Plus: A nominee to lead CISA emerges, Elon Musk visits the NSA, a renowned crypto cracking firm’s secret (and problematic) cofounder is revealed, and more.

Knifings, firebombings, shootings, and murder-for-hire plots—all linked to a splinter group of the 764 crime network called “No Lives Matter.” According to its own manifesto, the group seeks to “purify mankind through endless attacks” and has released at least two “kill guides” tied to violent plots in the US and Europe. Intelligence documents reviewed by WIRED reveal growing concern among analysts, but experts remain unsure how to stop the group’s spread.

On Monday, X experienced intermittent outages after a botnet flooded the social network with junk traffic in an attempt to take down its system. Elon Musk stated that the distributed denial-of-service attack originated from Ukrainian IP addresses, implying that the country—already under siege by a Russian invasion and frequently mocked by the centibillionaire—may have been responsible. Security experts tell WIRED that this is not how DDoS attacks work.

Meanwhile, inside the Cybersecurity and Infrastructure Security Agency, mass layoffs are hurting US cyberdefense, weakening protections against foreign adversaries. Vital staff cuts have left employees overworked and strained international partnerships, according to interviews with staff at the agency that helps safeguard cities, businesses, and nonprofits from cyberattacks. “A lot of people are scared,” says one employee. “We’re waiting for that other shoe to drop. We don't know what's coming.” As WIRED takes you inside the agencies at the center of the uncertainty and chaos of the second Trump administration, we've updated our quick and easy guide to using Signal to help you get the most out of the messaging app’s end-to-end encryption.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Those “green bubbles,” the cross-platform text messages that annoy iPhone owners and keep Android users relegated to a group-chat underclass, aren’t just a cultural disconnect. They’re also a security issue: Text messages sent between Android and iOS devices—unlike blue-bubble iMessage texts or Android-to-Android messages—aren’t end-to-end encrypted, leaving them open to surveillance or interception. Now, that may finally be changing.

The GSM Association, responsible for many widely used telecom standards, this week announced that its Rich Communication Services (or RCS) protocol will now support end-to-end encryption for cross-platform texting, and Apple revealed that it will now integrate that feature of RCS into its iOS devices. Until now, Apple and Google had both supported RCS’s other features in texts sent between iOS and Android, but not end-to-end encryption, which ensures that only the devices sending and receiving messages can decrypt them and not any server or snoop that sees them in transit.

Neither Apple nor the GSMA has said exactly when the new privacy features are launching. Until then, anyone sending cross-platform messages would be wise to stick with apps like WhatsApp or Signal that have long provided end-to-end encryption—and have also helped Android and iPhone users avoid personal disputes over bubble colors.

**Sean Plankey Nominated as Head of CISA, America’s Top Cybersecurity Agency**

The White House has tapped Sean Plankey to run CISA, the agency within the Department of Homeland Security primarily responsible for American digital defense. Plankey, long considered the leading contender for the role, served in multiple cybersecurity positions in the first Trump administration and previously held senior roles in US Cyber Command. In that DOD agency focused on cyber offense, he served as a weapons and tactics branch chief and earned a Bronze Star for hacking operations in Afghanistan. CISA, like many federal agencies, has faced hundreds of personnel cuts in recent weeks, and its previous director, Chris Krebs, came under harsh criticism under the previous Trump administration for the agency’s work to counter disinformation and secure elections. Krebs was fired in a Trump tweet near the end of his term after CISA described the 2020 election, whose results Trump baselessly contested, as the “most secure in American history.”

**Elon Musk Visits the National Security Agency**

Not even the National Security Agency has been spared from Elon Musk’s scorched-earth campaign to gut the federal government. On Wednesday, The Wall Street Journal reported that Musk had visited the intelligence agency in Fort Meade, meeting with leadership to discuss staff reductions and operational changes, according to current and former US officials who spoke to the Journal.

Despite being one of the most insulated branches of US intelligence, the NSA has still found itself pulled into Musk’s orbit. The visit to Fort Meade is another sign of the sweeping nature of his influence and the extraordinary access the world’s richest man has been granted over even the most secretive federal operations.

Last month, staff at the intelligence agency received emails offering deferred resignations, signaling impending changes. Then, a week ahead of his visit, Musk publicly called for an overhaul of the intelligence and cybersecurity agency. Posting to his social media site X, Musk wrote, “The NSA needs an overhaul,” alongside an apparent agency recruitment graphic featuring a group of college-aged people of color and a list of universities where the NSA was conducting outreach—seemingly mocking the agency’s recruitment efforts.

**A Buzzy Crypto Cracking Firm Had a Hidden CoFounder Accused of Sexual Assault**

The cryptocurrency recovery firm Unciphered has made headlines with its feats of whitehat wallet cracking on behalf of customers who have lost access to their cryptocurrency fortunes. In the fall of 2023, for instance, the company cracked a model of encrypted IronKey USB drive believed to hold 7,000-plus bitcoins now worth well over half a billion dollars. Now, The Washington Post reports that one of the cofounders of that company was Morgan Marquis-Boire, a once-lauded hacker and security researcher for Google and Citizen Lab who was later accused of sexually assaulting multiple women. The reported involvement of Marquis-Boire, who has largely disappeared from the cybersecurity world after facing the sex crime accusations in 2017, was kept secret from even many of the startup’s staff, and the revelations of his role have left the company in “disarray,” according to the Post.

**A Reporter Behind an Indian Hacker-for-Hire Story Is Fighting to Regain His Citizenship**

In November of 2023, Raphael Satter was one of a team of Reuters reporters who published an in-depth feature on Appin Technology, a startup that allegedly hacked numerous celebrity and civil society targets on behalf of clients. A group with a similar name responded by suing, and obtained a court ruling that for a time successfully censored Reuters’ story—a remarkable case of an Indian judge restricting free speech internationally. Satter is now fighting a different battle following publication of that story. In late 2023, his Overseas Citizen of India (OCI) card—a kind of international citizenship extended to foreign citizens of Indian origin and those married to Indians—was revoked around the same time as the judge filed the injunction. A letter sent to Satter in December of that year accused him of “maliciously creating adverse and biased opinion against Indian institutions in the international arena.” Satter is now petitioning a Delhi court to reverse that revocation, which has prevented him from entering India to visit family there.

End-to-End Encrypted Texts Between Android and iPhone Are Coming

The UK, France, Sweden, and EU have made fresh attacks on end-to-end encryption. Some of the attacks are more “crude” than those in recent years, experts say.

Over the past decade, encrypted communication has become the norm for billions of people. Every day, Signal, iMessage, and WhatsApp keep billions of messages, photos, videos, and calls private by using end-to-end encryption by default—while Zoom, Discord, and various other services all have options to enable the protection. But despite the technology’s mainstream rise, long-standing threats to weaken encryption keep piling up.

