Risky Bulletin: Sean Plankey withdraws CISA nomination

Sean Plankey withdraws his CISA director nomination, Russians hacked the Bundestag president, Discord users gain unauthorised access to Anthropics mythos, and the US sanctions a Cambodian senator for running cyber scam compounds. This is the Risky Bulletin, prepared by Katalin Kimpanu and read by me, Claire Aird. Today is the 24th of April and this podcast episode is brought to you by Nebulock. In today's top story, Sean Plankey has asked the White House to withdraw his nomination for CISA director. He was first nominated for the role in March last year, but several senators from both parties placed holds on his nomination. He was re-nominated again in January, but that nomination failed to advance. Last month, Plancky retired from the Coast Guard, where he served as senior advisor to then DHS Secretary Kristi Noam. In other news, U.S. Cyber Command carried out more than 8,000 operations last year, a 25% increase from 2024 levels. Testifying at a House Armed Service Committee hearing, Cybercom's new leader, General Josh Rudd, said he expects this year's numbers to be higher. The Trump administration has been vocal about Cyber Command's involvement in recent conflicts in both Iran and Venezuela. Networking equipment installed at the Isfahan nuclear site malfunctioned ahead of US and Israeli missile strikes. Iranian officials reported issues with Cisco, Fortinet, Juniper and Microtik devices. Officials are still investigating the cause of the malfunctions, but noted that the country was disconnected from the global internet at the time of the attacks. Russian cyber spies have compromised the signal account of German Bundestag president, Julia Klackner. According to Der Spiegel, Klackner was part of a signal group that also included the head of the German government, Chancellor Friedrich Merz. His account was not compromised. Earlier this year, Germany's cyber security agency warned that Russian hackers were targeting signal and WhatsApp accounts. A group of Discord users have gained unauthorised access to Anthropik's Mythos. They gained access to the model the same day it was released as a preview to selected organisations. Bloomberg reported the group used valid credentials and guessed Mythos operating endpoints. Anthropik said the intruders did not run malicious prompts and appear to have simply played around. The company is investigating. Russia's telecommunications watchdog has revoked almost 2,000 telco licences. The Roskomnadzor says they failed to provide required registration and operational information Most of the affected operators are small providers Russian lawmakers are seeking to pass tougher regulations to prevent the operators from regaining their licenses Hackers have stolen $2.5 million from Sri Lanka's Ministry of Finance. Officials said the funds were supposed to repay debt to Australia but were diverted during the process. Sri Lanka has requested help from Australian law enforcement to investigate the hack. Hackers have stolen $3.5 million worth of crypto assets from the Volo DeFi platform. They allegedly use an exploit against three very specific vaults. Volo said it will absorb the loss and continue to operate as normal. Hackers have compromised the Kix vulnerability scanner for the second time in a month. The intruders released malicious versions of the Kix Docker image, GitHub Action and VS Code extensions. Cybersecurity firm Checkmarks, which manages the scanner, confirmed the incident on Wednesday. The Kik scanner was also compromised in March with the same method. The Bitwarden CLI package is the first confirmed victim. Researchers have identified two surveillance campaigns that aim to track the locations of high-profile individuals. The first campaign exploited the SS7 protocol, while the second used SMS messages that contained hidden SIM card commands. Citizen Lab says the campaigns were the work of professional surveillance vendors. The attackers abused 4G infrastructure in Israel, the UK and the Channel Islands for the attacks. Meta is installing spyware on US employee systems to capture mouse movements, clicks and keystrokes. The company says the data will be used to train its AI models and will not be used for performance reviews. The data will be used to train models in areas such as clicking on menus and typing into input fields. The company is set to lay off 8,000 workers in May. The US Treasury has sanctioned a Cambodian senator for running a network of cyber scam compounds. Kok An and his family ran compounds out of retrofitted casinos and office parks in the border regions of Cambodia and Thailand. The centres were raided by authorities in both countries late last year. The US also imposed sanctions on 28 individuals and companies linked to Kok, who's been on the run since those raids. The US Department of Justice has also charged two Chinese nationals over their roles in a cryptocurrency investment fraud operation. Jiang Wanjia and Huang Xingshan are accused of running the Shanda Scam compound in Myanmar. Burmese authorities seized the compound in November. The pair were planning to open a second in Cambodia They were both arrested by Thai law enforcement earlier this year on immigration charges The FBI also seized million worth of cryptocurrency tied to money laundering operations a telegram channel used to recruit workers and 503 scam domains French authorities have arrested a 21-year-old hacker who orchestrated a large hacking campaign last year. The man, who used the handle Hexdex, was detained on Monday in the Vendee province in Western France. He is accused of hacking numerous French organisations, including 15 sports federations, a weapons manufacturer, an e-campus platform and a police training platform. 16 cybersecurity agencies have jointly published an advisory on China's use of residential proxy networks. The botnets are made up of home routers, security cameras and other IoT devices, and are used to obscure espionage activity. The advisory specifically warns about IOC extinction, where compromise indicators such as IP addresses are discarded after a few uses, which makes tracking and prevention difficult. A North Korean APT group is using generative AI technology in a campaign targeting developers in the Web3 ecosystem. The group is targeting developers with fake job offers. Developers are infected with malware when they're asked to perform a skills assessment test. The group has stolen up to $12 million in cryptocurrency from private wallets in three months. Security firm Expel tracks the group as hexagonal rodent. A Belarusian threat actor is selling software that powers more than 90 sim farms globally. The group is one of the first major sim farm as a service providers observed in underground circles. Known as ProxySmart, the software uses a web panel to allow operators to control large setups of smartphones or 4 and 5G modem dongles. According to InfraWatch, ProxySmart has been used for sim farms that power proxy botnets, social media bot farms and censorship evasion services. German office suite maker Nextcloud has shut down its bug bounty program following an increase in AI-generated reports. The program was taken offline on Wednesday. Co-founder Josh Portfleet said his staff members were spending up to 30 times longer on reports than before, and most of them were rubbish. Chinese tech giant QiHu360 claims it's developed its own cybersecurity AI model that rivals Anthropix Mythos. The agent reportedly found more than 1,000 vulnerabilities. Some were found in products such as Microsoft Office and OpenClaw. Chihoo 360 says the agent is now a core component of its vulnerability discovery operations. Almost 8 access tokens and secrets have been leaked via web development environments The tokens were found across 22 million public code snippets and projects They were hosted on platforms such as CodePen CodeSandbox and StackBlitz One token belonged to a GitHub employee and allowed write access to the GitHub platform. Dread Actors began exploiting a vulnerability in an AI server platform 12 hours after a patch was made available. Attacks are targeting LM Deploy, a toolkit for compressing and serving LLMs. The vulnerability is a server-side request forgery that allows attackers to access server endpoints without authentication. Apple has punched a bug that allowed notifications from deleted apps to remain in devices' logs. The bug was used by the FBI this year to extract signal messages from a suspect's device, despite the app having been deleted. Copies of the messages were stored in an iPhone database of previous notifications. Security updates have been released for PackageKit, a cross-distro package manager for Linux distributions. The patch fixes a privilege escalation bug that allowed unprivileged users to obtain root access on the underlying OS. The vulnerability has been tested and confirmed on distros such as Ubuntu, Debian, Fedora and Rocky Linux. Canonical is releasing more than 40 security patches for the Ubuntu operating system. The patches are all in the Rust Core Utils library. The library is a Rust rewrite of the GNU Core Utilities, the Linux component that supports basic file shell and text manipulation utilities. The security flaws were found in a security audit last year and more patches are expected later this year. Republican lawmakers have introduced two privacy bills in Congress this week. The two bills are designed to unite regulation under one set of national rules. The Secure Data Act introduces privacy regulations for the tech and IT sector, while the Guard Financial Data Act introduces new rules for banks and financial institutions. Consumer privacy groups have already called the bills a significant backwards step for privacy that's intended to replace stronger state and local laws. And finally, the UK's NCSC Cybersecurity Agency has developed technology that will be sold as a commercial product for the first time. The device, named Silent Glass, sits between monitors and PCs or laptops and blocks malicious data transfers via DisplayPort and HDMI connections. The device will be manufactured by Goldilocks Labs and Sony UK. And that is all for this podcast edition. Today's show was brought to you by our sponsor, Nebulock. Find them at nebulock.io. Thanks for your company.