President Trump last week revoked security clearances for Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA) who was fired by Trump after declaring the 2020 election the most secure in U.S. history. The White House memo, which also suspended clearances for other security professionals at Krebs's employer SentinelOne, comes as CISA is facing huge funding and staffing cuts.

**President Trump** last week revoked security clearances for **Chris Krebs**, the former director of the **Cybersecurity and Infrastructure Security Agency** (CISA) who was fired by Trump after declaring the 2020 election the most secure in U.S. history. The White House memo, which also suspended clearances for other security professionals at Krebs’s employer **SentinelOne**, comes as CISA is facing huge funding and staffing cuts.

Chris Krebs. Image: Getty Images.

The extraordinary April 9 memo directs the attorney general to investigate Chris Krebs (no relation), calling him “a significant bad-faith actor who weaponized and abused his government authority.”

The memo said the inquiry will include “a comprehensive evaluation of all of CISA’s activities over the last 6 years and will identify any instances where Krebs’ or CISA’s conduct appears to be contrary to the administration’s commitment to free speech and ending federal censorship, including whether Krebs’ conduct was contrary to suitability standards for federal employees or involved the unauthorized dissemination of classified information.”

CISA was created in 2018 during Trump’s first term, with Krebs installed as its first director. In 2020, CISA launched Rumor Control, a website that sought to rebut disinformation swirling around the 2020 election.

That effort ran directly counter to Trump’s claims that he lost the election because it was somehow hacked and stolen. The Trump campaign and its supporters filed at least 62 lawsuits contesting the election, vote counting, and vote certification in nine states, and nearly all of those cases were dismissed or dropped for lack of evidence or standing.

When the Justice Department began prosecuting people who violently attacked the U.S. Capitol on January 6, 2021, President Trump and Republican leaders shifted the narrative, claiming that Trump lost the election because the previous administration had censored conservative voices on social media.

Incredibly, the president’s memo seeking to ostracize Krebs stands reality on its head, accusing Krebs of promoting the censorship of election information, “including known risks associated with certain voting practices.” Trump also alleged that Krebs “_falsely and baselessly denied that the 2020 election was rigged and stolen_, including by inappropriately and categorically dismissing widespread election malfeasance and serious vulnerabilities with voting machines” \[emphasis added\].

Krebs did not respond to a request for comment. SentinelOne issued a statement saying it would cooperate in any review of security clearances held by its personnel, which is currently fewer than 10 employees.

Krebs’s former agency is now facing steep budget and staff reductions. **The Record** reports that CISA is looking to remove some 1,300 people by cutting about half its full-time staff and another 40% of its contractors.

“The agency’s National Risk Management Center, which serves as a hub analyzing risks to cyber and critical infrastructure, is expected to see significant cuts, said two sources familiar with the plans,” The Record’s **Suzanne Smalley** wrote. “Some of the office’s systematic risk responsibilities will potentially be moved to the agency’s Cybersecurity Division, according to one of the sources.”

CNN reports the Trump administration is also advancing plans to strip civil service protections from 80% of the remaining CISA employees, potentially allowing them to be fired for political reasons.

The **Electronic Frontier Foundation** (EFF) urged professionals in the cybersecurity community to defend Krebs and SentinelOne, noting that other security companies and professionals could be the next victims of Trump’s efforts to politicize cybersecurity.

“The White House must not be given free reign to turn cybersecurity professionals into political scapegoats,” the EFF wrote. “It is critical that the cybersecurity community now join together to denounce this chilling attack on free speech and rally behind Krebs and SentinelOne rather than cowering because they fear they will be next.”

However, **Reuters** said it found little sign of industry support for Krebs or SentinelOne, and that many security professionals are concerned about potentially being targeted if they speak out.

“Reuters contacted 33 of the largest U.S. cybersecurity companies, including tech companies and professional services firms with large cybersecurity practices, and three industry groups, for comment on Trump’s action against SentinelOne,” wrote **Raphael Satter** and **A.J. Vicens**. “Only one offered comment on Trump’s action. The rest declined, did not respond or did not answer questions.”

**CYBERCOM-PLICATIONS**

On April 3, President Trump fired **Gen. Timothy Haugh**, the head of the **National Security Agency** (NSA) and the **U.S. Cyber Command**, as well as Haugh’s deputy, **Wendy Noble**. The president did so immediately after meeting in the Oval Office with far-right conspiracy theorist Laura Loomer, who reportedly urged their dismissal. Speaking to reporters on Air Force One after news of the firings broke, Trump questioned Haugh’s loyalty.

Gen. Timothy Haugh. Image: C-SPAN.

Virginia **Senator Mark Warner**, the top Democrat on the Senate Intelligence Committee, called it inexplicable that the administration would remove the senior leaders of NSA-CYBERCOM without cause or warning, and risk disrupting critical ongoing intelligence operations.

“It is astonishing, too, that President Trump would fire the nonpartisan, experienced leader of the National Security Agency while still failing to hold any member of his team accountable for leaking classified information on a commercial messaging app – even as he apparently takes staffing direction on national security from a discredited conspiracy theorist in the Oval Office,” Warner said in a statement.

On Feb. 28, The Record’s **Martin Matishak** cited three sources saying Defense Secretary **Pete Hegseth** ordered U.S. Cyber Command to stand down from all planning against Russia, including offensive digital actions. The following day, **The Guardian** reported that analysts at CISA were verbally informed that they were not to follow or report on Russian threats, even though this had previously been a main focus for the agency.