Over the past few months, there has been a surge in government and law enforcement efforts that would effectively undermine encryption, privacy advocates and experts say, with some of the emerging threats being the most “blunt” and aggressive of those in recent memory. Officials in the UK, France, and Sweden have all made moves since the start of 2025 that could undermine or eliminate the protections of end-to-end encryption, adding to a multiyear European Union plan to scan private chats and Indian efforts that could damage encryption.

These latest assaults on encryption come as intelligence agencies and law enforcement officials in the United States have recently backtracked on years of anti-encryption attitudes and now recommend that people use encrypted communication platforms whenever they can. The drastic shift in attitude followed the China-backed Salt Typhoon hacker group’s widespread breach of major US telecoms, and it comes as the second Trump administration ramps up potential surveillance of millions of undocumented migrants living in the US. Simultaneously, the administration has been straining longtime, crucial international intelligence-sharing agreements and partnerships.

“The trend is bleak,” says Carmela Troncoso, a longtime privacy and cryptography researcher and the scientific director at the Max-Planck Institute for Security and Privacy in Germany. “We see these new policies coming up as mushrooms trying to undermine encryption.”

End-to-end encryption is designed so only the sender and receiver of messages have access to their contents—governments, tech companies, and telecom providers can’t snoop on what people are saying. Those privacy and security guarantees have made encryption a target for law enforcement and governments for decades, because officials claim that the protection makes it prohibitively difficult to investigate urgent threats such as child sexual abuse material and terrorism.

As a result, governments around the world have frequently proposed technical mechanisms to bypass encryption and allow access to messages for investigations. Cryptographers and technologists have repeatedly and definitively warned, though, that any backdoor created to access end-to-end encrypted communications could be exploited by hackers or authoritarian governments, compromising everyone’s safety. Additionally, it is likely that criminals would find ways to continue to use self-made encryption tools to conceal their messages, meaning that backdoors in mainstream products would succeed at undermining protections for the public without eliminating its use by bad actors.

Broadly, the recent threats to encryption have come in three forms, says Namrata Maheshwari, the encryption policy lead at international nonprofit Access Now. First, there are those where governments or law enforcement agencies are asking for backdoors to be built into encrypted platforms to gain “lawful access” to content. At the end of February, for example, Apple pulled its encrypted iCloud backup system, called Advanced Data Protection, from use in the UK after the country’s lawmakers reportedly hit the Cupertino company with a secret order demanding Apple provide access to encrypted files. To do so, Apple would have had to create a backdoor. The order, which has been criticized by the Trump administration, is set to be challenged in a secret court hearing on March 14.

Meanwhile, lawmakers in Sweden are also considering legislation that would require encrypted messaging companies, such as Signal and WhatsApp, to keep copies of messages that people send on their platforms so they could allow law enforcement to access suspects’ histories. Signal has said it would pull out of Sweden if the potential law goes ahead. While in France earlier this year, a proposed amendment to a drug trafficking law outlined plans to require encrypted messaging services to hand over decrypted chat messages within 72 hours of a request or face fines of up to 2 percent of annual global revenue. This week, the proposal was reportedly scrapped, while some politicians said they supported the idea.

“We’re seeing some democracies revert back to very crude approaches to circumventing encryption that we maybe thought were something of the past,” Callum Voge, the director of governmental affairs and advocacy at nonprofit Internet Society, says of efforts that could require a backdoor to be created.

In January, the head of EU law enforcement agency Europol told the Financial Times that tech companies have a “social responsibility” to provide access to encrypted messages. “Anonymity is not a fundamental right,” Catherine De Bolle told the publication. The comments expanded upon a previous statement from European police chiefs saying “we do not accept that there need be a binary choice between cybersecurity or privacy on the one hand and public safety on the other.”

The second threat, Maheshwari says, relates to an increase in proposals related to a technology known as “client-side scanning.” The process, which is sometimes called “on-device scanning,” involves scanning messages locally on a person’s device before they are encrypted, and comparing them against a database of prohibited content that is held elsewhere. Client-side scanning is an effort to contort encryption backdoors into something more palatable to privacy proponents by keeping people’s personal data on their own devices.

Ultimately, though, cryptographers and digital rights advocates have repeatedly warned that client-side scanning does not sidestep the fundamental dangers posed by creating a way for a third party to access encrypted data. The Internet Society’s Voge describes such efforts as a more “sophisticated” way that democracies have been trying to circumvent encryption in recent years.

For instance, politicians in the EU have been fiercely debating plans to scan billions of messages for potential child sexual abuse material using client-side scanning for more than three years. The unresolved debates have proved highly controversial, with multiple countries pushing to weaken encryption. “Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types,” Apple officials said in a letter first reported by WIRED in August 2023, after the company ditched its own, separate plans to introduce a form of client-side scanning on iPhones.

“It’s very divided in Europe, \[there are\] countries strongly in favor of scanning and countries strongly against it as well,” Voge says of the EU’s long-running chat monitoring plans. In May 2023, WIRED obtained leaked documents that stated many European countries’ positions on encryption. At the time, Spanish officials said they would like to prevent end-to-end encryption entirely in the EU, while many others were in favor of scanning people’s messages. Other countries, such as Germany, were against weakening encryption. Dutch political documentation says the country’s intelligence agency, AIVD, considers client-side scanning to be “too great a security risk for the digital resilience of the Netherlands.”

Finally, Maheshwari says, there is always the looming threat of potential bans or blocks for encrypted services. Toward the end of 2024, Russian officials blocked access to Signal amid the country’s ongoing full-scale war against Ukraine and widescale efforts to censor and control information environments. India has an ongoing lawsuit against WhatsApp, which could threaten its ability to operate in the country or necessitate that the platform retreat from end-to-end encryption in that market. Maheshwari also points out that while all virtual private networks do not specifically use end-to-end encryption, India has already banned multiple VPN services.

While each potential proposal that could undermine encryption is slightly different, the Internet Society’s Voge says that they’ve been met with some “stronger” pro-encryption voices coming from government or law enforcement services around the world, particularly when it comes to protecting national security.

In December, two officials from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, encouraged more people to use encrypted communications systems after China’s Salt Typhoon hackers gained deep access to US telecoms providers, exposing unencrypted calls and texts. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” one of the officials said.

Voge points out that as well as CISA and the FBI’s calls to use encrypted messaging, the Swedish armed forces has specifically cleared Signal for use with unclassified material, saying it can stop messages and calls from being intercepted by third parties.

Ahead of the UK’s March 14 legal hearing about the backdoor order reportedly made to Apple, US senators and privacy groups urged there to be more transparency about the demands and the risks to global encryption it presents. A bipartisan group of five members of Congress said the “cloak of secrecy” should be removed.

UK civil liberties groups Privacy International and Liberty also filed legal challenges over the secrecy of the proceedings. “While the UK Government seems to have come for Apple today, tomorrow it may be any other big tech companies, such as Google and Microsoft, and the day after it could be Signal, your VPN Provider, Proton and others,” Privacy International said in a statement.

