have more questions than answers about this one, and I wanted it to be more DOGE noise, but the testimony is very detailed and sounds horrible.

Also, kudos to NPR for the awesome report that broke this (read more)

Human factors play a role in 74% of breaches. That’s why many organizations are turning to automation for their phishing detection and response; not only to reduce errors, but also to save time and strengthen their organization's overall defense.

On April 22, join Tines and Material Security for Take the fear out of phishing response: Lessons from Material Security. During this webinar, you’ll learn:

  • The evolution and current landscape of phishing attacks

  • The key role of automation and AI in phishing response

  • Tips for fostering a phishing-resistant culture in your organization

*Sponsored

SentinelOne and Chris Krebs Saga

Too many stories to link to, so I'm putting this all under one heading.

The White House announces Trump will be taking action against Chris Krebs, the former head of CISA who famously declared the 2020 election secure and legitimate.

White House Statement: https://www.whitehouse.gov/presidential-actions/2025/04/addressing-risks-from-chris-krebs-and-government-censorship/ and https://www.whitehouse.gov/fact-sheets/2025/04/fact-sheet-president-donald-j-trump-addresses-risks-from-chris-krebs-and-government-censorship/ - These statements say they are removing the security clearance of not only Chris, but all of his coworkers at SentinelOne, where he now works after leaving public service. They also say this is to “ensure loyalty” - so I read this as a threat to anyone moving against this administration: you can be labeled disloyal, and you and your entire company will not be allowed to work on government contracts.

Chris steps down from SentinelOne to try to spare his coworkers the splash damage, an absolute class act move - https://www.linkedin.com/posts/christopherckrebs_krebs-organizational-announcement-activity-7318394838817599489-9n62/

MITRE and CVE Saga

Slow news week? Here’s another one I can’t just give you one link on.

It started with Tib3rius breaking the news that MITRE was running out of funding due to a federal contract expiring and would no longer be able to support the CVE program.

This would be wildly catastrophic as much of the industry tooling we all rely on, whether you realize it or not, is built upon data that starts in the CVE database or the National Vulnerability Database (NVD) that would’ve also been impacted by this.

Then, in the 11th hour, CISA extended the contract. I’m not celebrating this; it was a self-own and a self-fix. This is the latest in a string of headlines that basically read to me as “Disaster of own making delayed for some amount of time.”

Simultaneously, a new non-profit emerged to try to diversify funding of CVE, as it’s long overdue to receive more global support; the entire industry depends on it, not just the US. Announcing the CVE Foundation.

Low Level has a good video on this.

Well, it finally happened. 4chan got properly hacked, and it's a doozy. The notorious image board has been down since Tuesday, with a hacker apparently having access to their systems for over a year. The damage includes screenshots of the site's backend, source code, and a list of the site's moderators and "janitors" (the lower-level mods who can delete posts but can't see IPs). One janitor confirmed to TechCrunch that the leaked data appears legit.

The hack also potentially exposed personal info of paying members. Given how many 4chan users pride themselves on anonymity while often "doxxing" others, there's a certain irony here. No official comment from 4chan yet. (read more)

Microsoft's spotted a classic malvertising campaign but this time it's delivering Node.js-based malware via crypto-themed ads. The scheme leads victims through a series of fake ads to download what looks like legit software, but instead installs malware that sets up shop via a scheduled task. Once on your system, it gathers system info through WMI queries, creates PowerShell persistence, and even throws up a decoy window showing a legit crypto site while it works in the background. (read more)

Do you think Fortinet got stoked to see CVE almost go away? No more CVEs!

They’ve got a serious situation on their hands - over 16,000 FortiGate devices are sporting an unwanted accessory in the form of a symlink backdoor. This isn't a fresh vulnerability but rather a clever persistence trick related to zero-days from 2023-2024. The attackers essentially created symbolic links in the language files folder that point to the root filesystem, giving them continued read-only access even after the original vulnerabilities were patched. Since these language files are accessible via SSL-VPN, the attackers could casually browse the folder and peek at sensitive files.

Fortinet has been quietly emailing affected customers and released updates to detect and remove these malicious symlinks. If your device shows up on the naughty list, you'll need to do some housekeeping - reset all credentials, since the attackers likely had access to your config files with all those juicy passwords. (read more. Additional coverage: BleepingComputer)
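As an added example (not Fortinet's own detection update, and not tied to any real FortiGate path): a defender-side check in the spirit of the story above, which walks a folder that a web service exposes to clients and flags any symlink whose resolved target lies outside that folder. The `lang/` fixture, the file names and the temp directory are all constructed here for the demo.

```python
"""Flag symbolic links inside a client-served folder that resolve outside it."""
import os
import tempfile
from pathlib import Path


def escaping_symlinks(served_root: str) -> list[tuple[str, str]]:
    """Return (link_path, raw_target) for every symlink under served_root whose
    resolved target is not inside served_root. A folder of static language
    files should only hold regular files, so any escaping link is suspect."""
    root = Path(served_root).resolve()
    findings = []
    # os.walk does not follow symlinks by default, so a link to "/" is listed
    # in dirnames but never descended into; we inspect both dirs and files.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = p.resolve(strict=False)
            # Inside the tree is fine; "/" or any ancestor of root is not.
            if target != root and root not in target.parents:
                findings.append((str(p), os.readlink(p)))
    return findings


def demo() -> dict:
    """Constructed fixture: one harmless in-tree link and one link that
    escapes to the filesystem root, mirroring the persistence trick described."""
    base = tempfile.mkdtemp()
    lang = Path(base) / "lang"            # hypothetical served language folder
    lang.mkdir()
    (lang / "en.json").write_text("{}")
    os.symlink("en.json", lang / "default.json")   # benign: stays in the tree
    os.symlink("/", lang / "flag.txt")             # escapes: points at root
    hits = escaping_symlinks(str(lang))
    return {
        "count": len(hits),
        "links": sorted(os.path.basename(link) for link, _ in hits),
    }


if __name__ == "__main__":
    print(demo())   # prints {'count': 1, 'links': ['flag.txt']}
```

Run it against the real exposed directory instead of the fixture, and treat every hit as a credential-reset trigger, as the advisory above recommends.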

Hertz breach includes driver's license info, which is big for identity theft (ask me how I know) - We’re unsure of the numbers on this one. (read more)

I’ve talked to a number of friends that are currently fighting a ton of incidents involving this ClickFix technique. Proofpoint has a good writeup here with a ton of examples.

They put together a report showing North Korean, Iranian, and Russian APT groups all experimenting with ClickFix - a gnarly social engineering technique where victims are tricked into copying and pasting malicious PowerShell commands. Over just three months, groups like TA427 (Kimsuky), TA450 (MuddyWater), and Russia's UNK_RemoteRogue all took it for a spin in their espionage campaigns, with targets ranging from think tanks to defense contractors.

These nation-state actors are essentially doing A/B testing with ClickFix - most tried it once, then went back to their regular tactics, though North Korea's crew came back for seconds months later. The technique itself isn't revolutionary - it's just replacing the installation/execution stages in their existing infection chains - but it shows how quickly state actors adopt new tricks from the criminal underground. The report suggests Chinese APTs are conspicuously missing from the ClickFix party, but Proofpoint thinks that's probably just a visibility issue rather than them sitting this one out. (read more)

Someone just pulled off the nerdiest prank of 2025 in the Bay Area. Crosswalk buttons across Palo Alto, Menlo Park and Redwood City were hacked to spout deepfake-style rants from tech billionaires Elon Musk and Mark Zuckerberg. Instead of the usual "wait" messages, pedestrians got treated to a fake Zuck talking about "forcefully inserting AI into every facet of your conscious experience" and a mock Musk lamenting "God knows I've tried" to buy happiness. (read more)

Apple just dropped some urgent updates after discovering that hackers were actively exploiting two zero-day vulnerabilities against "specific targeted individuals" on iOS. One bug lets attackers execute malicious code through specially crafted audio files, while the other bypasses Apple's pointer authentication security feature. The fact that Google's Threat Analysis Group discovered one of these bugs strongly suggests this isn't just some random hacker group - we're likely looking at nation-state level activity.

If you've got Apple devices, now would be a good time to update them. The patches are available for iOS (18.4.1), macOS Sequoia (15.4.1), Apple TV, and Vision Pro. Apple hasn't shared details on who was targeted or whether the attacks were successful, but the language about "extremely sophisticated" attacks against "specific targeted individuals" is classic PR-speak for "government spyware." These kinds of targeted zero-days are typically used for high-value surveillance rather than mass exploitation, so average users probably weren't in the crosshairs. (read more)

Russian hackers at Midnight Blizzard (aka Cozy Bear/APT29) have been targeting European embassies since January with fake wine-tasting invites that deliver a brand new malware loader called "GrapeLoader." Check Point researchers found this loader is significantly stealthier than their previous tools, using DLL sideloading with legit PowerPoint files and fancy memory protection tricks to dodge detection.

The new variant uses advanced obfuscation that breaks automated analysis tools, and since it runs entirely in memory, researchers couldn't even retrieve the full payload. (read more)

How many times do I have to say it? There is no such thing as a backdoor for only the “good guys” - and those quotes are doing heavy lifting there as law enforcement has proven they will abuse them.

Florida lawmakers are pushing a bill that would force social media companies to create encryption backdoors for law enforcement - and it just cleared committee with unanimous support. The "Social Media Use by Minors" bill would require platforms to decrypt users' end-to-end encrypted messages when served with a subpoena, give parents access to their kids' accounts, and ban disappearing messages for minors. It's basically the encryption backdoor debate all over again, and once again focused on the "think of the children" angle.

The EFF is calling the idea "dangerous and dumb" and pointing out the obvious paradox - you can't protect kids by making their communications less secure. Tech companies like Apple, Meta, and Google have been moving toward more encryption, not less, specifically so they can't access user content even if they wanted to. There's also the concerning detail that the bill might only require a subpoena (which doesn't need a judge's approval) rather than a proper warrant. The bill builds on Florida's previous attempts to restrict social media for under-16s, which are currently tied up in court challenges. (read more)

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay