Security leaders must address both internal and external risks, ranging from sophisticated cyberattacks to insider threats. At the same time, they must also adhere to an ever-growing list of regulations, including the General Data Protection Regulation (GDPR), the EU Cyber Resilience Acts (CRA) and industry-specific mandates like Payment Card Industry Data Security Standard (PCI DSS) and the Digital Operational Resilience Act (DORA). Balancing these concerns requires a strategic approach that integrates security and compliance without compromising operational efficiency.External threatsCybercr

Security leaders must address both internal and external risks, ranging from sophisticated cyberattacks to insider threats. At the same time, they must also adhere to an ever-growing list of regulations, including the General Data Protection Regulation (GDPR), the EU Cyber Resilience Acts (CRA) and industry-specific mandates like Payment Card Industry Data Security Standard (PCI DSS) and the Digital Operational Resilience Act (DORA). Balancing these concerns requires a strategic approach that integrates security and compliance without compromising operational efficiency.

**External threats**

Cybercriminals change up their tactics continuously, leveraging ransomware, phishing and software supply chain attacks to exploit known or emerging vulnerabilities. High-profile security breaches, such as those impacting financial institutions and healthcare organizations, highlight the need for robust cybersecurity measures. Security leaders must implement strong access controls, real-time threat detection and incident response strategies to mitigate risks.

**Internal threats**

Not all threats originate from external actors. Insider threats, whether malicious or accidental, also pose a significant risk. Employees may mishandle sensitive data, click on phishing links or abuse their access privileges. Organizations must deploy user behavior analytics (UBA) and data loss prevention (DLP) tools to monitor and help prevent these and other internal risks.

Here are some ways you can use technology to better address some security and compliance challenges:

**Artificial intelligence (AI)**

AI-driven security tools enhance threat detection by analyzing patterns in real time, identifying anomalies and predicting potential cyberattacks before they occur. Machine learning (ML) models can also help organizations comply with regulations by automating data classification and enforcing data protection measures.

While AI can help protect against attacks, it is also being used by cybercriminals, including novice threat actors, to execute sophisticated attacks with minimal expertise. AI-powered phishing campaigns and chatbots can craft highly convincing emails that evade traditional detection systems. It’s also feasible for AI-generated deepfakes  to be used for identity fraud attempts, as they can enable  attackers to potentially bypass authentication systems relying on various physical characteristics

**Zero trust security model**

A zero trust security framework is one in which no user or device is inherently trusted (“never trust, always verify”). By implementing strict access controls, continuous authentication and network segmentation, organizations can reduce both external and internal threats while simplifying compliance maintenance.

**Automated compliance management**

Regulatory compliance is a continuous process that requires consistent monitoring and reporting. Compliance automation platforms streamline policy enforcement, audit readiness and risk assessments, reducing the burden on security teams and minimizing the risk of non-compliance penalties.

**Why CISOs are deprioritizing generative AI**

Despite the rapid advancements in AI technology, many Chief Information Security Officers (CISOs) are deprioritizing generative AI (gen AI) due to a lack of proven value in security operations.Additionally, CISOs are wary of the risks associated with AI-generated content, including misinformation, adversarial attacks and compliance errors. Without clear regulatory frameworks and proven security use cases, many security leaders prefer to focus on more established technologies.

**What you can do**

Here are some ideas about how you can mitigate some of these issues.

**Invest in automation**

Organizations should explore automated security solutions such as Red Hat Ansible Automation Platform and Event-Driven Ansible that can streamline compliance reporting, detect threats in real time, and reduce human error in security operations.

**Adopt Kubernetes for security and scalability**

Containerized applications running on Kubernetes platforms, such as Red Hat OpenShift, provide greater operational resilience and security capabilities, enabling organizations to deploy scalable security controls and isolate workloads more effectively.

**Utilize AI for threat detection, not just compliance**

AI-driven security tools are increasingly critical for real-time anomaly detection, predictive threat intelligence and automated incident response.

**Implement a zero trust architecture**

Organizations should move towards a zero trust framework to enforce strict access controls and continuously validate the security posture of users and devices. Your operating system is the foundation for your IT environment and zero trust architecture, providing essential security features, controlling user and application access, encrypting sensitive information and protecting secrets to establish and maintain a security-focused computing environment.

To implement a zero trust architecture, your operating system must be able to isolate and control access to resources on an individual basis. Red Hat Enterprise Linux (RHEL) includes built-in mandatory access controls (MAC) with Security-Enhanced Linux (SELinux), a technology that manages access using centralized security policies.

**Continuously monitor and improve**

Cyber threats and compliance requirements are constantly evolving. Businesses should regularly audit security postures, refine security automation workflows, and stay updated on regulatory changes to maintain compliance and protect critical data assets.

Red Hat Advanced Cluster Security for Kubernetes helps you build, deploy and run cloud-native applications with an enhanced security posture. It helps protect containerized Kubernetes workloads in all major clouds, on premises and across hybrid platforms, including Red Hat OpenShift, Amazon Elastic Kubernetes Service (EKS), Microsoft Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE).

**Final thoughts**

Security, risk and privacy leaders must strike a delicate balance between mitigating technical risks and adhering to regulatory compliance requirements. By using advanced technologies such as AI, zero trust, cloud security and compliance automation, organizations can enhance their security posture while maintaining regulatory compliance.

The dual challenge: Security and compliance

Cybercriminals are using fake Social Security Administration emails to distribute the ScreenConnect RAT (Remote Access Trojan) and compromise…

Cybercriminals are using fake Social Security Administration emails to distribute the ScreenConnect RAT (Remote Access Trojan) and compromise user computers.

Cybersecurity experts have uncovered ongoing schemes where criminals are exploiting the US Social Security Administration (SSA) to trick people into installing a dangerous Remote Access Trojan (RAT) called ScreenConnect on their computers. Once installed, this program gives the attackers complete remote control, allowing them to steal personal information and install more harmful software. 

Researchers at Malwarebytes first noticed these fake emails that inform people that their “Social Security Statement is now available” and urged them to download an attachment or click a link to view it. These emails are designed to look very real, making it hard for people to tell they are fake. 

Image credit: Malwarebytes

The links or attachments in these emails lead to the download of a file that installs the ScreenConnect client. To make people think it’s safe, these files are sometimes given misleading names, such as “ReceiptApirl2025Pdfc.exe” or “SSAstatment11April.exe.”

ScreenConnect itself is a real tool used by companies for IT support, letting technicians help users remotely. However, in the hands of criminals, it becomes very dangerous. Once they have control of a computer through ScreenConnect, they can look at files, run programs, and steal sensitive data like bank details and personal identification numbers. The criminals behind this, sometimes called the Molatori group, primarily want to commit financial fraud. 

Security experts at Cofense also reported similar phishing campaigns impersonating the SSA. The emails often claimed to provide an updated benefits statement, using mismatched links or hiding malicious links behind buttons.

“While the exact structure of the email changes from sample to sample, the campaign consistently delivers an embedded link to a ConnectWise RAT installer,” Cofense researchers noted in their flash alert.

Their findings indicated that these fake emails aimed to install a ConnectWise RAT, a tainted version of the legit software ConnectWise Control (formerly ScreenConnect). This campaign saw an increase in activity leading up to the 2024 US presidential elections, peaking around mid-November 2024.

What makes these attacks tricky to spot is how the criminals operate. They often send these phishing emails from websites that have been compromised, making the email addresses appear legitimate. They also frequently embed the email content as an image, which stops email filters from being able to read and block harmful messages. Furthermore, because ScreenConnect is a widely used program, regular antivirus software might not automatically flag it as a threat.

This isn’t the first time criminals have misused legitimate remote access tools. As Hackread.com previously reported, similar tactics have been used in fake LinkedIn emails to spread the ConnectWise RAT.

These fake messages mimicked real InMail notifications, using older designs to appear convincing. Cybercriminals are also using sophisticated phishing emails that mimic well-known brands to steal information.

For example, a recent campaign targeted Australian airline Qantas, with fake emails designed to look like real marketing messages from the airline. These emails, discovered by Cofense Intelligence, tricked users into giving away their credit card details and personal information.

Fake SSA Emails Trick Users into Installing ScreenConnect RAT

A new analysis of TM Signal’s source code appears to show that the app sends users’ message logs in plaintext. At least one top Trump administration official used the app.

The communication app TeleMessage Signal, used by at least one top Trump administration official to archive messages, has already reportedly suffered breaches that illustrate concerning security flaws and resulted in its parent company imposing a service pause this week pending investigation. Now, according to detailed new findings from the journalist and security researcher Micah Lee, TM Signal's archiving feature appears to fundamentally undermine Signal's flagship security guarantees, sending messages between the app and a user's message archive without end-to-end encryption, thus making users' communications accessible to TeleMessage.

Lee conducted a detailed analysis of TM Signal's Android source code to assess the app's design and security. In collaboration with 404 Media, he had previously reported on a hack of TM Signal over the weekend, which revealed some user messages and other data—a clear sign that at least some data was being sent unencrypted, or as plaintext, at least some of the time within the service. This alone would seem to contradict TeleMessage's marketing claims that TM Signal offers “End-to-End encryption from the mobile phone through to the corporate archive.” But Lee says that his latest findings show that TM Signal is not end-to-end encrypted and that the company could access the contents of users' chats.

“The fact that there are plaintext logs confirms my hypothesis,” Lee tells WIRED. “The fact that the archive server was so trivial for someone to hack, and that TM Signal had such an incredible lack of basic security, that was worse than I expected.”

TeleMessage is an Israeli company that completed its acquisition last year by the US-based digital communications archiving company Smarsh. TeleMessage is a federal contractor, but the consumer apps it offers are not approved for use under the US government's Federal Risk and Authorization Management Program, or FedRAMP.

Smarsh did not return WIRED's requests for comment about Lee's findings. The company said on Monday, “TeleMessage is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation.”

Lee's findings are likely significant for all TeleMessage users but have particular significance given that TM Signal was used by President Donald Trump's now-former national security adviser Mike Waltz. He was photographed last week using the service during a cabinet meeting, and the photo appeared to show that he was communicating with other high-ranking officials, including Vice President JD Vance, US Director of National Intelligence Tulsi Gabbard, and what appears to be US Secretary of State Marco Rubio. TM Signal is compatible with Signal and would expose messages sent in a chat with someone using TM Signal, whether all participants are using it or some are using the genuine Signal app.

Lee found that TM Signal is designed to save Signal communication data in a local database on a user's device and then send this to an archive server for long-term retention. The messages, he says, are sent directly to the archive server, seemingly as plaintext chat logs in the cases examined by Lee. Conducting the analysis, he says, “confirmed the archive server has access to plaintext chat logs.”

Data taken from the TeleMessage archive server in the hack included chat logs, usernames and plaintext passwords, and even private encryption keys.

In a letter on Tuesday, US senator Ron Wyden called for the Department of Justice to investigate TeleMessage, alleging that it is “a serious threat to US national security.”

“The government agencies that have adopted TeleMessage Archiver have chosen the worst possible option,” Wyden wrote. “They have given their users something that looks and feels like Signal, the most widely trusted secure communications app. But instead, senior government officials have been provided with a shoddy Signal knockoff that poses a number of serious security and counterintelligence threats. The security threat posed by TeleMessage Archiver is not theoretical.”

The Signal Clone Mike Waltz Was Caught Using Has Direct Access to User Chats

Now the US director of national intelligence, Gabbard failed to follow basic cybersecurity practices on several of her personal accounts, leaked records reviewed by WIRED reveal.

Tulsi Gabbard, the director of national intelligence, used the same easily cracked password for different online accounts over a period of years, according to leaked records reviewed by WIRED. Following her participation in a Signal group chat in which sensitive details of a military operation were unwittingly shared with a journalist, the revelation raises further questions about the security practices of the US spy chief.

WIRED reviewed Gabbard's passwords using databases of material leaked online created by the open-source intelligence firms District 4 Labs and Constella Intelligence. Gabbard served in Congress from 2013 to 2021, during which time she sat on the Armed Services Committee, its Subcommittee on Intelligence and Special Operations, and the Foreign Affairs Committee, giving her access to sensitive information. Material from breaches shows that during a portion of this period, she used the same password across multiple email addresses and online accounts, in contravention of well-established best practices for online security. (There is no indication that she used the password on government accounts.)

Two collections of breached records published in 2017 (but breached at some previous unknown date), known as “combolists,” reveal a password that was used for an email account associated with her personal website; that same password, according to a combolist published in 2019, was used with her Gmail account. That same password was used, according to records dating to 2012, for Dropbox and LinkedIn accounts associated with the email address tied to her personal website. According to records dating to 2018 breaches, she also used it on a MyFitnessPal account associated with a me.com email address and an account at HauteLook, a now-defunct ecommerce site then owned by Nordstrom.

Records of these breaches have been available online for years and are accessible in commercial databases.

The password associated with all of the accounts in question includes the word “shraddha,” which appears to have personal significance to Gabbard: Earlier this year, The Wall Street Journal reported that she had been initiated into the Science of Identity Foundation, an offshoot of the Hare Krishna movement into which she was reportedly born and which former members have accused of being a cult. Several former adherents told The Journal that they believe Gabbard received the name “Shraddha Dasi” when she was allegedly received into the group. Gabbard’s deputy chief of staff, Alexa Henning, responded to questions from The Journal at the time by posting them on X and accusing the news media of publicizing “Hinduphobic smears and other lies.”

“The data breaches you’re referring to occurred almost 10 years ago, and the passwords have changed multiple times since,” wrote Olivia Coleman, a Gabbard spokesperson, in response to questions from WIRED. “As our deputy chief of staff has already made clear on a number of occasions, the DNI has never and doesn’t have affiliation with that organization. Attempting to smear the DNI as being in a cult is bigoted behavior.“

“Your bigoted lies and smears of a cabinet member and your story fomenting hinduphobia is noted,” wrote Henning in response to a follow-up question about the probability of Gabbard’s password containing the same name she was reportedly received into Science of Identity Foundation with, given her denials that she has ever been affiliated with the group. “This was well litigated during her confirmation hearing so congrats on being about 6 months late to this story. Great job.”

Science of Identity did not respond to a request for comment.

Security experts advise people to never use the same password on different accounts precisely because people often do so. If a password for one account is revealed in a breach, hackers will often attempt to use it to access other accounts controlled by the same person. Reusing passwords is especially dangerous with email, because a compromised email account can be used to reset credentials for other accounts or systems.

The Cybersecurity Infrastructure and Security Agency, the top US government authority on digital security, advises members of the public to use a password manager to generate a different password of at least 16 characters, consisting of random strings of mixed-case numbers, letters, and symbols or at least four unrelated words, for every account they use.

As director of national intelligence, Gabbard oversees the 18 organizations comprising the US intelligence community, including the Central Intelligence Agency and the National Security Agency, and their budget of roughly $100 billion. By statute, she is the principal adviser to the president and the National Security Council on intelligence matters relating to national security, and so is charged with maintaining the security of much of the most sensitive information in the government. The Democratic National Committee, citing a 2019 statement that Syrian dictator Bashar al-Assad was “not the enemy of the United States,” news reports on the support she has enjoyed from Russian state media, and her ties to “conspiracy theorists,” has characterized Gabbard as a “direct threat to our national security.”

Gabbard addressed these criticisms during her Senate confirmation hearings in January.

“Those who oppose my nomination imply that I am loyal to something or someone other than God, my own conscience, and the constitution of the United States, accusing me of being Trump’s puppet, Putin’s puppet, Assad’s puppet, a guru’s puppet, Modi’s puppet, not recognizing the absurdity of simultaneously being the puppet of five different puppet masters,” she said. “The fact is, what truly unsettles my political opponents is I refuse to be their puppet.”

Tulsi Gabbard Reused the Same Weak Password on Multiple Accounts for Years

Threat actors have been observed actively exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices to corral them into a Mirai botnet for conducting distributed denial-of-service (DDoS) attacks.
The activity, first observed by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025, involves the exploitation of two operating system command

Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet

Cybersecurity researchers have lifted the lid on two threat actors that orchestrate investment scams through spoofed celebrity endorsements and conceal their activity through traffic distribution systems (TDSes).
The activity clusters have been codenamed Reckless Rabbit and Ruthless Rabbit by DNS threat intelligence firm Infoblox.
The attacks have been observed to lure victims with bogus

New Investment Scams Use Facebook Ads, RDGA Domains, and IP Checks to Filter Victims

New research shows Google Cloud and smaller providers have the highest cloud vulnerability rates as compared to AWS…

New research shows Google Cloud and smaller providers have the highest cloud vulnerability rates as compared to AWS and Azure.

A new report by CyCognito reveals wide differences in security across cloud providers, with Google Cloud and several smaller players showing significantly higher rates of vulnerable assets than Amazon Web Services (AWS) or Microsoft Azure.

The research, based on nearly five million internet-exposed assets, comes at a time when cloud security is top of mind for many organizations. Palo Alto Networks recently reported a 388% year-over-year spike in cloud security alerts, driven by the growing complexity of multi-cloud environments and the rising number of exposed online assets.

CyCognito, known for its attack surface management platform, analyzed assets hosted by the three largest cloud platforms including AWS, Azure, and Google Cloud, along with a group of smaller cloud providers and major hosting companies. The goal was to assess which environments are exposing customers to more risk through vulnerabilities and misconfigurations.

****Google Cloud Leads in Overall Exposure****

The study found that 38% of Google Cloud-hosted assets had at least one security issue, compared to just 15% for AWS and 27% for Azure. That puts Google Cloud more than twice as risky as AWS by this measure.

The same 38% figure also applied to smaller cloud providers like Oracle Cloud, DigitalOcean, and Linode. Meanwhile, major hosting companies like GoDaddy, Hetzner, and DreamHost came in at 33%.

When looking specifically at critical issues, defined by a CVSS score of 9.0 or higher, Azure showed the highest rate among the big three, at 0.07%. AWS and Google Cloud both registered 0.04%.

Though these numbers may seem small, they represent significant exposure at scale. Across millions of assets, even a fraction of a percent can translate to hundreds of weak points.

Smaller cloud platforms were more concerning in this category. Nearly 0.5% of assets hosted by non-major clouds had critical vulnerabilities, a rate more than ten times higher than that of AWS or Google Cloud. Hosting providers weren’t far behind, with 0.32% of their assets falling into this category.

****Easy Targets Still Common****

CyCognito also looked at how exploitable these vulnerabilities are, not just how severe they look on paper. The company factored in threat intelligence and attacker behaviour to assess which issues would be easiest for attackers to exploit.

Here again, smaller providers fared poorly. More than 13% of assets on smaller clouds had easily exploitable flaws. For hosting providers, the number was close to 10%.

Among the big three, Google Cloud again led with 5.35% of assets having issues classified as easy to exploit. That’s more than twice the rate of AWS (1.98%) or Azure (2.37%).

Image credit: CyCognito

****Combined Risk Still Low at Major Providers****

While each of these risk types matters on its own, CyCognito also measured where they overlap assets with issues that are both critical and easy to exploit. Less than 0.1% of AWS, Azure, and Google Cloud assets fell into this high-risk category.

But outside the big players, things were more concerning. Around 0.3% of assets hosted on smaller clouds and 0.25% of those on hosting providers were affected by both critical and easily exploitable vulnerabilities. That’s roughly ten times the rate seen on AWS.

****What Security Teams Should Do****

With more organizations spreading their infrastructure across multiple cloud environments, visibility has become a major concern. Assets get forgotten, misconfigured, or left out of internal inventories, creating shadow IT that attackers can find and exploit.

CyCognito recommends organizations go further than traditional inventory tools and adopt “seedless” discovery techniques that don’t rely on internal documentation. It also urges the use of dynamic security testing after applications are deployed, not just during development.

New Cloud Vulnerability Data Shows Google Cloud Leads in Risk

Learn more about the framework Talos IR uses to conduct proactive threat hunts, and how we can help you stay one step ahead of emerging threats.

Tuesday, May 6, 2025 06:00

At Cisco Talos, we understand that effective cybersecurity isn’t just about responding to incidents — it’s about preventing them from happening in the first place. One of the most powerful ways we do this is through proactive threat hunting. Our Talos Incident Response (Talos IR) team works closely with organizations to not only address existing threats but to anticipate and mitigate potential future risks. A key component of our threat-hunting approach is the Splunk SURGe team’s PEAK Threat Hunting Framework, which enables us to conduct comprehensive and proactive hunts with precision.

**What is the PEAK Threat Hunting Framework?**

The PEAK Framework (Prepare, Execute, and Act with Knowledge) offers a structured methodology for conducting effective and focused threat hunts. It ensures that every hunt is aligned with an organization's specific needs and threat landscape. At the core of the PEAK framework are baseline hunts, which lay the foundation for proactive threat detection, alongside advanced techniques such as hypothesis-driven hunts and model-assisted threat hunts (M-ATH), which further enhance threat detection and mitigation.

**Baseline hunts: the foundation of proactive threat hunting**

Baseline hunts involve establishing a clear understanding of an organization’s normal operating environment in terms of user activity, network traffic and system processes. By documenting and analyzing this baseline, Talos IR can identify anomalous behavior that may signal malicious activity.

While these hunts can be a reactive measure, it's important to use them proactively to detect threats trying to blend in with regular operations, such as insider threats, advanced persistent threats (APTs) and even novel attack techniques that might otherwise go undetected.

The key steps in baseline hunts are:

1.  Defining Normal Activity: Understanding what “normal” looks like in your environment, using data from system logs, user behavior, and network traffic.
2.  Anomaly Detection: Proactively hunting for deviations from the baseline that could indicate potential threats.
3.  Refining the Baseline: Continuously improving and updating the baseline to account for emerging threats and changes in your infrastructure.

**Hypothesis-driven hunts: Testing assumptions about threats**

In addition to baseline hunts, Talos IR also uses hypothesis-driven hunts to proactively test assumptions about potential threats. These hunts are guided by specific hypotheses or educated guesses about what attackers might be doing in a given environment. Rather than relying on a static, one-size-fits-all approach without adjustments, hypothesis-driven hunts are dynamic, adapting to the specific questions and emerging threats that arise.

For example, a hypothesis-driven hunt might begin with the assumption that a particular group of users is being targeted by a phishing campaign. The hunt would focus on testing this assumption by looking for evidence of malicious emails, unusual login patterns or attempts to collect or exfiltrate data.

The key steps in hypothesis-driven hunts are:

1.  Forming Hypotheses: Based on threat intelligence and past incidents, teams generate specific hypotheses about possible attack vectors or adversary behaviors.
2.  Testing Hypotheses: Using data sources such as endpoint telemetry, authentication logs or network traffic, the hypothesis is tested to see if evidence supports the theory.
3.  Analyzing Results: If the hypothesis is validated, further investigation is done to understand the full scope of the potential threat.

**Model-assisted threat hunts: Leveraging machine learning to find hidden threats**

Another powerful tool in Talos IR’s proactive hunting approach is model-assisted threat hunts (M-ATHs). These hunts leverage machine learning and advanced statistical models to sift through vast amounts of data and identify patterns that may indicate hidden threats. M-ATHs allow our team to detect threats that would be difficult to find using traditional methods.

Machine learning models are trained to detect suspicious behavior across different domains — such as user activity, network traffic or system logs — by looking for deviations from typical patterns. Over time, as these models learn from new data and threat intelligence, they improve in their ability to detect emerging threats.

The key steps in M-ATHs are:

1.  Data Collection: Gathering large datasets from multiple sources, including network traffic, endpoint data, authentication logs, and more.
2.  Model Training: Using machine learning algorithms to identify patterns in normal and malicious behavior.
3.  Anomaly Detection: The trained model helps identify new, previously undetected anomalies or potential threats by looking for deviations from established patterns.
4.  Refinement: The model is refined as new data is collected and analyzed, improving its ability to detect subtle threats.

**Empowering threat hunts with Talos Threat Intelligence**

A crucial element that enriches and empowers every Talos IR threat hunt is Talos Threat Intelligence. By integrating up-to-date, high-fidelity threat intelligence into our hunts, we enhance the accuracy, relevance, and speed of our investigations. Talos Threat Intelligence provides a continuous stream of data on emerging threats, attack trends and adversary tactics, which helps us refine hypotheses, adjust baselines and improve our machine learning models.

This intelligence is not just a complement to our hunting process; it is embedded in every stage. It helps guide our hypothesis-driven hunts, sharpens our baseline detections and feeds into the models we use for anomaly detection. With Talos Threat Intelligence, we ensure that every hunt is aligned with the latest threat landscape, empowering your team with the knowledge needed to stay one step ahead of attackers.

**Proactive engagements for IR Retainer customers**

For Talos IR Retainer customers, baseline hunts, hypothesis-driven hunts, and model-assisted threat hunts provide a valuable layer of ongoing, proactive support. These hunts help organizations detect and mitigate threats before they escalate into full-blown incidents. Our expert hunters work directly with your teams, ensuring that you stay ahead of evolving threats.

Some key benefits of these proactive engagements include:

*   Early Detection: Identifying abnormal activities that could signal a breach or malicious action, reducing the risk of an attack spreading.
*   Continuous Improvement: As we refine the baseline and hunting models, your security posture improves over time, allowing for faster and more accurate threat detection.
*   Actionable Insights: Proactive hunts deliver actionable intelligence that helps your teams strengthen their defenses, based on the latest threat trends and attack methods.

**Why it matters**

The cybersecurity landscape is constantly evolving, and traditional defensive methods alone are no longer sufficient. Threat actors are adept at blending malicious activity with normal operations, making it difficult to spot attacks using conventional means. By conducting baseline hunts, hypothesis-driven hunts and model-assisted threat hunts, Talos IR gives your organization the tools it needs to stay ahead of adversaries.

As new evidence is uncovered during a hunt, our team adapts and refines the investigation in real time — evolving the hypothesis, adjusting the scope or pivoting to new areas of focus based on what the data reveals.

If an active threat, adversary or malicious activity is detected during a hunt, Talos IR can dynamically pivot the engagement and escalate the situation to our 24/7 on-call Incident Response team. This ensures rapid response for containment, mitigation and eradication, effectively minimizing the potential impact of the threat.

Our Talos IR team collaborates seamlessly with the hunting team to deliver real-time support in identifying, isolating and neutralizing active threats. This integrated approach ensures your systems remain secure and prevents the threat from escalating further.

At Talos, our goal is to empower your team with the knowledge and tools to detect threats proactively, before they turn into incidents. Through our IR Retainer services, we provide continuous support to help you improve your security posture and stay one step ahead of emerging threats, all while leveraging the full power of Talos Threat Intelligence.

For more information about this service, download our At-a-Glance:

Proactive threat hunting with Talos IR

The communications app TeleMessage, which was spotted on former US national security adviser Mike Waltz's phone, has suspended “all services” as it investigates reports of at least one breach.

The messaging app used by at least one top Trump administration official has suspended its services following reports of hackers stealing data from the app. Smarsh, TeleMessage’s parent company, says it is now investigating the incident.

“TeleMessage is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation,” a Smarsh spokesperson told WIRED in a statement. “Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational.”

President Donald Trump's now-former national security adviser Mike Waltz was captured by a Reuters photographer last week using an unauthorized version of the secure communication app Signal—known as TeleMessage Signal or TM Signal—which allows users to archive their communications. Photos of Waltz using the app appear to show that he was communicating with other high-ranking officials, including Vice President JD Vance, US Director of National Intelligence Tulsi Gabbard, and US Secretary of State Marco Rubio.

Experts told WIRED on Friday that, by definition, TM Signal's archiving feature undermined the end-to-end encryption that makes the actual Signal communication app secure and private. 404 Media and independent journalist Micah Lee reported on Sunday that the app had been breached by a hacker. NBC News reported on Monday that it had reviewed evidence of an additional breach.

TeleMessage was founded in Israel in 1999 and was acquired last year by the US-based digital communications archiving company Smarsh. TeleMessage makes apparently unauthorized versions of popular communications apps that include archiving features for institutional compliance. But the company claims that its look-alikes have the same digital defenses as their legitimate counterparts, potentially giving users a false sense of security.

Waltz's app usage came under intense scrutiny last month after he appeared to have added the editor in chief of The Atlantic to a Signal group chat in which Trump administration officials discussed plans for a military operation. Dubbed SignalGate, the scandal ultimately preceded Waltz's ouster as national security adviser. President Trump said last week that he plans to nominate him to be ambassador to the United Nations.

TeleMessage apps are not approved for use under the US government's Federal Risk and Authorization Management Program, or FedRAMP, and yet they seem to be proliferating. Leaked data reportedly from TM Signal indicates that multiple US Customs and Border Protection agents may be using the Signal look-alike. When asked about the breach and whether CBP officers use TM Signal, the agency told WIRED, “We're looking into this.”

After a number of reports by Lee and 404 Media over the weekend, TeleMessage removed all content from its website on Saturday and took down its archiving service on Sunday.

“We are committed to transparency and will share updates as we are able,” the Smarsh statement adds. “We thank our customers and partners for their trust and patience during this time.”

Since the revelation last week that Waltz appeared to be using TM Signal, experts have feared that information shared on the app could jeopardize US national security.

Signal Clone Used by Mike Waltz Pauses Service After Reports It Got Hacked

This week on the Lock and Code podcast, we speak with Emanuel Maiberg and Jason Koebler about Overwatch, an AI chatbot tool sold to US police.

_This week on the Lock and Code podcast_…

“Heidi” is a 36-year-old, San Francisco-born, divorced activist who is lonely, outspoken, and active on social media. “Jason” is a shy, bilingual teenager whose parents immigrated from Ecuador who likes anime, gaming, comic books, and hiking.

Neither of them is real. Both are supposed to fight crime.

Heidi and Jason are examples of “AI personas” that are being pitched by the company Massive Blue for its lead product, Overwatch. Already in use at police departments across the United States, Overwatch can allegedly help with the identification, investigation, and arrest of criminal suspects.

Understanding exactly how the technology works, however, is difficult—both Massive Blue and the police departments that have paid Massive Blue have remained rather secretive about Overwatch’s inner workings. But, according to an investigation last month by 404 Media, Overwatch is a mix of a few currently available technologies packaged into one software suite. Overwatch can scan social media sites for alleged criminal activity, and it can deploy “AI personas”—which have their own social media accounts and AI-generated profile pictures—to gather intelligence by chatting online with suspected criminals.

According to an Overwatch marketing deck obtained by 404 Media, the software’s AI personas are “highly customizable and immediately deployable across all digital channels” and can take on the personalities of escorts, money launderers, sextortionists, and college protesters (who, in real life, engage in activity protected by the First Amendment).

Despite the variety of applications, 404 Media revealed that Overwatch has sparked interest from police departments investigating immigration and human trafficking. But the success rate, so far, is non-existent: Overwatch has reportedly not been used in the arrest of a single criminal suspect.

Today, on the Lock and Code podcast with host David Ruiz, we speak with 404 Media journalists and co-founders Emanuel Maiberg and Jason Koebler about Overwatch’s capabilities, why police departments are attracted to the technology, and why the murkiness around human trafficking may actually invite unproven solutions like AI chatbots.

 ”Nobody is going to buy that—that if you throw an AI chatbot into the mix, that’s somehow going to reduce gun crime in Americ,” Maiberg said. “But if you apply it to human trafficking, maybe somebody is willing to entertain that because, well, what is the actual problem with human trafficking? Where is it actually happening? Who is getting hurt by it? Who is actually committing it?”

He continued:

> “Maybe there you’re willing to entertain a high tech science fiction solution.”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Tag

#intel