Ultimately, Access Now’s Maheshwari says, efforts to defend encryption will almost certainly continue, as they have for decades, to protect people’s human rights.

“Encryption right now is exceptionally important because it's a crucial enabler of the full spectrum of human rights,” Maheshwari says. “It’s not just privacy. It is what enables you to speak freely, to exercise your freedom of expression, to organize, to assemble, to associate.”

A New Era of Attacks on Encryption Is Starting to Heat Up

February 2025 saw a record 126% surge in ransomware attacks, with Cl0p leading the charge. Hackers exploited file…

February 2025 saw a record 126% surge in ransomware attacks, with Cl0p leading the charge. Hackers exploited file transfer flaws, infostealers, and AI-driven tactics, reveals Bitdefender’s latest Threat Debrief report.

Cybersecurity just reached a new milestone; and not in a good way. According to Bitdefender’s latest Threat Debrief report, February 2025 was the worst month in history for ransomware attacks, with a 126% increase in claimed victims compared to the same period last year.

This surprising jump saw the number of victims soar from 425 in February 2024 to a staggering 962 in February 2025. The massive surge in ransomware attacks occurred despite the United States-led alliance of 40 countries, announced in November 2023, aimed at dismantling ransomware gangs and their infrastructure. The initiative focused on disrupting payments, taking down infrastructure, and enhancing intelligence sharing.

****Clop (Cl0p) Ransomware at Its Peak****

According to Bitdefender’s report shared with Hackread.com ahead of publishing on Thursday, Cl0p ransomware group Clop was responsible for more than a third of the attacks, claiming 335 victims in just one month. This makes a 300% increase from the previous month.

So, what’s behind this sudden rise in attacks? Cybersecurity experts point to a new trend that’s not so new: attackers are increasingly targeting vulnerabilities in edge network devices, such as file transfer systems and remote access tools.

Instead of focusing on specific industries, these opportunistic hackers are scanning the internet for easily exploitable flaws and launching automated attacks. For example, the Cl0p ransomware gang is notorious for exploiting vulnerabilities in MOVEit, a managed file transfer (MFT) software, with the highest frequency in 2023. The group stole so much data through MOVEit vulnerabilities that it launched a clearnet website to leak stolen information from victims worldwide.

In December 2024, Cl0p also announced exploiting security vulnerabilities in Cleo’s managed file transfer software, specifically targeting Cleo Harmony, VLTrader, and LexiCom products. Bitdefender’s Threat Debrief report also spotted Cl0p’s exploitation of Cleo vulnerabilities, especially CVE-2024-50623 and CVE-2024-55956 both rated 9.8 out of 10 in severity.

Both flaws allow attackers to execute commands remotely on compromised systems and were disclosed late last year. Despite patches being available, many organizations failed to update their systems in time, leaving them wide open to exploitation leading to the surge in victims seen in February 2025.

The illustration highlights the rapid pace at which ransomware gangs exploit vulnerabilities and shift to new targets. (Credit: Ditdefender)

****Other Notable Developments in the Ransomware World****

Beyond the record-breaking numbers, Bitdefender researchers noticed several other noteworthy trends in February 2025 including:

****FunkSec’s New Infostealer****

FunkSec, a growing ransomware group, released Wolfer, a tool designed to extract sensitive information from infected machines. It communicates with a Telegram bot to gather system details, Wi-Fi passwords, and more.

A ransomware gang using infostealers is bad news, especially as researchers recently found that cybercriminals are successfully breaching U.S. national security with infostealers as cheap as $10. Even high-security institutions like the military and the FBI have had their systems compromised, with access being sold on the dark web.

****Black Basta Gets Analyzed by AI****

On February 11, 2025, the notorious Black Basta ransomware gang had its internal chats leaked. These chats contained over 200,000 Russian-language messages. Hudson Rock’s researchers created a chatbot called BlackBastaGPT to sift through the chat logs.

Insights revealed details about their profits, use of deepfake technology, and internal conflicts. The group’s leader emphasized avoiding detection by using built-in system tools, a tactic known as “living off the land.”

****Ghost Ransomware Under Scrutiny****

A joint advisory from CISA highlighted Ghost (also known as Cring), a China-based ransomware operation exploiting older but still unpatched vulnerabilities. Recommendations include patching affected software, segmenting networks, and backing up data regularly.

****Akira’s Webcam Hack****

The Akira ransomware gang found a creative way to bypass security by hijacking a victim’s webcam. Since the device ran Linux and wasn’t monitored closely, it became the perfect launchpad for encrypting files across the network undetected.

****Top 10 Companies Most Targeted by Ransomware Gangs****

The United States, Canada, the UK, Germany, and other developed nations remain the biggest targets of ransomware groups. These countries are highly vulnerable due to their reliance on connected edge devices, cloud infrastructure, and critical business data.

In total, these are the top 10 companies most targeted by ransomware gangs:

1.  USA
2.  Canada
3.  The UK
4.  Germany
5.  France
6.  Australia
7.  Brazil
8.  Mexico
9.  Italy
10.  Sweden

For those looking to understand the full scope of modern ransomware operations and how to fight back, Bitdefender has published a comprehensive whitepaper detailing current attack methods and defence strategies. You can access it here.

Ransomware Hits Record High: 126% Surge in Attacks in February 2025

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed a Miniaudio and three Adobe vulnerabilities.  
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    
For Snort coverage

Thursday, March 13, 2025 14:23

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed a Miniaudio and three Adobe vulnerabilities.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

**Miniaudio out-of-bounds write vulnerability **

_Discovered by Emmanuel Tacheau of Cisco Talos._   

TALOS-2024-2063 (CVE-2024-41147) is an out-of-bounds write vulnerability in Miniaudio, a lightweight, single-file audio playback and capture library written in C. A missing allocation size check can cause a buffer overflow, leading to this out-of-bounds write. This vulnerability can be triggered by a specially crafted FLAC file, resulting in a memory corruption when in playback mode. The application sends raw audio data to Miniaudio, which is then played back through the default playback device as defined by the operating system. 

**Adobe Acrobat out-of-bounds write vulnerability **

_Discovered by KPC of Cisco Talos._   

TALOS-2025-2134 (CVE-2025-27163) and TALOS-2025-2136 (CVE-2025-27164) are out-of-bounds read vulnerabilities in the font functionality, which can lead to disclosure of sensitive information. TALOS-2025-2135 (CVE-2025-27158) is a memory corruption vulnerability, stemming from an uninitialized pointer in the font functionality of Adobe Acrobat, which can potentially lead to arbitrary code execution. A specially crafted font file embedded into a PDF can trigger these vulnerabilities. An attacker needs to trick the user into opening a malicious file.

Miniaudio and Adobe Acrobat Reader vulnerabilities

Cary, North Carolina, 13th March 2025, CyberNewsWire

**Cary, North Carolina, March 13th, 2025, CyberNewsWire**

As Artificial Intelligence (AI)-powered cyber threats surge, INE Security, a global leader in cybersecurity training and certification, is launching a new initiative to help organizations rethink cybersecurity training and workforce development. The company warns that AI is reshaping both the threat landscape and the skills required for cybersecurity professionals. While AI offers significant advantages in cyber defense, organizations must ensure their teams are properly trained to leverage it effectively without becoming overly reliant on automation.

> “The rise of AI in cybersecurity isn’t just a challenge—it’s an opportunity,” said Dara Warn, CEO of INE Security. “By training cybersecurity professionals properly, AI can be leveraged to filter noise, reduce burnout, and increase efficiency. However, if we don’t train people to understand the ‘why’ behind AI-driven decisions, we risk a future where cybersecurity professionals are blindly following AI without the expertise to think critically beyond it.”

**AI as a Force Multiplier: Improving SOC Efficiency and Threat Detection**

AI-driven security tools are improving the signal-to-noise ratio, making Security Operations Centers (SOCs) more efficient by reducing false positive alerts—an area cybersecurity tools have been refining for over a decade. AI can prioritize critical threats, allowing analysts to focus on real dangers rather than wasting time investigating false alarms.

> “AI is making threat detection smarter, but it’s not foolproof,” said Tracy Wallace, Director of Content at INE Security. “Security professionals need to be trained to work alongside AI, not just follow its outputs. AI is great at reducing alert fatigue, but analysts still need the expertise to investigate, interpret, and respond to threats accurately.”

**Generative AI: A Double-Edged Sword for Cybersecurity Talent**

One of the most promising yet complex aspects of AI’s rise is its impact on the cybersecurity workforce. On one hand, generative AI will lower the barrier to entry, allowing more professionals to enter the cybersecurity field and reducing the global labor shortage. 

> However, this shift also presents risks. “The concern isn’t that AI is making cybersecurity easier,” said Wallace. “The concern is that if professionals become too dependent on AI outputs, they won’t develop the critical-thinking skills necessary to work beyond what the AI gives them. Organizations must ensure that cybersecurity training teaches professionals not just how to use AI but how to work independently of it when needed.”

**The Data Privacy Dilemma: AI and LLM Security Risks**

Another concern in AI-driven cybersecurity is data privacy and security risks with large language models (LLMs). While concerns over data leakage with cloud-based AI models are growing, this isn’t a new challenge—it’s an evolution of longstanding security principles. Organizations must ensure AI-powered security solutions do not require external data sharing.

> “As AI becomes more deeply integrated into cybersecurity operations, privacy-first security architectures are crucial,” said Wallace. “Organizations need AI models that can operate securely without exposing sensitive data to external systems.”

**The Future of AI Security Training: Agentic Architectures and AI-Driven Automation**

Looking ahead, Agentic AI architectures are becoming a hot topic in cybersecurity. While some view it as buzzword hype, there is real potential for AI-driven security agents that autonomously investigate threats, adjust defenses in real-time, and improve security workflows with minimal human intervention.

> However, automation must be carefully balanced. “Agentic AI might be the future, but we can’t let it replace hands-on expertise and human decision-making,” said Warn. “Security professionals must be trained to interpret AI-driven insights, make judgment calls, and recognize when AI is wrong.”

**Training as the Solution: INE Security’s AI-Powered Cybersecurity Curriculum**

To close the cybersecurity skills gap and help professionals work effectively with AI, INE Security is working to expand its AI-driven training programs. These programs will focus on:

*   **AI-Driven Threat Analysis** – Training security teams to interpret AI-generated threat intelligence and reduce false positives.
*   **Machine Learning for Cyber Defense** – Teaching professionals how AI-powered security models work and how attackers exploit AI vulnerabilities.
*   **Generative AI in Cybersecurity** – Helping cybersecurity teams understand the risks and benefits of AI-generated attacks and defenses.
*   **Hands-On AI Security Labs** – Simulating real-world AI-powered attacks and training professionals on how to counter them manually and with AI assistance.

> “Our end goal is not just to train security professionals how to use AI but to train them how to think critically in an AI-driven world,” said Wallace. 

**The Call to Action: Prepare for AI-Driven Threats Now**

With AI transforming cybersecurity threats at an unprecedented pace, INE Security urges companies to:

*   Train their cybersecurity teams on AI-driven tools, while ensuring they develop critical problem-solving skills.
*   Prioritize AI-powered security solutions that enhance, not replace, human expertise.
*   Implement privacy-first AI models that reduce data exposure risks**.**

> “The AI revolution in cybersecurity is here,” concluded Warn. “Organizations that act now—by investing in security training, developing cybersecurity talent, and understanding how AI truly impacts the field—will be the ones leading the industry forward. The future of cybersecurity belongs to those who train for it.”

**About INE Security**

INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers, offering both Red Team training and Blue Team training. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Security Alert: Using AI-Driven Cybersecurity Training to Counter Emerging Threats

Employees at the Cybersecurity and Infrastructure Security Agency tell WIRED they’re struggling to protect the US while the administration dismisses their colleagues and poisons their partnerships.

Mass layoffs and weak leadership are taking a severe toll on the US government’s cyber defense agency, undermining its ability to protect America from foreign adversaries bent on crippling infrastructure and ransomware gangs that are bleeding small businesses dry.

Inside the Cybersecurity and Infrastructure Security Agency, vital support staff are gone, international partnerships have been strained, and workers are afraid to discuss threats to democracy that they’re now prohibited from countering. Employees are even more overworked than usual, and new assignments from the administration are interfering with important tasks. Meanwhile, CISA’s temporary leader is doing everything she can to appease President Donald Trump, infuriating employees who say she’s out of touch and refusing to protect them.

“You've got a lot of people who … are looking over their shoulder as opposed to looking at the enemy right now,” says one CISA employee.

As the Trump administration’s war on the federal bureaucracy throws key agencies into chaos, CISA’s turmoil could have underappreciated consequences for national security and economic prospects. The agency, part of the Department of Homeland Security, has steadily built a reputation as a nonpartisan source of funding, guidance, and even direct defensive support for cities, businesses, and nonprofits reeling from cyberattacks. That mission is now under threat, according to interviews with seven CISA employees and another person familiar with the matter, all of whom requested anonymity to avoid reprisals.

“Our enemies are not slowing their continuous assaults on our systems,” says Suzanne Spaulding, who led CISA’s predecessor during the Obama administration. “We need all hands on deck and focused, not traumatized and distracted.”

**Talent Exodus**

CISA’s mission has grown significantly since its creation in 2018. Established mainly to defend government networks, the agency increasingly embraced new roles supporting private companies and state governments, advocating for secure software, and cooperating with foreign partners. This helped CISA raise its profile and gain credibility. But now, following several rounds of layoffs and new restrictions from the Trump administration, the agency is struggling to sustain its momentum.