A follow-up story from **The Washington Post** cited officials saying Cyber Command had received an order to halt active operations against Russia, but that the pause was intended to last only as long as negotiations with Russia continue.

The Department of Defense responded on Twitter/X that Hegseth had “neither canceled nor delayed any cyber operations directed against malicious Russian targets and there has been no stand-down order whatsoever from that priority.”

But on March 19, Reuters reported several U.S. national security agencies have halted work on a coordinated effort to counter Russian sabotage, disinformation and cyberattacks.

“Regular meetings between the National Security Council and European national security officials have gone unscheduled, and the NSC has also stopped formally coordinating efforts across U.S. agencies, including with the FBI, the Department of Homeland Security and the State Department,” Reuters reported, citing current and former officials.

**TARIFFS VS TYPHOONS**

President’s Trump’s institution of 125% tariffs on goods from China has seen Beijing strike back with 84 percent tariffs on U.S. imports. Now, some security experts are warning that the trade war could spill over into a cyber conflict, given China’s successful efforts to burrow into America’s critical infrastructure networks.

Over the past year, a number of Chinese government-backed digital intrusions have come into focus, including a sprawling espionage campaign involving the compromise of at least nine U.S. telecommunications providers. Dubbed “Salt Typhoon” by Microsoft, these telecom intrusions were pervasive enough that CISA and the FBI in December 2024 warned Americans against communicating sensitive information over phone networks, urging people instead to use encrypted messaging apps (like Signal).

The other broad ranging China-backed campaign is known as “Volt Typhoon,” which CISA described as “state-sponsored cyber actors seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”

Responsibility for determining the root causes of the Salt Typhoon security debacle fell to the Cyber Safety Review Board (CSRB), a nonpartisan government entity established in February 2022 with a mandate to investigate the security failures behind major cybersecurity events. But on his first full day back in the White House, President Trump dismissed all 15 CSRB advisory committee members — likely because those advisers included Chris Krebs.

Last week, **Sen. Ron Wyden** (D-Ore.) placed a hold on Trump’s nominee to lead CISA, saying the hold would continue unless the agency published a report on the telecom industry hacks, as promised.

“CISA’s multi-year cover up of the phone companies’ negligent cybersecurity has real consequences,” Wyden said in a statement. “Congress and the American people have a right to read this report.”

**The Wall Street Journal** reported last week Chinese officials acknowledged in a secret December meeting that Beijing was behind the widespread telecom industry compromises.

“The Chinese official’s remarks at the December meeting were indirect and somewhat ambiguous, but most of the American delegation in the room interpreted it as a tacit admission and a warning to the U.S. about Taiwan,” The Journal’s **Dustin Volz** wrote, citing a former U.S. official familiar with the meeting.

Meanwhile, China continues to take advantage of the mass firings of federal workers. On April 9, the **National Counterintelligence and Security Center** warned (PDF) that Chinese intelligence entities are pursuing an online effort to recruit recently laid-off U.S. employees.

“Foreign intelligence entities, particularly those in China, are targeting current and former U.S. government (USG) employees for recruitment by posing as consulting firms, corporate headhunters, think tanks, and other entities on social and professional networking sites,” the alert warns. “Their deceptive online job offers, and other virtual approaches, have become more sophisticated in targeting unwitting individuals with USG backgrounds seeking new employment.”

Image: Dni.gov

**ELECTION THREATS**

As Reuters notes, the FBI last month ended an effort to counter interference in U.S. elections by foreign adversaries including Russia, and put on leave staff working on the issue at the Department of Homeland Security.

Meanwhile, the U.S. Senate is now considering a House-passed bill dubbed the “**Safeguard American Voter Eligibility (SAVE) Act**,” which would order states to obtain proof of citizenship, such as a passport or a birth certificate, in person from those seeking to register to vote.

Critics say the SAVE Act could disenfranchise millions of voters and discourage eligible voters from registering to vote. What’s more, documented cases of voter fraud are few and far between, as is voting by non-citizens. Even the conservative **Heritage Foundation** acknowledges as much: An interactive “election fraud map” published by Heritage lists just 1,576 convictions or findings of voter fraud between 1982 and the present day.

Nevertheless, the GOP-led House passed the SAVE Act with the help of four Democrats. Its passage in the Senate will require support from at least seven Democrats, Newsweek writes.

In February, CISA cut roughly 130 employees, including its election security advisors. The agency also was forced to freeze all election security activities pending an internal review. The review was reportedly completed in March, but the Trump administration has said the findings would not be made public, and there is no indication of whether any cybersecurity support has been restored.

Many state leaders have voiced anxiety over the administration’s cuts to CISA programs that provide assistance and threat intelligence to election security efforts. **Iowa Secretary of State Paul Pate** last week told the **PBS** show I**owa Press** he would not want to see those programs dissolve.

“If those (systems) were to go away, it would be pretty serious,” Pate said. “We do count on a lot those cyber protections.”

Pennsylvania’s **Secretary of the Commonwealth Al Schmidt** recently warned the CISA election security cuts would make elections less secure, and said no state on its own can replace federal election cybersecurity resources.

The **Pennsylvania Capital-Star** reports that several local election offices received bomb threats around the time polls closed on Nov. 5, and that in the week before the election a fake video showing mail-in ballots cast for Trump and Sen. Dave McCormick (R-Pa.) being destroyed and thrown away was linked to a Russian disinformation campaign.

“CISA was able to quickly identify not only that it was fraudulent, but also the source of it, so that we could share with our counties and we could share with the public so confidence in the election wasn’t undermined,” Schmidt said.

According to CNN, the administration’s actions have deeply alarmed state officials, who warn the next round of national elections will be seriously imperiled by the cuts. A bipartisan association representing 46 secretaries of state, and several individual top state election officials, have pressed the White House about how critical functions of protecting election security will perform going forward. However, CNN reports they have yet to receive clear answers.

Nevada and 18 other states are suing Trump over an executive order he issued on March 25 that asserts the executive branch has broad authority over state election procedures.

“None of the president’s powers allow him to change the rules of elections,” Nevada Secretary of State **Cisco Aguilar** wrote in an April 11 op-ed. “That is an intentional feature of our Constitution, which the Framers built in to ensure election integrity. Despite that, Trump is seeking to upend the voter registration process; impose arbitrary deadlines on vote counting; allow an unelected and unaccountable billionaire to invade state voter rolls; and withhold congressionally approved funding for election security.”

The order instructs the **U.S. Election Assistance Commission** to abruptly amend the voluntary federal guidelines for voting machines without going through the processes mandated by federal law. And it calls for allowing the administrator of the so-called **Department of Government Efficiency** (DOGE), along with DHS, to review state voter registration lists and other records to identify non-citizens.

The Atlantic’s **Paul Rosenzweig** notes that the chief executive of the country — whose unilateral authority the Founding Fathers most feared — has literally no role in the federal election system.

“Trump’s executive order on elections ignores that design entirely,” Rosenzweig wrote. “He is asserting an executive-branch role in governing the mechanics of a federal election that has never before been claimed by a president. The legal theory undergirding this assertion — that the president’s authority to enforce federal law enables him to control state election activity — is as capacious as it is frightening.”

Trump Revenge Tour Targets Cyber Leaders, Elections

Microsoft held off on releasing the privacy-unfriendly feature after a swell of pushback last year. Now it’s trying again, with a few improvements that skeptics say still aren't enough.

Security and privacy advocates are girding themselves for another uphill battle against Recall, the AI tool rolling out in Windows 11 that will screenshot, index, and store everything a user does every three seconds.

When Recall was introduced in May 2024, security practitioners roundly castigated it for creating a gold mine for malicious insiders, criminals, or nation-state spies if they managed to gain even brief administrative access to a Windows device. Privacy advocates warned that Recall was ripe for abuse in intimate partner violence settings. They also noted that there was nothing stopping Recall from preserving sensitive disappearing content sent through privacy-protecting messengers such as Signal.

**Total Recall**

Following months of backlash, Microsoft later suspended Recall. On Thursday, the company said it was reintroducing Recall. It currently is available only to insiders with access to the Windows 11 Build 26100.3902 preview version. Over time, the feature will be rolled out more broadly. Microsoft officials wrote:

> Recall (preview)\* saves you time by offering an entirely new way to search for things you’ve seen or done on your PC securely. With the AI capabilities of Copilot+ PCs, it’s now possible to quickly find and get back to any app, website, image, or document just by describing its content. To use Recall, you will need to opt-in to saving snapshots, which are images of your activity, and enroll in Windows Hello to confirm your presence so only you can access your snapshots. You are always in control of what snapshots are saved and can pause saving snapshots at any time. As you use your Copilot+ PC throughout the day working on documents or presentations, taking video calls, and context switching across activities, Recall will take regular snapshots and help you find things faster and easier. When you need to find or get back to something you’ve done previously, open Recall and authenticate with Windows Hello. When you’ve found what you were looking for, you can reopen the application, website, or document, or use Click to Do to act on any image or text in the snapshot you found.

Microsoft is hoping that the concessions requiring opt-in and the ability to pause Recall will help quell the collective revolt that broke out last year. It likely won’t for various reasons.

First, even if User A never opts in to Recall, they have no control over the setting on the machines of Users B through Z. That means anything User A sends them will be screenshotted, processed with optical character recognition and Copilot AI, and then stored in an indexed database on the other users’ devices. That would indiscriminately hoover up all kinds of User A's sensitive material, including photos, passwords, medical conditions, and encrypted videos and messages. As Privacy Guides writer Em wrote on Mastodon:

> This feature will unfortunately extract your information from whatever secure software you might have used and store it on this person's computer in a possibly less secure way.
> 
> Of course this person could manually take a screenshot of all of this anyway, but this feature makes it that even a well-intentioned person might either not be aware it is on, or might wrongly assume it is secure enough.
> 
> This feature isn't fully released yet, but it might be soon.

The presence of an easily searchable database capturing a machine’s every waking moment would also be a bonanza for others who don’t have users’ best interests at heart. That level of detailed archival material will undoubtedly be subject to subpoena by lawyers and governments. Threat actors who manage to get their spyware installed on a device will no longer have to scour it for the most sensitive data stored there. Instead they will mine Recall just as they do browser databases storing passwords now.

Microsoft didn’t immediately respond to a message asking why it’s reintroducing Recall less than a year after the feature got such a chilly reception. For critics, Recall is likely to remain one of the most pernicious examples of enshittification, the recently minted term for the shoehorning of unwanted AI and other features into existing products when there is negligible benefit to users.

_This story originally appeared on_ _Ars Technica._

Microsoft’s Recall AI Tool Is Making an Unwelcome Return

A newly created inetpub folder turns out to be part of a Microsoft update against a vulnerability tracked as CVE-2025-21204

In a new update for the guide concerning CVE-2025-21204 Microsoft told users they need the new inetpub folder for protection.

As part of April’s patch Tuesday updates, Microsoft released a patch to a link following flaw in the Windows Update Stack. Applying the patch creates a new %systemdrive%\\inetpub folder on the device.

Users who noticed the new folder asked questions because they were concerned about its origin and purpose. Since the empty folder is generally associated with an Internet Information Services (IIS) feature that most users will not be running, this called for an explanation.

Internet Information Services (IIS) is a web server platform created by Microsoft to host websites, web applications, and services on Windows systems. The platform is not installed by default but can be enabled through the Windows Features dialog.

Microsoft states in the update:

> “This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users.”

CVE-2025-21204, when successfully exploited, allows an authorized attacker to elevate privileges locally.

Per Microsoft:

> “An authenticated attacker who successfully exploits this vulnerability gains the ability to perform and/or manipulate file management operations on the victim machine in the context of the NT AUTHORITY\\SYSTEM account.”

The “link following flaw” means that the product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

As a resolution, denying access to a file can prevent an attacker from replacing that file with a link to a malicious file. Denying access can be done by assigning file/folder permissions. When you set permissions while creating a folder, you specify what users are allowed to do within that folder, such as limiting their ability to “Read-only” which means it allows the user to open and read files within the folder, but not add or edit existing files in the folder.

Read-only inetpub folder

Short answer: the inetpub folder is there to protect you from an attacker exploiting a vulnerability, and it’s hardly taking up any space, so best leave it alone.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 No, it’s not OK to delete that new inetpub folder 

Allegedly responsible for the theft of $1.5 billion in cryptocurrency from a single exchange, North Korea’s TraderTraitor is one of the most sophisticated cybercrime groups in the world.

On February 21, the largest crypto heist ever started to unfold. Hackers gained control of a crypto wallet belonging to the world’s second-largest cryptocurrency exchange, Bybit, and stole almost $1.5 billion of digital tokens. They quickly shunted the money between dozens of cryptocurrency wallets and services to try and obscure the activity, before starting to cash the stolen funds out.

The eye-popping digital raid had all the hallmarks of being conducted by one of North Korea’s elite subgroups of hackers. While Bybit remained solvent by borrowing cryptocurrency and launched a bounty scheme to track down the stolen funds, the FBI quickly pinned the blame on the North Korean hackers known as TraderTraitor.

Before the Bybit heist, TraderTraitor had already been linked to other high-profile cryptocurrency thefts and compromises of supply chain software.

“We were waiting for the next big thing,” says Michael Barnhart, a longtime cybersecurity researcher focused on North Korea and investigator at security firm DTEX Systems. “They didn't go away. They didn’t try to stop. They were clearly plotting and planning—and they’re doing that now,” he says.

North Korea’s hackers—alongside those from China, Russia, and Iran—are consistently considered to be one of the most sophisticated and most dangerous cyber threats to Western democracies. While all of these countries engage in espionage and theft of sensitive data, North Korea’s cyber operations come with their own set of distinct goals: helping to fund the hermit kingdom’s nuclear programs. Increasingly, that means stealing cryptocurrency.

Over at least the past five years, the totalitarian regime of Kim Jong-un has deployed technically skilled IT workers to infiltrate companies around the world and earn wages that can be sent back to the motherland. In some cases, after being fired, those workers extort their former employers by threatening to release sensitive data. At the same time, North Korean hackers, as part of the broad umbrella Lazarus Group, have stolen billions in cryptocurrency from exchanges and companies around the world. TraderTraitor makes up one part of the wider Lazarus group, which is run out of the Reconnaissance General Bureau, the North Korean intelligence agency.

TraderTraitor—which is also referred to as Jade Sleet, Slow Pisces, and UNC4899 by security companies—is primarily interested in cryptocurrency.

“They use a variety of creative techniques to get into blockchain, cryptocurrency, anything that has to do with platforms, trading forums, all of those different things that are around cryptocurrency and decentralized finance,” says Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft. “The Jade Sleet group \[TraderTraitor\] is one of the most sophisticated groups within that echelon,” she says.

TraderTraitor first emerged around the start of 2022, multiple cybersecurity researchers say, and is likely an offshoot of the North Korean APT38 group that hacked the SWIFT financial system and attempted to steal $1 billion from the Central Bank of Bangladesh at the start of 2016. “They walked off with very little money,” says DTEX Systems’s Barnhart. “In that moment you had a real, significant shift.”

Barnhart says North Korea realized that relying on other people—such as money mules—could make their operations less effective. Instead, they could steal cryptocurrency. Two groups emerged from that tactical shift, Barnhart says, CryptoCore and TraderTraitor. “TraderTraitor is the most sophisticated of all,” he says. “And why? Because APT38 was the A team.”

Since then, TraderTraitor has been linked to multiple large-scale cryptocurrency thefts in recent years. For instance, the March 2024 theft of $308 million from Japan-based cryptocurrency company DMM has been linked to TraderTraitor by the FBI, Department of Defense, and police in Japan.

TraderTraitor typically targets people working at Web3 firms using spear-phishing messages—most often, people working on software development. “They know the individuals that work at these companies, they track them, they have profiles on them, they know which trading platforms are doing the most volume. They’re focused on that entire industry, understanding it backwards and forwards,” says Microsoft’s DeGrippo.

GitHub, which is owned by Microsoft, highlighted in July 2023 how TraderTraitor created fake accounts on the coding platform, plus LinkedIn, Slack, and Telegram. The TraderTraitor criminals can create fake personas that they use to message their targets or use real accounts that have been hacked, GitHub’s research says. In that instance, TraderTraitor invited developers to collaborate on GitHub, before ultimately infecting them with malware using malicious code. Recently, security researchers at Palo Alto Networks’ Unit 42 threat intelligence team found 50 North Korean recruiter profiles on LinkedIn and linked them back to TraderTraitor.

The group has been seen using “custom backdoors,” such as PLOTTWIST and TIEDYE, that target macOS, says Adrian Hernandez, a senior threat analyst at Google’s Threat Intelligence Group. “These are typically heavily obfuscated to prevent detection and thwart analysis,” Hernandez says. “Once UNC4899 \[TraderTraitor\] has gained access to valid credentials, we’ve observed this threat actor moving laterally and accessing other accounts to access hosts and systems, keeping a low profile and aiming to evade detection.”

Once the North Korean hackers have their hands on cryptocurrency or digital wallets, the money laundering often follows a similar pattern, as cryptocurrency tracing firm Elliptic outlined in a blog post breaking down the Bybit hack. To avoid having cryptocurrency wallets frozen, they quickly swap stolen tokens—which are often issued by centralized entities and can have restrictions placed upon them—for more mainstream cryptocurrency assets like ether and bitcoin that are harder to limit.

“The second step of the laundering process is to ‘layer’ the stolen funds in order to attempt to conceal the transaction trail,” Elliptic writes. This means splitting the funds into smaller amounts and sending them to multiple wallets. With Bybit, Elliptic writes, money was sent to 50 different wallets that were then emptied in the coming days. This cryptocurrency is then moved through various cryptocurrency exchanges, converted into bitcoin, and passed through crypto mixers that aim to obscure crypto transactions.

“North Korea is the most sophisticated and well-resourced launderer of crypto assets in existence, continually adapting its techniques to evade identification and seizure of stolen assets,” Elliptic says in its blog post.

In addition to cryptocurrency heists, TraderTraitor has been linked to hacks at software supply chain companies, most prominently JumpCloud in June 2023. Compromising software used by multiple companies may provide the hackers a stealthier way into their intended targets. “That could impact any tech industry, any organization that uses that software,” says Andy Piazza, senior director for threat research at Unit 42.

As TraderTraitor has increasingly garnered attention over the past couple of years, Piazza says he has seen the group improve their operations and attempt to evade detection. For example, Unit 42’s recent research noted that TraderTraitor had been using malware the researchers called RN Loader that installs an information stealer and then deletes itself, making it harder to detect.

“You can definitely tell that they’re stepping up,” Piazza says.

Piazza says that unlike haphazard Russian hacking groups—which were both in the networks of the DNC simultaneously around 2016—there appears to be more organization with the North Korean groups. “It seems more coordinated that they're not bumping into each other out in the battle space,” Piazza says. “They’re really showing that they have the capability to be focused on that OPSEC, to be focused on that persistence capability.”

North Korea’s hacking operations may be even more complex than many realize. According to Piazza and other experts WIRED spoke to, the crypto hackers and the undercover IT workers may even coordinate. Their tactics show some “overlap,” Piazza says.

“If you right now went out onto some type of freelance website and said that you are a brand-new crypto startup and you’re looking for developers before the day is out, you would have North Koreans in your inbox,” Barnhart, the DTEX Systems researcher, says. He says some North Korean hackers can bounce between the country’s different groups, and there’s the possibility that they could also work with or alongside its IT workers. There may be more overlap than people thought, Barnhart says.

“Whenever we attribute this \[hacking\] back to TraderTraitor, was nobody else involved? Did somebody else have a hand in there?”

TraderTraitor: The Kings of the Crypto Heist

Russian APT group Storm-2372 employs device code phishing to bypass Multi-Factor Authentication (MFA). Targets include government, technology, finance,…

**Russian APT group Storm-2372 employs device code phishing to bypass Multi-Factor Authentication (MFA). Targets include government, technology, finance, defense, healthcare.**

Cybersecurity researchers at SOCRadar have discovered a new attack tactic used by the notorious Russian state-backed advanced persistent threat (APT), Storm-2372. According to SOCRadar’s research, shared with Hackread.com, Storm-2372 can now break into online accounts of major organizations without trying to guess passwords.

This is achieved through a method called “device code phishing,” which helps them get around even strong security measures like Multi-Factor Authentication (MFA).

Device Code Phishing takes advantage of the way some devices, like smart TVs, connect to online services. Usually, these devices give you a special code that you type into a website on your computer or phone to log in (OAuth device authorization flow). Hackers are using this same process to fool people into giving them access to their work accounts.

****Here’s how it works****

The hackers send fake messages, often through email or text, telling people they need to use a device code to log in. These messages direct them to real-looking login pages, like the ones from Microsoft. The victims then unknowingly type in a code that the hackers have created. Once the person enters the code, the hackers can get into their account without needing a password or triggering the usual security checks. This makes it much harder to spot the attack as the victims don’t realize they have been compromised until it is too late.

Device Code Phishing Attack Sequence (Source: SOCRadar)

Previously, the method OG Device Code Phishing was used by hackers to create a device code using special tools and sent it via message. However, these codes only lasted about 15 minutes, making it difficult for hackers to log in if the person didn’t see the message.

Storm-2372 employs the more advanced Dynamic Device Code Phishing technique, previously documented by Black Hills in 2023, to create fake websites resembling real login pages using services like Azure Web Apps. When a user visits these fake sites, they generate a new device code, allowing hackers to log in. They sometimes use CORS-Anywhere to display the code correctly in the user’s browser. When the user enters the fake code, they receive access tokens and refresh tokens, allowing hackers to access Microsoft email for up to three months.

Storm-2372 is, reportedly, targeting organizations that hold valuable information and make important decisions. This includes government agencies, technology companies, banks, defence contractors, healthcare providers, and media companies. They’ve been seen attacking organizations in countries like the United States, Ukraine, the United Kingdom, Germany, Canada, and Australia.

This new trick shows that these hackers are getting better at fooling people to get past even good security systems, and companies need to find smarter ways to protect themselves from such sneaky attacks.

“The campaign underlines the critical need for modern organizations to embrace adaptive, context-aware defense mechanisms to counter identity-based threats that are increasingly evading conventional protections,” researchers concluded.

Russia’s Storm-2372 Hits Orgs with MFA Bypass via Device Code Phishing

As organizations increasingly rely on SaaS applications to run their operations, securing them has become a necessity. Without…

As organizations increasingly rely on SaaS applications to run their operations, securing them has become a necessity. Without strong protection, sensitive data, user access, and cloud infrastructure are left vulnerable to breaches. SaaS security is not a single-layer fix; it demands multiple approaches to address cybersecurity threats across identity, data, and applications.

****Key Components of a Secure SaaS Architecture****

Creating a secure SaaS architecture involves prioritizing the most important security factors. Each factor serves to mitigate certain threats that may endanger your application or customer information.

****Identity and Access Management (IAM)****

A strong IAM solution enforces secure access using multi-factor authentication (MFA), single sign-on (SSO), and user provisioning to minimize identity-based threats. Integrate identity providers like Azure AD, Okta, or Google Workspace to gain centralized control over user authentication and authorization.

****Data Protection****

Encrypt sensitive data, implement data loss prevention (DLP) policies, and control data sharing to prevent leaks or breaches. Implement encryption at rest and in transit to protect data at multiple levels.

****Secure Development Practices****

Adopt secure coding principles, perform code reviews, and implement automated security scanning tools to identify vulnerabilities in the initial phases of the development life cycle. Use tools like SonarQube, Snyk, or Checkmarx to scan code and identify vulnerabilities.

****Network Security****

You must implement firewalls, Virtual Private Clouds (VPCs), and network segmentation so that sensitive workloads are placed within secure boundaries. It will also minimize the attack surface. Implement IP whitelisting, VPN access, and network-level monitoring to secure data flow.

****Incident Response Plan****

Establish a good incident response plan that provides detection, containment, and recovery procedures in the case of security incidents. Regular practice drills are necessary to educate your staff to respond to an incident properly.

Bridging these building blocks contributes to developing a good foundation for your SaaS architecture.

****Essential SaaS Security Practices****

Effective SaaS security requires a layered approach. These essential strategies help protect your SaaS applications from unauthorized access, misconfigurations, and third-party vulnerabilities:

1.  **Data Encryption**: You must encrypt data at rest and in transit to prevent unauthorized access. Ensure encryption keys are managed securely to prevent compromise.
2.  **Access Controls**: Use role-based access controls (RBAC) and implement the principle of least privilege. It is necessary to regularly review and audit permissions to minimize over-privileged accounts.
3.  **Secure Configuration**: Regularly review and harden cloud configurations to minimize exposure. Tools like AWS Config, Azure Security Center, and GCP Security Command Center help maintain consistent security configurations.
4.  **Monitoring and Logging**: Enable detailed logs and use tools to detect suspicious behavior. Solutions like AWS CloudTrail, Azure Monitor, and Google Cloud Operations provide insights for incident response.
5.  **Third-Party Risk Management**: Assess the security posture of third-party integrations. Regularly conduct vendor assessments to evaluate risks posed by external services.

Combining these strategies ensures a stronger security posture for your SaaS applications.

****Implementing Identity First Security for Stronger Access Control****

Identity-first security shifts the security focus from the network perimeter to individual user identities. This approach strengthens access control by ensuring that identity is the core factor in securing resources.

****1\. Centralized Identity Management****

You must use centralized identity providers (IdPs) like Azure AD, Okta, or Google Workspace to simplify user management and ensure consistent security policies. Centralized identity management reduces identity sprawl and makes it easier to enforce MFA, password policies, and session control.

****2\. Multi-Factor Authentication (MFA)****

MFA across critical applications is important so you can prevent unauthorized access even if credentials are compromised. Enable adaptive MFA to assess risk signals, such as user behavior or device location, before prompting additional verification.

****3\. Role-Based Access Control (RBAC)****

Implement RBAC to ensure users only have access to resources relevant to their roles, reducing excessive permissions. Continuously review and audit roles to prevent privilege creep.

****4\. Just-in-Time (JIT) Access****

Grant temporary elevated access only when required, minimizing the risk of long-term privileged accounts. This reduces the risk of attackers exploiting excessive or dormant privileges.

By focusing on identity as the foundation for security, organizations can better control access and reduce exposure to breaches.

****Building Secure SaaS Workflows****

Implementing secure workflows helps reduce the risk of human errors and potential security gaps. Structured workflows ensure consistent handling of data, identity, and application behavior.

*   **Secure Onboarding and Offboarding**: Create well-defined onboarding and offboarding processes to manage user access efficiently. Automated provisioning and deprovisioning tools help ensure that no orphaned accounts remain active. Integrate these processes with your IAM provider to streamline access management.

*   **Secure API Management**: Ensure all SaaS APIs are authenticated, encrypted, and properly documented. Implement API gateways and limit exposure to only essential endpoints. Use OAuth 2.0, OpenID Connect, and API rate limiting to enhance API security.

*   **Data Backup and Recovery**: Establish backup routines with strict data recovery objectives. Regularly test recovery processes to minimize downtime in case of an incident. Adopt services like AWS Backup, Azure Backup, or Google Cloud Backup for automated backup management.

By following these practices, organizations can maintain secure and efficient workflows.

****Why Identity Security is the Backbone of Modern Cybersecurity****

Identity security plays an important role in protecting cloud applications, services, and data. Since compromised identities are often the starting point for cyberattacks, securing identities is key to preventing major security incidents.

****Preventing Credential-Based Attacks****

Attackers frequently exploit weak passwords or stolen credentials. Strong identity security with MFA, password policies, and behavior-based monitoring can reduce this risk. Use tools like Microsoft Defender for Identity, Google Cloud Identity Protection, or Okta ThreatInsight to detect suspicious identity-related behavior.

****Enabling Zero Trust Architecture****

Identity security aligns with Zero Trust principles, ensuring that no user or device is trusted by default. Every access request is verified based on identity, device health, and location before access is granted.

****Enhancing User Accountability****

With proper identity tracking and auditing, organizations can monitor user actions and quickly detect suspicious behavior. Solutions like AWS CloudTrail, Azure AD Logs, and Google Cloud Audit Logs provide visibility into identity-related events.

****Improving Compliance****

Identity security helps meet compliance standards by enforcing access controls, maintaining audit trails, and ensuring data protection. Frameworks such as ISO 27001, SOC 2, and HIPAA emphasize strong identity security as part of compliance best practices.

Organizations can build a resilient defense against evolving cyber threats by prioritising identity security.

****Conclusion****

SaaS security is not a one-time effort but a continuous strategy combining proactive threat defense, identity-centric access control, and scalable automation. By implementing strong data encryption, enforcing least-privilege access, and managing identities with precision, businesses can significantly reduce their exposure to threats.

Prioritizing identity security lays the groundwork for Zero Trust and helps meet growing compliance demands. Investing in these security measures not only protects your SaaS stack but also builds long-term customer trust and operational resilience as your business scales.

Top/Featured Image by Vicki Hamilton from Pixabay

SaaS Security Essentials: Reducing Risks in Cloud Applications

The US indicated they will sign the Pall Mall Pact, an international treaty to regulate commercial spyware and surveillance tools.

The US State Department reportedly plans to sign an international agreement designed to govern the use of commercial spyware known as the Pall Mall Pact.

The Pall Mall Pact, formally known as the Pall Mall Process, was initiated by France and the United Kingdom in February 2024. The goal of the Pall Mall Pact is to regulate Commercial Cyber Intrusion Capabilities (CCICs), or what we usually refer to as spyware and surveillance tools.

Signed by France, the UK, Japan, and 18 other EU member states, the Code of Practice is a voluntary non-binding agreement establishing “best practices” among governments in relation to the development, facilitation, purchase, transfer, and use of commercial cyber intrusion tools and services.

Primarily, it aims to tackle the misuse of powerful cybertools sold on the open market. These tools, often developed by private companies like the NSO Group and Paragon Solutions, have been exploited by state and non-state actors to surveil journalists, human rights defenders, activists, and even government officials. The misuse of spyware has raised concerns about its impact on democracy, human rights, and national security.

By promoting international collaboration among governments, combined with industry players like Google and Microsoft, civil society organizations, and academics, the pact represents a collective effort to regulate an industry that has operated almost without reins.

The ongoing proliferation of spyware poses existential risks to privacy and civil liberties. Commercial hacking tools have enabled intrusive surveillance practices that undermine fundamental freedom and human rights. For example, spyware can infiltrate smartphones and computers, granting unauthorized access to sensitive data such as messages, emails, and location information.

Initially, countries like the United States opted not to sign the Pall Mall Pact but to pursue similar initiatives independently. However, this fragmentation could dilute global efforts to regulate spyware effectively. Not ideal, since its voluntary nature already raises questions about its effectiveness.

While not legally binding, the Code offers building blocks for the future and builds momentum for further development. It also offers the participating states a framework for further discussion and national implementation into laws.

In an increasingly digital world, privacy is a growing concern. As our recent research showed, a majority of people feel isolated in securing their sensitive information from companies, governments, AI models, and scammers.

Privacy is more than a personal concern. It’s a cornerstone of democracy and human rights. The Pall Mall Pact offers a roadmap for protecting these values against the misuse of powerful surveillance technologies. No one should be subject to arbitrary or unlawful interference with their privacy, as set out in the International Covenant on Civil and Political Rights and other applicable international and regional treaties.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 The Pall Mall Pact and why it matters 

Out-of-bounds read in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.

CVE-2025-29834: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

April Microsoft Patch Tuesday. A total of 153 vulnerabilities, 2 times more than in March. Of these, 32 were added between the March and April MSPTs. Three vulnerabilities show signs of exploitation in the wild: 🔻 EoP – Windows Common Log File System Driver (CVE-2025-29824). An attacker can gain SYSTEM privileges. No technical details yet.🔻 […]

**April Microsoft Patch Tuesday.** A total of 153 vulnerabilities, 2 times more than in March. Of these, 32 were added between the March and April MSPTs. Three vulnerabilities show signs of exploitation in the wild:

🔻 **EoP** – Windows Common Log File System Driver (CVE-2025-29824). An attacker can gain SYSTEM privileges. No technical details yet.  
🔻 **SFB** – Microsoft Edge (CVE-2025-2783). Sandbox escape with an existing PoC exploit.  
🔻 **RCE** – Microsoft Edge (CVE-2025-24201). Originally reported as a WebKit vuln on Apple OSes. 🤷‍♂️

Microsoft also patched vulnerabilities in Kubernetes with known exploits (CVE-2025-1974, CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-24513)

Other notable ones:

🔹 **RCE** – LDAP (CVE-2025-26670, CVE-2025-26663), TCP/IP (CVE-2025-26686), Microsoft Office (CVE-2025-29794, CVE-2025-29793), RDS (CVE-2025-27480, CVE-2025-27482), Hyper-V (CVE-2025-27491)  
🔹 **SFB** – Kerberos (CVE-2025-29809)

🗒 Full Vulristics report

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

April Microsoft Patch Tuesday

ReversingLabs reveals a malicious npm package targeting Atomic and Exodus wallets, silently hijacking crypto transfers via software patching.

**TL;DR – ReversingLabs has identified a malicious npm package, “pdf-to-office,” that targets Atomic and Exodus crypto wallet users by silently patching local software to hijack transactions. The malware swaps recipient wallet addresses and remains persistent even after removal.**

Cybersecurity firm ReversingLabs (RL) has uncovered a new tactic threat actors are employing to target cryptocurrency users. Their latest research, shared with Hackread.com, reveals that cybercriminals are leveraging the **npm** (Node Package Manager) network to inject malicious code into locally installed cryptocurrency wallet software, specifically targeting Atomic Wallet and Exodus.

This attack involves the malicious patching of legitimate software files, allowing attackers to intercept cryptocurrency transfers by silently swapping recipient wallet addresses.

****Fake Package and Malicious Injection****

RL researchers discovered a malicious npm package named “pdf-to-office” that falsely appeared as a utility for converting PDF files to **Microsoft Office documents**. However, upon execution, it deployed a malicious payload to modify key files within Atomic Wallet and Exodus installation directories.

Malicious Package (Source: RevesingLabs)

The malware overwrites legitimate files with trojanised versions, secretly altering the destination address for outgoing cryptocurrency transactions. This allows attackers to remain undetected for an extended period, as the wallet’s core functionality appears unchanged to the user.

ReversingLabs’ automated Spectra Assure platform flagged this package as suspicious because it exhibited behaviours consistent with previous npm-based malware campaigns. An obfuscated Javascript file was also found within the package, revealing malicious intent.

The payload targeted the "atomic/resources/app.asar" archive in **Atomic Wallet**‘s directory and the "src/app/ui/index.js" file in **Exodus**.

“Atomic Wallets weren’t the only target of this malicious package, either. RL also detected a malicious payload that tried to inject a trojanised file inside a legitimate, locally-installed Exodus wallet as well,” wrote ReversingLabs’ Software Threat Researcher Lucija Valentić in a **blog post**.

The attackers targeted specific Atomic Wallet versions (2.91.5 and 2.90.6), indicating sophistication in their targeting. The malicious files were named accordingly, overwriting the correct file regardless of the installed version.

“We also observed what appears to be an effort by the malicious actors to cover their tracks and thwart incident response efforts, or simply to exfiltrate even more information,” the researcher explained.

****Persistence and Impact****

A particularly problematic part of this campaign is its persistence. Research indicates that even if the malicious “pdf-to-office” package is removed from the victim’s system, the compromised cryptocurrency wallet software remains infected.

Moreover, the trojanised files within Atomic Wallet and Exodus continue to operate, silently redirecting funds to the attackers’ Web3 wallet. The only effective way to eliminate the threat is a complete removal and re-installation of the affected wallet software.

The good news is that the official Atomic Wallet and Exodus Wallet installers remain unaffected, but the compromise occurs after the malicious “pdf-to-office” package is installed and executed.

It is worth noting that this campaign is similar to a previous one RL **reported in late March**, which used two malicious npm packages, "ethers-provider2" and "ethers-providerz" to deliver a payload that patched the legitimate “ethers” package to serve a reverse shell.

The cryptocurrency sector is, therefore, facing increasing risks from software supply chain attacks. These attacks are becoming more sophisticated and frequency-driven, requiring increased vigilance from software producers and end-user organizations.

Tag

#microsoft