The extent of the cuts at CISA is still unclear—employees are only learning about the loss of colleagues through word of mouth—but multiple employees estimate that, between the layoffs and the Office of Personnel Management’s deferred-resignation program, CISA has lost between 300 and 400 staffers—roughly 10 percent of its 3,200-person workforce. Many of those people were hired through DHS’s Cybersecurity Talent Management System (CTMS), a program designed to recruit experts by competing with private-sector salaries. As a result, they were classified as probationary employees for three years, making them vulnerable to layoffs. These layoffs at CISA also hit longtime government workers who had become probationary by transferring into CTMS roles.

Key employees who have left include Kelly Shaw, who oversaw one of CISA’s marquee programs, a voluntary threat-detection service for critical infrastructure operators; David Carroll, who led the Mission Engineering Division, the agency’s technological backbone; and Carroll’s technical director, Duncan McCaskill. “We've had a very large brain drain,” an employee says.

The departures have strained a workforce that was already stretched thin. “We were running into \[a\] critical skills shortage previously,” says a second employee. “Most people are and have been doing the work of two or more full-time \[staffers\].”

The CISA team that helps critical infrastructure operators respond to hacks has been understaffed for years. The agency added support positions for that team after a Government Accountability Office audit, but “most of those people got terminated,” a third employee says.

CISA’s flagship programs have been mostly unscathed so far. That includes the threat-hunting branch, which analyzes threats, searches government networks for intruders, and responds to breaches. But some of the laid-off staffers provided crucial “backend” support for threat hunters and other analysts. “There's enhancements that could be made to the tools that they're using,” the first employee says. But with fewer people developing those improvements, “we're going to start having antiquated systems.”

In a statement, DHS spokesperson Tricia McLaughlin says CISA remains “committed to the safety and security of the nation’s critical infrastructure” and touted “the critical skills that CISA experts bring to the fight every day.”

National Security Council spokesperson James Hewitt says the reporting in this story is “nonsense,” adding that “there have been no widespread layoffs at CISA and its mission remains fully intact.”

“We continue to strengthen cybersecurity partnerships, advance AI and open-source security, and protect election integrity,” Hewitt says. “Under President Trump’s leadership, our administration will make significant strides in enhancing national cybersecurity.”

**Partnership Problems**

CISA’s external partnerships—the cornerstone of its effort to understand and counter evolving threats—have been especially hard-hit.

International travel has been frozen, two employees say, with trips—and even online communications with foreign partners—requiring high-level approvals. That has hampered CISA’s collaboration with other cyber agencies, including those of “Five Eyes” allies Canada, Australia, New Zealand, and the UK, staffers say.

CISA employees can’t even communicate with people at other federal agencies the way they used to. Previously routine conversations between CISA staffers and high-level officials elsewhere now need special permissions, slowing down important work. “I can’t reach out to a CISO about an emergency situation without approval,” a fourth employee says.

Meanwhile, companies have expressed fears about sharing information with CISA and even using the agency’s free attack-monitoring services due to DOGE’s ransacking of agency computers, according to two employees. “There is advanced concern about all of our services that collect sensitive data,” the third employee says. “Partners \[are\] asking questions about what DOGE can get access to and expressing concern that their sensitive information is in their hands.”

“The wrecking of preestablished relationships will be something that will have long-lasting effects,” the fourth employee says.

CISA’s Joint Cyber Defense Collaborative, a high-profile hub of government-industry cooperation, is also struggling. The JCDC currently works with more than 300 private companies to exchange threat information, draft defensive playbooks, discuss geopolitical challenges, and publish advisories. The unit wants to add hundreds more partners, but it has “had difficulty scaling this,” the first employee says, and recent layoffs have only made things worse. Contractors might be able to help, but the JCDC’s “vendor support contracts run out in less than a year,” the employee says, and as processes across the government have been frozen or paused in recent weeks, CISA doesn’t know if it can pursue new agreements. The JCDC doesn't have enough federal workers to pick up the slack, the fourth CISA employee says.

With fewer staffers to manage its relationships, the JCDC confronts a perilous question: How should it focus its resources without jeopardizing important visibility into the threat landscape? Emphasizing ties with major companies might be more economical, but that would risk overlooking mid-sized firms whose technology is quietly essential to vital US industries.

“CISA continuously evaluates how it works with partners,” McLaughlin says, “and has taken decisive action to maximize impact while being good stewards of taxpayer dollars and aligning with Administration priorities and our authorities.”

**Gutting Security Advocacy**

Other parts of CISA’s mission have also begun to atrophy.

During the Biden administration, CISA vowed to help the tech industry understand and mitigate the risks of open-source software, which is often poorly maintained and has repeatedly been exploited by hackers. But since Trump took office, CISA has lost the three technical luminaries who oversaw that work: Jack Cable, Aeva Black, and Tim Pepper. Open-source security remains a major challenge, but CISA’s efforts to address that challenge are now rudderless.

The new administration has also frozen CISA’s work on artificial intelligence. The agency had been researching ways to use AI for vulnerability detection and networking monitoring, as well as partnering with the private sector to study AI risks. “About 50 percent of \[CISA’s\] AI expert headcount has been let go,” says a person familiar with the matter, which is “severely limiting” CISA’s ability to help the US Artificial Intelligence Safety Institute test AI models before deployment.

The administration also pushed out CISA’s chief AI officer, Lisa Einstein, and closed down her office, the person familiar with the matter says. Einstein’s team oversaw CISA’s use of AI and worked with private companies and foreign governments on AI security.

A large team of DHS and CISA AI staffers was set to accompany Vice President JD Vance to Paris in February for an AI summit, but those experts “were all pulled back” from attending, according to a person familiar with the matter.

**‘Nefarious’ Retribution**

CISA staffers are still reeling from the agency’s suspension of its election security program and the layoffs of most people who worked on that mission. The election security initiative, through which CISA provided free services and guidance to state and local officials and worked with tech companies to track online misinformation, became a target of right-wing conspiracy theories in 2020, which marked it for death after Trump’s return to the White House.

The program—on hold pending CISA’s review of a recently completed internal assessment—was a tiny part of CISA’s budget and operations, but the campaign against it has alarmed agency employees. “This is definitely in the freak-out zone,” says the first employee, who adds that CISA staffers across the political spectrum support the agency’s efforts to track online misinformation campaigns. “All of us recognize that this is a common deception tactic of the enemy.”

The election security purge rippled across the agency, because some of the laid-off staffers had moved from elections to other assignments or were simultaneously working on both missions. Geoff Hale, who led the elections team between 2018 and 2024, was serving as the chief of partnerships at the JCDC when he was placed on administrative leave, setting off a scramble to replace him.

The removal of Hale and his colleagues “was the start to a decline in morale” at CISA, according to the second employee. Now, staffers are afraid to discuss certain topics in public forums: “No one's going to talk about election security right now,” the first employee says.

“The fact that there’s retribution from the president … is kind of frightening,” this employee adds. “A very nefarious place to be.”

**Abandoned and Demoralized**

The layoffs, operational changes, and other disruptions at CISA have severely depleted morale and undermined the agency’s effectiveness. “Even simple tasks feel hard to accomplish because you don't know if your teammates won't be here tomorrow,” says the fourth employee.

The biggest source of stress and frustration is acting CISA director Bridget Bean, a former Trump appointee who, employees say, appears eager to please the president even if it means not defending her agency. Bean “just takes whatever comes down and implements \[it\] without thought of how it will affect \[CISA’s\] mission,” the fifth employee says. Employees describe her as a poor leader and ineffective communicator who has zealously enacted Trump’s agenda. In town-hall meetings with employees, Bean has said CISA must carefully review its its authorities and urged staffers to “assume noble intent” when dealing with Trump officials. While discussing Elon Musk’s mass-buyout program, she allegedly said, “I like to say ‘Fork in the Road’ because it's kind of fun,.” according to the fourth employee. She was so eager to comply with Musk’s “What did you do last week?” email that she instructed staffers to respond to it before DHS had finalized its department-wide approach. DHS later told staff not to respond, and Bean had to walk back her directive.

“Bean feels like she's against the workforce just to please the current administration,” the second employee says. The fourth employee describes her as “not authentic, tone-deaf, spineless, \[and\] devoid of leadership.”

McLaughlin, the DHS spokesperson, says CISA “is not interested in ad hominem attacks against its leadership,” which she says “has doubled down on openness and transparency with the workforce.”

The return-to-office mandate has also caused problems. With all employees on-site, there isn’t enough room in CISA’s offices for the contractors who support the agency’s staff. That has made it “very difficult” to collaborate on projects and hold technical discussions, according to the first employee. “There wasn’t much thought about \[RTO’s\] impact to operations,” says the fourth employee. According to a fifth employee, “executing some of our sensitive operations is now harder.” (“CISA has worked tirelessly to make the return to office as smooth as possible from space to technology,” McLaughlin says.)

Employees are dealing with other stressors, too. They have no idea who’s reading their Musk-mandated performance reports, how they’re being evaluated, or whether AI is analyzing them for future layoffs. And there’s a lot of new paperwork. “The amount of extra shit we have to do to comply with the ‘efficiency measures’ … \[takes\] a lot of time away from doing our job,” says the fifth employee.

**Bracing for More**

When Trump signed the bill creating CISA in November 2018, he said the agency’s workforce would be “on the front lines of our cyber defense” and “make us, I think, much more effective.” Six and a half years later, many CISA employees see Trump as the biggest thing holding them back.

“This administration has declared psychological warfare on this workforce,” the fourth employee says.

With CISA drawing up plans for even larger cuts, staffers know the chaos is far from over.

“A lot of people are scared,” says the first employee. “We’re waiting for that other shoe to drop. We don't know what's coming.”

Entire wings of CISA—like National Risk Management Center and the Stakeholder Engagement Division—could be on the chopping block. Even in offices that survive, some of the government’s most talented cyber experts—people who chose public service over huge sums of money and craved the lifestyle of CISA’s now-eliminated remote-work environment—are starting to see their employment calculus differently. Some of them will likely leave for stabler jobs, further jeopardizing CISA’s mission. “What is the organization going to be capable of doing in the future?” the first employee asks.

If Trump’s confrontational foreign-policy strategy escalates tensions with Russia, China, Iran, or North Korea, it’s likely those nations could step up their use of cyberattacks to exact revenge. In that environment, warns Nitin Natarajan, CISA’s deputy director during the Biden administration, weakening the agency could prove very dangerous.

“Cuts to CISA’s cyber mission,” Natarajan says, “will only negatively impact our ability to not only protect federal government networks, but those around the nation that Americans depend on every day.”

‘People Are Scared’: Inside CISA as It Reels From Trump’s Purge

“No Lives Matter” has emerged in recent months as a particularly violent splinter group within the extremist crime network known as Com and 764, and experts are at a loss for how to stop its spread.

The kids are all grown up. In the face of international law enforcement pressure, dozens of prosecutions, and worldwide disrepute, the network of young sadists, misanthropes, child predators, and extortionists known as Com and 764 has not shrunk away into obscurity.

Rather, its members have progressed from online extortion and crimes related to child sexual abuse material, to real-world violence, a trajectory that alarms extremism researchers and government officials alike. Knifings, killings, firebombings, drive-by shootings, school shootings, and murder-for-hire plots in North America and Europe have all been connected to a splinter group called “No Lives Matter” that, per the group’s own manifesto, “idolizes death” and “seeks the purification of all mankind through endless attacks.” The group has released at least two “kill guides” that have been connected to violent attacks and plots in Europe and the United States.

The US Department of Justice classifies Com and 764 as a “Tier One” terrorism threat, the highest priority afforded to an extremist group, ideology, or tendency in American law enforcement’s internal rubric. Intelligence documents reviewed by WIRED show a stream of concern from analysts about the group’s harm to juvenile exploitation victims and the growing exhortations to physical violence that embody the No Lives Matter ethos.

However, the phenomenon has proved incredibly hard to combat due to a lack of coherent structure or ideology. Along with the insidious neo-Nazi propaganda group the Terrorgram Collective, over the past four years, Com/764 has morphed into a twisted amalgam of the Columbine Effect and older domestic terror groups like the Atomwaffen Division: Young extortionists and assailants egg each other on to progressively more lurid and debased acts of violence for the sake of internet notoriety and status.

In response, Western governments have employed terrorism charges against young people accused of conspiring to kill homeless people or phoning in bomb threats to schools and religious institutions beyond their own borders. In the United Kingdom, the Crown Prosecution Service recently secured a six-year prison term for 19-year-old Cameron Finnegan, who went by the handle “Acid,” for a raft of 764-related offenses, including possessing CSAM, urging young people to kill themselves, and possessing a “kill manual” authored by No Lives Matter adherents, replete with viable instructions for carrying out lethal attacks with knives, firearms, and vehicles.

"We want to make the public aware of \[Com/764\]," Detective Chief Superintendent Claire Finlay, the head of Counter Terrorism Policing Southeast, told the BBC following Finnegan’s guilty plea in January. "The threat that they pose, not just within the United Kingdom but globally, is immense."

According to senior DOJ officials who were granted anonymity to speak about internal law enforcement matters, the feds have come across related cases in every field office in the US. US authorities are so hell-bent on pursuing this trend that they are trying to extradite a 17-year-old Romanian boy who prosecutors at the Southern District of New York claim took part in exploiting minors and soliciting and distributing CSAM. The teenager also faces US terrorism charges for allegedly phoning in several hundred bomb threats to dozens of schools and institutions in the US as part of 764 and its splinter groups, according to information obtained by this reporter.

"We’ve seen a lot of hybrid movements and ideologies, new trends that we can’t categorize under the traditional categories,” says Bàrbara Molas, a senior analyst at RAND Europe who specializes in far-right extremism and who testified as an expert witness for the prosecution in Finnegan’s recent Com/764-related case.

For Molas, Com/764 represents that type of hybridity, where participants in the network will pick and choose elements from a series of discrete ideologies—neo-Nazism; the satanist group Order of Nine Angles, which has become prevalent throughout the most transgressive spheres of the transnational far right; Ted-Kaczynski-inspired neo-Luddism—and assemble their own belief pantheon.

“When 764 was only about CSAM, their targets tended to be women—but specifically women from diminished social groups, who were seen as the weak party of society,” Molas says. “That ideal of imposing violence on this part of society has carried on and become more violent.” When members of the network commit violence in the name of the group, Molas says, it “helps them rise within the group and advance the larger cause, which is to change society through violence and chaos.”

The lodestar for this transition towards wanton violence is a German teenager named Nino Luciano, who went by the handle “Tobbz” within 764. Sent to live in a foster home in Romania because his mental illnesses overwhelmed the capacity of institutions in his home country, Tobbz was drawn into 764 during the Covid-19 pandemic and quickly became enthralled with the group, daubing its name on a wall in his room and tattooing himself with “764” and a septagram from the Order of Nine Angles. In March 2022, he committed and livestreamed a series of knife attacks, stabbing an elderly woman to death and severely wounding an old man. He was convicted in August 2023 and is serving 14 years in prison.

Tobbz’s behavior inspired other young extremists in the Com/764 network, who have since either tried to emulate his livestreamed attacks or commit similar acts of violence to boost their notoriety and status within their extremist peer group. No Lives Matter’s exhortations to commit mass casualty events and distribution of detailed guides to violence are patterned off Tobbz’s example, according to experts who’ve studied the network.

Baron Martin, a resident of Tucson, Arizona, was charged in federal court with cyberstalking and sexual exploitation of a child that included the production of CSAM. According to court records, the government also accused Martin of soliciting the murder of the grandmother of one of his victims under the handle “Convict.” He allegedly sent the following message to a Discord server, court records show: “know anyone in \[state\] thats willing to do kidnappings or shootings...i need someone to tobbz a grandma. Somebody wanted to dox one of my egirls. now I’m getting their grandma merked.” The use of “Tobbz” as a synonym for murder was not casual: Martin allegedly offered to pay another user to carry out the hit, which was never realized.

According to court documents, Martin, through his handle, was connected to authoring a detailed guide widely distributed in 764’s channels on how to groom victims for extortion, which the FBI claims Martin bragged online was “the catalyst for thousands of extortions.” (Martin has pleaded not guilty.)

Molas, of RAND Europe, says Martin’s alleged path from extortion to soliciting a homicide traces a familiar path of transgressive behavior often seen in Com/764’s online world. “They’ll start with little acts of sin—shoplifting, then robberies, abuse of minors, weapons violations, then all the way up to kidnapping and murder,” Molas says.

In mid-February, Jairo Tinajero, a 25-year-old Arkansas man who took part in the 764 splinter group 8884, pleaded guilty to CSAM and conspiracy charges for extorting an underage girl in Louisville, Kentucky. According to his plea agreement, Tinajero confessed to plotting to kill the girl once she stopped complying with him, posting her address and personal information about her and her family family in 764’s servers, unsuccessfully trying to buy an assault rifle, and talking through a murder plot with other 764 members.

Tinajero also admitted taking part in 764 online chats where prior mass casualty attacks were discussed along with “future attacks on heavily populated areas such as malls or other large gatherings, LGBTQ+ events and gatherings, schools, public places, government buildings and police stations” with the intent to “destabilize society and cause the collapse of governments and rule of law.”

Most recently, neo-Nazi Aidan Harding’s inspiration from 764 was brought up during a mid-February federal court hearing for CSAM possession charges. In addition to participating in public actions with a number of Pittsburgh-area extremist groups, prosecutors claimed that Harding and another man were deeply interested in the Columbine massacre, visiting the memorial in Littleton, Colorado, and posing for a photo in front of a swastika flag while dressed as Dylan Klebold and Eric Harris. “Eric and Dylan were kickstarting a revolution,” Harding wrote in a message, which prosecutors showed in court. Harding and the other man, who hasn’t been charged, also discussed carrying out mass shootings through Instagram direct messages, which were presented in court. “The only thing holding me back is a partner … I don’t want to do it alone or die alone,” Harding wrote.

According to two researchers who attended Harding’s three-and-a-half-hour court appearance related to probable cause on February 12, an FBI agent claimed during questioning that investigators found reams of videos depicting children being raped, ultraviolent videos of executions, and the extremist mass shootings in Buffalo, Nashville, and Columbine, along with a photo on Harding’s phone of a phrase daubed in blood: “I sold my soul to 764,” above a swastika and a Lviathan cross often used by 764. Another photo, handed up to the judge and not shown in court, depicted the naked chest of a young girl wearing a cross, with the words “No Lives Matter” carved into her body with a sharp instrument.” Harding has pleaded not guilty.

The crimes described in court cases this year follow a months-long surge in No Lives Matter–related violence. In October, authorities claim, a 14-year-old Swede committed eight attacks on unsuspecting passersby in Stockholm. The attacker, per national broadcaster SVT, took part in 764 and went by the handle “Slain” in the group. Documents circulated by 764 participants on Telegram and elsewhere claim “Slain764” as one of their own, and identify Sweden, the UK, and Bulgaria as countries where their group has a presence.

In mid-February, Italian police arrested a 15-year-old boy on suspicion of planning to murder a homeless man and livestream the act. Police said the teenager was reportedly involved in 764 and faces charges for explosives possession and possession of CSAM material. Italian authorities claim he planned his actions as part of a “week of terror” along with unspecified colleagues.

There is also evidence of 764’s praxis and imagery merging with that of the Terrorgram Collective, a neo-Nazi propaganda network that aims to radicalize young people and inspire solo acts of sabotage and mass murder.

Solomon Henderson, a Tennessee teenager whom police said shot up his high school last month, posted a sprawling manifesto that referenced both mass shooters inspired by Terrorgram as well as homicidal 764 members, including Tobbz. Henderson’s social media accounts also show extensive imagery from 764’s channels as well as the Order of Nine Angles “The influence I see most heavily in that agenda is the Order of Nine Angles,” Molas says.

That confluence of extremist inspirations is highly unpredictable, and may prove influential: There is reportedly evidence that social media accounts connected to Henderson may have communicated with accounts linked to Natalie “Samantha” Rupnow, a young Wisconsin woman who killed two and wounded classmates in a mid-December shooting at her school before dying by suicide. Earlier in December, a high school student in Guadalajara, Mexico, livestreamed an axe attack on his classmates before they were able to subdue him. The young man’s social media posts were rife with O9A influence, including photos of himself with butchered animals and another with a blood pact, a common O9A practice.

The Violent Rise of ‘No Lives Matter’

Tel Aviv, Israel, 12th March 2025, CyberNewsWire

**Tel Aviv, Israel, March 12th, 2025, CyberNewsWire**

CYREBRO, the AI-native Managed Detection and Response (MDR) solution, announced today that it won Silver in the category of Security Operations Center (SOC) solutions at the annual 2025 Globee Awards. The program aims to raise awareness about cybersecurity issues and honor those who have made significant contributions in protecting organizations and individuals from cyber threats.

This award comes on the heels of significant advancements for CYREBRO, solidifying its position as a future-proof cybersecurity leader. The company has recently launched its proprietary security data lake, enabling unparalleled threat analysis and faster, more precise detection. This innovation, coupled with a strategic partnership with Google Cloud, enhances CYREBRO’s ability to scale and deliver cutting-edge security solutions across diverse environments.

CYREBRO’s commitment to global expansion is evident in its rapidly growing customer base across new markets, demonstrating the universal need for proactive threat detection and response across companies of all sizes.

CYREBRO remains steadfast in its 100% channel-based strategy, empowering its partners to deliver exceptional MDR services to their clients. This approach ensures seamless integration and personalized service, maximizing the value of CYREBRO’s MDR capabilities.

> “We are honored to receive this prestigious award,” said Ori Arbel, CYREBRO CTO. “This recognition validates our relentless pursuit of innovation and our dedication to empowering businesses with robust cybersecurity defenses. We’re particularly proud of the strides we’ve made in enhancing our platform, directly translating to superior security outcomes for our partners and customers.”

**About CYREBRO**

CYREBRO is an AI-native, end-to-end Managed Detection and Response (MDR) solution, designed for hands-off or hands-on control through its future-proof SOC platform.

With its advanced Security Data Lake revolutionizing SIEM and SOAR capabilities, CYREBRO includes 24/7 SOC monitoring and threat intelligence, augmented with exceptionally swift incident response and forensic investigations. CYREBRO delivers precision-guided threat detection and response across any tech stack, providing clear, actionable insights to ensure world-class security and compliance.

With comprehensive visibility and expert guidance, CYREBRO empowers over 900 businesses of all sizes to manage threats proactively, enhancing their security posture and delivering full and complete protection.

**Contact**

**CMO**  
**Gil Harel**  
**CYREBRO**  
**\[email protected\]**

CYREBRO’s AI-Native MDR Platform Earns Silver at the 2025 Globee Cybersecurity Awards

Threat intelligence firm GreyNoise is warning of a "coordinated surge" in the exploitation of Server-Side Request Forgery (SSRF) vulnerabilities spanning multiple platforms.
"At least 400 IPs have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts," the company said, adding it observed the activity on March 9, 2025.
The countries which

Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack

Elon Musk said a “massive cyberattack” disrupted X on Monday and pointed to “IP addresses originating in the Ukraine area” as the source of the attack. Security experts say that's not how it works.

The social network X suffered intermittent outages on Monday, a situation owner Elon Musk attributed to a “massive cyberattack.” Musk said in an initial X post that the attack was perpetrated by “either a large, coordinated group and/or a country.” In a post on Telegram, a pro-Palestinian group known as Dark Storm Team took credit for the attacks within a few hours. Later on Monday, though, Musk claimed in an interview on Fox Business Network that the attacks had come from Ukrainian IP addresses.

Web traffic analysis experts who tracked the incident on Monday were quick to emphasize that the type of attacks X seemed to face—distributed denial-of-service, or DDoS, attacks—are launched by a coordinated army of computers, or a “botnet,” pummeling a target with junk traffic in an attempt to overwhelm and take down its systems. Botnets are typically dispersed around the world, generating traffic with geographically diverse IP addresses, and they can include mechanisms that make it harder to determine where they are controlled from.

“It’s important to recognize that IP attribution alone is not conclusive. Attackers frequently use compromised devices, VPNs, or proxy networks to obfuscate their true origin," says Shawn Edwards, chief security officer of the network connectivity firm Zayo.

X did not return WIRED's requests for comment about the attacks.

Multiple researchers tell WIRED that they observed five distinct attacks of varying length against X's infrastructure, the first beginning early Monday morning with the final burst on Monday afternoon.

The internet intelligence team at Cisco's ThousandEyes tells WIRED in a statement, “During the disruptions, ThousandEyes observed network conditions that are characteristic of a DDoS attack, including significant traffic loss conditions which would have hindered users from reaching the application.”

DDoS attacks are common, and virtually all modern internet services experience them regularly and must proactively defend themselves. As Musk himself put it on Monday, “We get attacked every day.” Why, then, did these DDoS attacks cause outages for X? Musk said it was because “this was done with a lot of resources,” but independent security researcher Kevin Beaumont and other analysts see evidence that some X origin servers, which respond to web requests, weren't properly secured behind the company's Cloudflare DDoS protection and were publicly visible. As a result, attackers could target them directly. X has since secured the servers.

“The botnet was directly attacking the IP and a bunch more on that X subnet yesterday. It's a botnet of cameras and DVRs,” Beaumont says.

A few hours after the final attack concluded, Musk told Fox Business host Larry Kudlow in an interview, “We're not sure exactly what happened, but there was a massive cyberattack to try to bring down the X system with IP addresses originating in the Ukraine area.”

Musk has mocked Ukraine and its president, Volodymyr Zelensky, repeatedly since Russia invaded its neighbor in February 2022. A major campaign donor to President Donald Trump, Musk now heads the so-called Department of Government Efficiency, or DOGE, which has razed the US federal government and its workforce in the weeks since Trump's inauguration. Meanwhile, the Trump administration has recently warmed relations with Russia and moved the US away from its longtime support of Ukraine. Musk has already been involved in these geopolitics in the context of a different company he owns, SpaceX, which operates the satellite internet service Starlink that many Ukrainians rely on.

DDoS traffic analysis can break down the firehose of junk traffic in different ways, including by listing the countries that had the most IP addresses involved in an attack. But one researcher from a prominent firm, who requested anonymity because they are not authorized to speak about X, noted that they did not even see Ukraine in the breakdown of the top 20 IP address origins involved in the X attacks.

If Ukrainian IP addresses did contribute to the attacks, though, numerous researchers say that the fact alone is not noteworthy.

“What we can conclude from the IP data is the geographic distribution of traffic sources, which may provide insights into botnet composition or infrastructure used,” Zayo’s Edwards says. “What we can’t conclude with certainty is the actual perpetrator’s identity or intent.”

_Additional reporting by Zoë Schiffer._

Tag

#intel