
Why the web-hosting industry needs a trust seal

By: Greg Otto
16 October 2025 at 06:00

Every day, billions of people place their trust in websites they know little about. Behind each one is a hosting provider, but not all of them play by the same rules. 

Traditionally, privacy policies let web visitors understand how their data would be handled, and TLS certificates (still widely called SSL certificates, after the protocol TLS replaced) signalled that the connection was encrypted. Those safeguards were once sufficient. Today, they are not.

The online threat landscape is evolving at the speed and scale of AI development, and many on the front lines are unprepared. A recent survey of 600 enterprise IT leaders found that just 10% of respondents were very confident in their ability to address AI-enabled attacks targeting their organizations. 

Before AI, cyberattacks were primarily rule-based, scripted, and manually executed. These attacks now deploy everything from deepfake phishing calls to automated vulnerability scanning. AI has enhanced their scale, personalization, and automation, making them easier to adapt and harder to detect. That should alarm us all. 

This isn’t only about evolving to meet technological advancements — it’s also about trust. Consumers and businesses alike must be able to identify which providers meet high standards for transparency, reliability, and accountability. Without that clarity, they are left in the dark, unable to make informed choices about who they rely on to keep their digital lives safe. In an era of relentless cyberattacks, the internet needs a higher standard to safeguard not just websites, but the very trust that keeps the entire system running. 

That’s why the Secure Hosting Alliance (SHA) is introducing the SHA Trust Seal. The seal sets a clear bar for providers by demanding transparency, accountability, and resilience. Certified hosts commit to offering fair and understandable terms of service, with no hidden surprises. They act quickly and responsibly when their infrastructure is misused, maintain reliable and resilient services through proactive monitoring and recovery planning, and handle government requests with documented, lawful processes that respect privacy and due process. Most importantly, they commit to ongoing accountability. 

In recent years, transparency has become a cornerstone of the larger cybersecurity community, with companies expected to back up their claims through independent audits, public disclosures, and measurable outcomes. Trust seals are already standard in industries like e-commerce, finance, and health care, where sensitive information is exchanged and verified authentication is essential. Given that the web-hosting industry is part of the internet’s critical infrastructure, it too deserves a clear symbol of trust. The SHA Trust Seal delivers exactly that, translating providers’ promises from words on a website into commitments that can be verified against clear, rigorous standards.

The Trust Seal also reflects a larger shift in how the industry tackles problems. Instead of every company responding in isolation, SHA works with partners such as the Malware and Mobile Anti-Abuse Working Group (M3AAWG) and the Anti-Phishing Working Group (APWG) to build common approaches for preventing cybercrime, improving incident response, and reducing misuse of hosting resources. By creating consistent expectations across providers, the seal helps establish a baseline for what responsible stewardship of the internet should look like.

The stakes are high. From ransomware to supply chain breaches, hackers increasingly target the companies behind the websites we use every day. Earlier this year, Cloudflare blocked a record-breaking distributed denial-of-service (DDoS) attack of 7.3 terabits per second — the largest in history. Attacks like this strike at the very infrastructure of the internet, yet most consumers remain unaware of how fragile that foundation can be. 

This lack of visibility is exactly why a trust seal is needed. The SHA Trust Seal is more than just a badge — it’s a promise. It gives responsible providers a way to make their commitments visible, reassuring customers, elevating industry standards, and strengthening the foundation of a safer internet. By embracing a trust seal, the web hosting industry can transform security from a hidden feature into a visible standard.

Christian Dawson is the co-founder of the Internet Infrastructure Coalition (i2Coalition) and the Coalition on Digital Impact (CODI).

The post Why the web-hosting industry needs a trust seal appeared first on CyberScoop.

F5 discloses breach tied to nation-state threat actor

By: Greg Otto
15 October 2025 at 10:36

F5, a company that specializes in application security and delivery technology, disclosed Wednesday that it had been the target of what it’s calling a “highly sophisticated” cyberattack, which it attributes to a nation-state actor. The announcement follows authorization from the U.S. Department of Justice, which allowed F5 to delay public disclosure of the breach under Item 1.05(c) of Form 8-K due to ongoing law enforcement considerations.

According to an 8-K form filed with the Securities and Exchange Commission, the company first became aware of unauthorized access Aug. 9 and initiated standard incident response measures, including enlisting external cybersecurity consultants. In September, the Department of Justice permitted F5 to withhold public disclosure of the breach, a delay the rule allows when the Attorney General determines that disclosure would pose “a substantial risk to national security or public safety.”

Investigators discovered that the threat actor maintained prolonged access to parts of F5’s infrastructure. Systems affected included the BIG-IP product development environment and the company’s engineering knowledge management platform. The unauthorized access resulted in the exfiltration of files, some of which contained segments of BIG-IP source code and details of vulnerabilities that the company was actively addressing at the time.

F5 reported that independent reviews by incident response firms found no evidence the attacker had modified the software supply chain, including source code or build and release pipelines. The company stated that it is not aware of any undisclosed critical or remote code execution vulnerabilities, nor any current exploitation linked to the breach. The company also stated that containment actions were implemented promptly and have so far been effective, with no evidence of new unauthorized activity since those efforts began.

According to the SEC form, no evidence was found of access to the company’s customer relationship management, financial, support case management, or iHealth systems. However, the company said a portion of the exfiltrated files included configuration or implementation details affecting a small percentage of customers. F5 is continuing to review these materials and is contacting customers as needed.

Investigative findings further indicated that the NGINX product development environment, as well as F5 Distributed Cloud Services and Silverline systems, remained unaffected.

The United Kingdom’s National Cyber Security Centre said in a notice there is currently no indication customer networks have been impacted as a result of F5’s compromised network.

F5 has continued to work alongside federal law enforcement throughout its response and is implementing additional measures to strengthen its network defenses. Company officials reported that the breach has not had a material effect on its daily operations as of the disclosure date. Ongoing assessments are being conducted to determine if there may be any impact on the company’s financial position or results.

F5, based in Seattle, is a major player in the application security and delivery market, serving thousands of enterprise customers worldwide, including much of the Fortune 500. The company’s primary offerings include its BIG-IP line of hardware and software products, which provide network traffic management, application security, and access control, as well as its NGINX and F5 Distributed Cloud Services platforms. F5’s technologies are used extensively by businesses, government agencies, and service providers around the world. 

Fixes rolled out

F5 released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ and the APM client software, and advised customers to install them as soon as possible.

The company also published hardening guidance for its products and added checks to its diagnostic tool to help customers identify security gaps and prioritize remediation.

F5 also encouraged customers to watch for unauthorized login attempts and configuration changes by forwarding device logs to their security information and event management (SIEM) tools.
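What that monitoring looks like once the logs reach a SIEM is not spelled out above, so here is an added example (not F5's code) that implements the two detections F5 recommends over BIG-IP-style syslog: a burst of failed logins followed by a success from the same source, logins from outside an assumed management network, and tmsh configuration changes that touch authentication or are made by a session that was itself suspicious. The log lines are constructed to resemble the sshd entries in /var/log/secure and the tmsh AUDIT entries in /var/log/audit on a BIG-IP; the exact field layout on a real device may differ, and the management networks, thresholds and the list of sensitive tmsh commands are assumptions to tune for your own environment.

```python
"""Flag suspicious logins and configuration changes in BIG-IP-style syslog.

Added example, not F5's code. Sample lines are constructed to resemble
/var/log/secure (sshd) and /var/log/audit (tmsh AUDIT) on a BIG-IP.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: only these networks may reach the management plane.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# tmsh commands that change who can log in, from where, or with what rights.
SENSITIVE_CMD = re.compile(
    r"\b(auth user|auth remote-role|auth remote-user|auth source|sys sshd|sys httpd|"
    r"sys management-ip|partition-access|shell bash)\b"
)
SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ tmsh\[\d+\]: \S+ AUDIT - pid=\d+ "
    r"user=(?P<user>\S+) .*?status=\[(?P<status>[^\]]*)\] cmd_data=(?P<cmd>.*)$"
)

# Constructed sample: a password-guessing burst from outside the management
# network, a successful login, then two account changes by that session,
# followed by routine work from an operator on the management network.
SAMPLE_LOG = """\
Oct 16 09:58:02 bigip1 warning sshd[2233]: Failed password for admin from 203.0.113.9 port 51234 ssh2
Oct 16 09:58:05 bigip1 warning sshd[2233]: Failed password for admin from 203.0.113.9 port 51236 ssh2
Oct 16 09:58:07 bigip1 warning sshd[2233]: Failed password for root from 203.0.113.9 port 51238 ssh2
Oct 16 09:58:09 bigip1 warning sshd[2233]: Failed password for admin from 203.0.113.9 port 51240 ssh2
Oct 16 09:58:12 bigip1 warning sshd[2233]: Failed password for admin from 203.0.113.9 port 51242 ssh2
Oct 16 09:58:20 bigip1 notice sshd[2240]: Accepted password for admin from 203.0.113.9 port 51244 ssh2
Oct 16 09:59:01 bigip1 notice tmsh[3010]: 01420002:5: AUDIT - pid=3010 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify auth user admin password ...
Oct 16 09:59:30 bigip1 notice tmsh[3011]: 01420002:5: AUDIT - pid=3011 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=create auth user svc-backup partition-access add { all-partitions { role admin } } shell bash
Oct 16 14:10:00 bigip1 notice sshd[4100]: Accepted publickey for netops from 10.0.5.7 port 40000 ssh2
Oct 16 14:12:44 bigip1 notice tmsh[4120]: 01420002:5: AUDIT - pid=4120 user=netops folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify ltm pool web_pool members add { 10.0.9.21:443 }
"""


def parse_ts(raw, year=2025):
    """Syslog timestamps carry no year; assume one so that deltas can be computed."""
    return datetime.strptime(raw, "%b %d %H:%M:%S").replace(year=year)


def parse_events(text):
    """Turn raw lines into login/config events; lines of other kinds are ignored."""
    events = []
    for line in text.splitlines():
        if m := SSH_RE.match(line):
            events.append({"kind": "login", "ts": parse_ts(m["ts"]), "user": m["user"],
                           "src": m["src"], "ok": m["result"] == "Accepted"})
        elif m := AUDIT_RE.match(line):
            events.append({"kind": "config", "ts": parse_ts(m["ts"]), "user": m["user"],
                           "status": m["status"], "cmd": m["cmd"].strip()})
    return events


def in_mgmt_net(src):
    try:
        return any(ipaddress.ip_address(src) in net for net in MGMT_NETS)
    except ValueError:  # hostnames or garbage: treat as untrusted
        return False


def detect(text, fail_threshold=4, window=timedelta(seconds=60), session_ttl=timedelta(hours=1)):
    """Return (severity, rule, detail) findings in log order."""
    findings = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failed logins
    suspect = {}                  # user -> time of a login that was itself suspicious
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        if ev["kind"] == "login":
            src, ts, user = ev["src"], ev["ts"], ev["user"]
            if not ev["ok"]:
                failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
                if len(failures[src]) == fail_threshold:
                    findings.append(("medium", "ssh_brute_force",
                                     f"{src}: {fail_threshold} failed logins within {window.seconds}s"))
                continue
            if failures[src] and ts - failures[src][-1] <= window:
                findings.append(("high", "success_after_failures",
                                 f"{user} accepted from {src} after {len(failures[src])} failures"))
                suspect[user] = ts
            if not in_mgmt_net(src):
                findings.append(("medium", "login_outside_mgmt_net", f"{user} from {src}"))
                suspect[user] = ts
        elif ev["status"] == "Command OK":  # only commands that actually took effect
            if SENSITIVE_CMD.search(ev["cmd"]):
                findings.append(("high", "sensitive_config_change", f"{ev['user']}: {ev['cmd']}"))
            started = suspect.get(ev["user"])
            if started is not None and ev["ts"] - started <= session_ttl:
                findings.append(("high", "change_from_suspect_session", f"{ev['user']}: {ev['cmd']}"))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in detect(SAMPLE_LOG):
        print(f"[{severity}] {rule}: {detail}")
```

Run against the sample, the burst from 203.0.113.9 is reported once (at the fourth failure, not on every subsequent one), the successful login that follows it and the two `auth user` changes made minutes later are all rated high, while the operator's pool change from the management network produces nothing. The same rules translate directly into SIEM correlation searches; the point of the session tracking is that a configuration change is far more interesting when tied to a login that already looked wrong.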

The vendor said it bolstered its internal security in the wake of the breach by rotating credentials and improving its network security architecture and access controls across its systems. F5 also added tools to better monitor, detect and respond to threats, and said it strengthened security controls in its product development environment. 

The company brought in multiple firms to assist in its response and recovery efforts, including NCC Group, IOActive and CrowdStrike. F5 said it’s working with CrowdStrike to make endpoint detection and response sensors and threat hunting available to its customers. 

NCC Group and IOActive both attested that they have not identified any critical-severity vulnerabilities in F5’s source code nor did they find evidence of exploited defects in the company’s critical software, products or development environment. NCC Group added that it has not found any suspicious threat activity such as malicious code injection, malware or backdoors in F5 source code during its review thus far.

“Your trust matters. We know it is earned every day, especially when things go wrong,” the company said in a blog post. “We truly regret that this incident occurred and the risk it may create for you. We are committed to learning from this incident and sharing those lessons with the broader security community.”

Matt Kapko contributed to this story.

The post F5 discloses breach tied to nation-state threat actor appeared first on CyberScoop.

Swalwell seeks answers from CISA on workforce cuts

By: Greg Otto
14 October 2025 at 17:20

Rep. Eric Swalwell, D-Calif., sent a letter Tuesday to acting CISA Director Madhu Gottumukkala raising concerns about staffing levels and the direction of the nation’s primary cybersecurity agency, writing that the “Trump Administration has undertaken multiple efforts to decimate CISA’s workforce, undermining our nation’s cybersecurity.”

Swalwell, the ranking member on the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, called out the agency for its reported shift of cybersecurity personnel to the Department of Homeland Security’s deportation efforts, on top of the approximately 760 people who have been let go from the agency since January. 

“Amid reports that the Department of Homeland Security is now forcibly transferring CISA’s cybersecurity employees to other DHS components, it has become apparent that the Department’s exclusive focus on its mass deportation campaign is coming at the expense of our national security,” Swalwell writes. “As further evidence of the Administration’s failure to prioritize cybersecurity, CISA is now engaging in Reductions in Force (RIFs) that threaten CISA’s capacity to prevent and respond to cybersecurity threats. I demand you immediately cease all efforts to cut CISA’s workforce, reinstate employees who were transferred or dismissed, and provide details on the impacts of the agency’s workforce reductions.”

The letter is not the first time Swalwell has asked for information about CISA’s workforce. In April, he asked the agency to brief the subcommittee on its workforce plans. He wrote in Tuesday’s letter he had not heard back from CISA. 

Further in the letter, Swalwell says shifting CISA personnel to deportation efforts takes away from the agency’s core mission at a time of “unprecedented cybersecurity threats,” pointing to the emergency directive issued last month about an ongoing and widespread attack spree affecting Cisco firewalls. He also questions CISA’s ability to leverage third-party expertise, given the agency’s September termination of its agreement with the Multi-State Information Sharing and Analysis Center — a partnership previously underpinned by $27 million in federal funding for fiscal year 2025. 

“In order to combat these threats, CISA needs to have sufficient personnel to carry out its mission, particularly at a time when canceled contracts and cooperative agreements have left CISA without critical third-party support,” Swalwell writes. 

You can read the full letter below. 

A CISA spokesperson sent CyberScoop the following statement:

“During the Biden Administration, Rep. Swalwell had no issue with CISA performing duties outside of its statutory authority – including censorship, branding, and electioneering. Under the leadership of President Trump and Secretary Noem, CISA focused squarely on executing its statutory mission: serving as the national coordinator for securing and protecting U.S. critical infrastructure. CISA is delivering timely, actionable cyber threat intelligence, supporting federal, state, and local partners, and defending against both nation-state and criminal cyber threats.”

Update: October 18, 2025, 4:00 pm: This article has been updated with comment from CISA.

The post Swalwell seeks answers from CISA on workforce cuts appeared first on CyberScoop.

LevelBlue to acquire Cybereason in latest cybersecurity industry consolidation

By: Greg Otto
14 October 2025 at 11:54

LevelBlue announced Tuesday it has signed a definitive agreement to acquire Cybereason, a Boston-based cybersecurity firm specializing in extended detection and response platforms and digital forensics. 

Dallas-based LevelBlue, a managed security services provider formerly known as AT&T Cybersecurity, will fold Cybereason’s extended detection and response (XDR) platform, threat intelligence team, and digital forensics and incident response (DFIR) capabilities into its managed detection and response (MDR) offerings.

“The addition of Cybereason is a strategic leap forward in our mission to become the most complete cybersecurity partner for our clients and strategic partners,” Bob McCullen, CEO and chairman of LevelBlue, said in a release. “By combining Cybereason’s world-class XDR and DFIR capabilities with our AI-powered MDR and incident response, we can deliver unified protection that’s proactive, scalable, and purpose-built for today’s fast-evolving threats.”

The acquisition follows a trend of industry consolidation, as cybersecurity companies aim to offer a variety of products and services under a single brand. Cybereason merged with managed service provider Trustwave earlier this year.

For Cybereason, the acquisition bookends a turbulent seven-year period that saw the company swing from near-IPO status to dramatic valuation declines and multiple restructurings. Founded in 2012 by former members of the Israel Defense Forces signals intelligence unit, the company competes with firms like CrowdStrike and SentinelOne in providing endpoint detection services and threat intelligence capabilities.

Cybereason appeared to reach its apex in 2021, when it raised $325 million in a funding round led by Liberty Strategic Capital. That round valued the company at approximately $3.1 billion, and Cybereason confidentially filed for an initial public offering with an expected valuation of $5 billion. At its peak, the company employed roughly 1,500 workers and had raised $850 million in total funding, with Japanese multinational investment holding company SoftBank as its primary investor.

However, the economic downturn of 2022 fundamentally altered the company’s trajectory. The shifting market conditions, combined with pressure from SoftBank following its significant losses on its investment in WeWork, forced Cybereason to acknowledge it had over-hired at unsustainable wage levels. The company conducted two major rounds of layoffs, cutting more than 300 employees. In early 2022, Cybereason eliminated approximately 10% of its workforce, citing what it called a “seismic shift” in private and public markets. The IPO was eventually scrapped.

As part of Tuesday’s announced transaction, SoftBank Corp. and Liberty Strategic Capital will become investors in LevelBlue. Additionally, Steven Mnuchin, former U.S. Treasury secretary and managing partner of Liberty Strategic Capital, will join LevelBlue’s board of directors. 

The post LevelBlue to acquire Cybereason in latest cybersecurity industry consolidation appeared first on CyberScoop.

Red, blue, and now AI: Rethinking cybersecurity training for the 2026 threat landscape

By: Greg Otto
14 October 2025 at 05:00

Cybersecurity today is defined by complexity. Threats evolve in real time, driven by AI-generated malware, autonomous reconnaissance, and adversaries capable of pivoting faster than ever. 

In a recent survey by Darktrace of more than 1,500 cybersecurity professionals worldwide, nearly 74% said AI-powered threats are a major challenge for their organization, and 90% expect these threats to have a significant impact over the next one to two years. 

Meanwhile, many organizations are still operating with defensive models that were built for a more static world. These outdated training environments are ad hoc, compliance-driven, and poorly suited for the ever-changing nature of today’s security risks.

What’s needed now within organizations and cybersecurity teams is a transformation from occasional simulations to a daily threat-informed practice. This means changing from fragmented roles to cross-functional synergy and from a reactive defense to operational resilience. 

At the heart of that transformation lies Continuous Threat Exposure Management (CTEM), a discipline — not a tool or a project — that enables organizations to evolve in step with the threats they face.

Why traditional models no longer work

Legacy training models that include annual penetration tests, semi-annual tabletop exercises, and isolated red vs. blue events are no longer sufficient. They offer limited visibility, simulate too narrow a scope of attack behavior, and often check a compliance box without building lasting and strategic capabilities.

Even worse, they assume adversaries are predictable and unchanging. But as we know, AI-generated malware and autonomous reconnaissance have raised the bar. Threat actors are now faster, more creative, and harder to detect. 

Today’s attackers are capable of developing evasive malware and launching attacks that shift in real time. To meet this evolving threat environment, organizations must shift their mindset before they can shift their tactics. 

Embedding CTEM into daily practice

CTEM offers a fundamentally different approach. It calls for operationalized resilience, where teams systematically test, refine, and continually evolve their defensive posture daily. 

This is not done through broad-stroke simulations, but through atomic, context-aware exercises targeting individual techniques relevant to the organization’s specific threat landscape, taken one sub-technique at a time: teams work one scenario, then iterate, refine, and move to the next. 

This level of precision ensures organizations are training for the threats that actually matter — attacks that target their sector, their infrastructure, and their business logic. It also creates a steady rhythm of learning that helps build enduring security reflexes.

Real-time breach simulations: training under pressure

What separates CTEM from traditional testing is not just frequency, but authenticity. Real-time breach simulations aren’t hypothetical. These simulations are designed to replicate real adversarial behavior, intensity, and tactics. If they are done right, they mirror the sneakiness and ferocity of live attacks.

We should keep in mind that authenticity doesn’t just come from tools but also from the people designing the simulations. You can only replicate real-world threats if your SOC teams are keeping current with today’s threat landscape. Without that, simulations risk becoming just another theoretical exercise. 

These complex scenarios don’t just test defenses; they reveal how teams collaborate under pressure, how fast they detect threats, and whether their response protocols are aligned with actual threat behavior.

Analytics as a feedback loop

What happens after a simulation is just as important as the exercise itself. The post-simulation analytics loop offers critical insights into what worked, what didn’t, and where systemic weaknesses lie. 

Granular reporting is essential, as it allows organizations to identify issues with skills, processes, or coordination. By learning the specifics and gaining meaningful metrics — including latency in detection, success of containment, and coverage gaps — they can turn simulations into actionable intelligence. 

Over time, recurring exercises using similar tradecraft help measure progress with precision and determine if improvements are taking hold or if additional refinements are needed.
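The metrics named above (detection latency, containment success, coverage gaps) and the run-over-run comparison are easy to compute once each atomic exercise is recorded as a trial. The following is an added example, not Hack The Box's code: the trial records are constructed, the technique labels are MITRE ATT&CK sub-technique IDs used only as identifiers, and the scope list, run names and timings are assumptions. It records two iterations of the same four exercises plus one technique that was never exercised, and shows why per-technique tracking has to sit beside the headline numbers.

```python
"""Post-simulation analytics for atomic, per-technique exercises.

Added example, not Hack The Box's code. Trials are constructed; technique
IDs are MITRE ATT&CK sub-technique identifiers used only as labels.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Trial:
    run: str                       # exercise iteration, e.g. an ISO week
    technique: str                 # ATT&CK (sub-)technique exercised
    executed: datetime             # when the red team fired it
    detected: Optional[datetime]   # first matching alert, None if missed
    contained: Optional[datetime]  # when the blue team blocked or isolated it, None if never


def _trial(run, technique, executed, detected=None, contained=None):
    """Build a Trial from 'HH:MM' clock strings on one constructed exercise day."""
    def at(hhmm):
        return None if hhmm is None else datetime(2025, 10, 6, int(hhmm[:2]), int(hhmm[3:]))
    return Trial(run, technique, at(executed), at(detected), at(contained))


# Assumed scope: techniques the threat-informed plan says must be covered.
SCOPE = ["T1059.001", "T1003.001", "T1021.002", "T1053.005", "T1566.001"]

SAMPLE_TRIALS = [
    _trial("2025-W40", "T1059.001", "10:00", "10:04", "10:30"),
    _trial("2025-W40", "T1003.001", "10:15"),                   # missed entirely
    _trial("2025-W40", "T1021.002", "10:40", "11:20"),          # detected late, never contained
    _trial("2025-W40", "T1053.005", "11:00", "11:02", "11:10"),
    _trial("2025-W42", "T1059.001", "10:00", "10:02", "10:12"),
    _trial("2025-W42", "T1003.001", "10:15", "10:25"),          # now detected, but slowly
    _trial("2025-W42", "T1021.002", "10:40", "11:05", "11:30"),
    _trial("2025-W42", "T1053.005", "11:00", "11:01", "11:05"),
]


def _minutes(start, end):
    return (end - start).total_seconds() / 60


def summarize(trials, run):
    """Headline metrics for one run: detection/containment rates and median latencies."""
    rows = [t for t in trials if t.run == run]
    det = [_minutes(t.executed, t.detected) for t in rows if t.detected is not None]
    con = [_minutes(t.executed, t.contained) for t in rows if t.contained is not None]
    return {
        "run": run,
        "techniques": len(rows),
        "detection_rate": len(det) / len(rows),
        "median_detect_minutes": median(det) if det else None,
        "containment_rate": len(con) / len(rows),
        "median_contain_minutes": median(con) if con else None,
    }


def latency_by_technique(trials, run):
    """Detection latency in minutes per technique; None marks a miss."""
    return {t.technique: (_minutes(t.executed, t.detected) if t.detected is not None else None)
            for t in trials if t.run == run}


def coverage_gaps(trials, scope, run):
    """Techniques in scope that were missed, or never exercised, in this run."""
    seen = latency_by_technique(trials, run)
    return {
        "missed": sorted(tech for tech, lat in seen.items() if lat is None),
        "not_exercised": sorted(tech for tech in scope if tech not in seen),
    }


def progress(trials, earlier, later):
    """(before, after) detection latency per technique across two runs."""
    before = latency_by_technique(trials, earlier)
    after = latency_by_technique(trials, later)
    return {tech: (before.get(tech), after.get(tech)) for tech in sorted(set(before) | set(after))}


if __name__ == "__main__":
    for run in ("2025-W40", "2025-W42"):
        print(summarize(SAMPLE_TRIALS, run))
        print(coverage_gaps(SAMPLE_TRIALS, SCOPE, run))
    print(progress(SAMPLE_TRIALS, "2025-W40", "2025-W42"))
```

On this data the median detection latency gets worse between the two runs (4 minutes to 6) even though every individual technique was detected faster and one that was previously missed is now caught: the aggregate moves because a slow detection replaced a miss. `progress()` shows the real picture, and `coverage_gaps()` keeps the never-exercised technique visible so that the plan, not just the scoreboard, is what gets refined next.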

A blueprint for CISOs: building resilient, cross-functional teams

For CISOs and security leaders, adopting CTEM is not just about adding more tools — it’s about implementing culture, structure, and strategy. 

This is a blueprint for embedding CTEM into an organization’s security protocols:

  • Integrate tactical threat intelligence. Training must be based on real-world intelligence. Scenarios disconnected from the current threat landscape are at best inefficient, at worst misleading.
  • Align red and blue teams through continuous collaboration. Security is a team sport. Silos between offensive and defensive teams must be broken down. Shared learnings and iterative refinement cycles are essential.
  • Engage in simulation, not just instruction. Structured training is the foundation, but true readiness comes from cyber incident simulation. Teams need to move from knowing a technique to executing it under stress, in an operational context.
  • Establish CTEM as a daily discipline. CTEM must be part of the organization’s DNA and a continuous process. This requires organizational maturity, dedicated feedback loops, and strong process ownership.
  • Use metrics to drive learning. Evidence-based repetition depends on reliable data. Analytics from breach simulations should be mapped directly to skills development and tooling performance.

The role of AI in cybersecurity training

While attackers are already using AI to their advantage, defenders can use it too, but with care. 

AI isn’t a replacement for real-world training scenarios. Relying on it alone to create best-practice content is a mistake. What AI can do well is speed up content delivery, adapt to different learners, and personalize the experience. 

It can also identify each person’s weaknesses and guide them through custom learning paths that fill real skill gaps. In 2026, expect AI-driven personalization to become standard in professional development, aligning learner needs with the most relevant simulations and modules.

Beyond tools: making CTEM a culture

Ultimately, CTEM succeeds when it’s embraced not as a feature or a product but as a discipline woven into the daily practices of the organization. 

It also requires careful development. Red and blue teams must be open, transparent, and aligned. It’s not enough to simulate the threat. Security teams must also simulate to match an adversary’s intensity in order to build reflexes strong enough to withstand the real thing. 

The organizations that take this path won’t just respond faster to incidents — they’ll be able to anticipate and adapt and cultivate resilience that evolves as quickly as the threats do.

Dimitrios Bougioukas is vice president of training at Hack The Box, where he leads the development of advanced training initiatives and certifications that equip cybersecurity professionals worldwide with mission-ready skills.

The post Red, blue, and now AI: Rethinking cybersecurity training for the 2026 threat landscape appeared first on CyberScoop.

Cisco uncovers new SNMP vulnerability used in attacks on IOS devices

By: Greg Otto
25 September 2025 at 10:57

Cisco Systems has issued security updates to address a high-severity vulnerability in its widely deployed IOS and IOS XE network operating systems, after confirming the flaw is being exploited in active attacks.

Designated CVE-2025-20352, the vulnerability resides in the Simple Network Management Protocol (SNMP) subsystem of Cisco’s core network software. According to Cisco, the weakness stems from a stack-based buffer overflow and affects any device with SNMP enabled. The flaw allows authenticated, remote attackers with low privileges to force targeted systems to reload, causing denial of service. Higher-privileged attackers could execute arbitrary code with root-level permissions on affected Cisco IOS XE devices, effectively gaining complete control.

Cisco disclosed that the vulnerability has been exploited in the wild, and said the attacks it observed followed the compromise of local administrator credentials. Attackers leveraged the flaw by sending crafted SNMP packets over either IPv4 or IPv6.

“All devices that have SNMP enabled and have not explicitly excluded the affected object ID (OID) should be considered vulnerable,” Cisco wrote in a published advisory. The company noted the problem affects all versions of SNMP, including v1, v2c, and v3. Models such as the Meraki MS390 and Catalyst 9300 running Meraki CS 17 or earlier are impacted, with a fix arriving in a further IOS XE software release.

There are no workarounds; the software updates are the fix. Organizations unable to upgrade immediately can reduce exposure by limiting SNMP access to trusted users and network segments, but Cisco describes these as temporary measures only. 

The company’s security bulletin further instructs administrators on verifying the presence of SNMP and potentially affected configurations through command-line tools. Devices running IOS XR and NX-OS are confirmed as unaffected.
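The questions Cisco points administrators at (is SNMP enabled at all, which versions and community strings are in use, is access restricted to trusted sources, is the affected OID excluded from the view) can be scripted against the device's running configuration rather than eyeballed across a fleet. The following is an added example, not Cisco's tooling: it audits the `snmp-server` lines of a `show running-config` for a legacy configuration and a hardened one, both constructed here. The ACL name, view and group names, and the host addresses are assumptions; `AFFECTED-OID-FROM-ADVISORY` is a placeholder for the OID subtree Cisco's advisory identifies, which this article does not reproduce, and a real view entry takes an OID or MIB object name in its place. SNMPv3 users are not part of the running configuration and are listed with `show snmp user`, so the auditor does not see them.

```python
"""Audit the SNMP configuration of a Cisco IOS / IOS XE device for the exposure
Cisco describes around CVE-2025-20352: SNMP enabled, weak v1/v2c community
strings, unrestricted access, no OID exclusion.

Added example, not Cisco's tooling. Input is the text of `show running-config`;
both configurations below are constructed.
"""
import re

WELL_KNOWN = {"public", "private", "cisco", "admin"}
SEVERITY = {"info": 0, "medium": 1, "high": 2}

# Constructed: a typical legacy configuration.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server host 192.0.2.50 version 2c public
snmp-server enable traps
"""

# Constructed: SNMPv3 authPriv only, polling restricted by ACL, and the
# affected subtree removed from the view. AFFECTED-OID-FROM-ADVISORY stands in
# for the OID Cisco names in its advisory; it is not a valid IOS token.
HARDENED_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit 10.0.5.0 0.0.0.255
snmp-server view NOCRITICAL iso included
snmp-server view NOCRITICAL AFFECTED-OID-FROM-ADVISORY excluded
snmp-server group NOC-GRP v3 priv read NOCRITICAL access SNMP-MGMT
snmp-server host 10.0.5.20 version 3 priv noc-poller
snmp-server enable traps
"""


def _parse_community(tokens):
    """Tokens after 'snmp-server community': NAME [view V] [RO|RW] [ipv6 ACL6] [ACL]."""
    name, mode, acl = tokens[0], "RO", None   # IOS defaults a community to read-only
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.lower() == "view":             # view name, not an ACL
            i += 2
            continue
        if tok.lower() == "ipv6":
            acl, i = tokens[i + 1], i + 2
            continue
        if tok.upper() in ("RO", "RW"):
            mode = tok.upper()
        else:
            acl = tok
        i += 1
    return name, mode, acl


def audit(config):
    """Return (severity, message) findings, most severe first; [] means nothing to fix."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip().startswith("snmp-server")]
    if not lines:
        return [("info", "SNMP is not configured; the SNMP bug does not apply to this device")]
    has_exclusion = False
    for line in lines:
        tok = line.split()
        kind = tok[1]
        if kind == "community":               # any community line means v1/v2c is accepted
            name, mode, acl = _parse_community(tok[2:])
            findings.append(("medium", f"community '{name}' uses SNMPv1/v2c (string sent in clear)"))
            if name.lower() in WELL_KNOWN:
                findings.append(("high", f"community '{name}' is a well-known default string"))
            if mode == "RW":
                findings.append(("high", f"community '{name}' is read-write"))
            if acl is None:
                findings.append(("medium", f"community '{name}' is not restricted by an access list"))
        elif kind == "host":
            m = re.search(r"\bversion (\S+)", line)
            ver = m.group(1) if m else "1"    # IOS defaults to v1 when no version is given
            if ver != "3":
                findings.append(("medium", f"trap/inform host {tok[2]} uses SNMPv{ver}"))
            elif "priv" not in tok:
                findings.append(("medium", f"SNMPv3 host {tok[2]} is not configured with priv"))
        elif kind == "group" and "v3" in tok:
            if "priv" not in tok:
                findings.append(("medium", f"SNMPv3 group {tok[2]} does not require authPriv"))
            if "access" not in tok:
                findings.append(("medium", f"SNMPv3 group {tok[2]} is not restricted by an access list"))
        elif kind == "view" and tok[-1] == "excluded":
            has_exclusion = True
    if not has_exclusion:
        findings.append(("info", "no SNMP view excludes any OID; if unpatched, exclude the OID from Cisco's advisory"))
    return sorted(findings, key=lambda f: -SEVERITY[f[0]])


def worst(findings):
    """Highest severity present, 'info' when there is nothing to report."""
    return max((f[0] for f in findings), key=SEVERITY.get, default="info")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: worst={worst(audit(cfg))}")
        for severity, msg in audit(cfg):
            print(f"  [{severity}] {msg}")
```

The legacy configuration produces three high findings (two default strings, one of them read-write) and a handful of medium ones; the hardened configuration produces none. The audit measures exposure, not patch state: a device that passes it is still vulnerable until it runs the fixed release, which is why the "temporary" label Cisco attaches to these mitigations matters.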

The same update that addressed the SNMP flaw also included patches for 13 other vulnerabilities. Two of these are considered significant: a reflected cross-site scripting weakness (CVE-2025-20240) permitting attackers to potentially steal session cookies, and a denial-of-service flaw (CVE-2025-20149) that can be triggered by authenticated local users. Both have proof-of-concept exploit code available publicly.

Cisco’s IOS and IOS XE platforms are foundational to global networking infrastructure, making vulnerabilities with the potential for remote code execution and denial of service particularly significant for enterprise operations and internet service providers. SNMP’s pervasive use for network monitoring and management, coupled with default or weak credential usage in some environments, continues to place heightened importance on timely security response.

The post Cisco uncovers new SNMP vulnerability used in attacks on IOS devices appeared first on CyberScoop.

What to do if your company discovers a North Korean worker in its ranks

By: Greg Otto
23 September 2025 at 14:12

Terminating their employment is the easy part. The rest is complicated.

When enterprises discover they have inadvertently hired North Korean information technology workers, they face a cascade of urgent decisions involving sanctions law, cybersecurity protocols, and law enforcement cooperation that can expose them to significant legal and financial risks.

Incident response experts and cybersecurity lawyers explained how enterprises can navigate these risks Monday at Google’s Cyber Defense Summit in Washington, D.C. The challenges have grown more prominent as cybersecurity firms track what they describe as an organized employment scheme designed to generate revenue for North Korea’s weapons programs. 

“Their primary goal is revenue generation, often from multiple employers at once, to fund their weapons of mass destruction program,” Mike Lombardi, who leads North Korean-focused incident response work at Mandiant, said during a panel discussion on the issue.

While North Korean IT workers ultimately funnel their earnings back to the regime, cybersecurity experts emphasize that the workers themselves are primarily motivated by securing paychecks rather than causing immediate corporate damage. Because of this, experts emphasized Monday how companies need all of their departments — like human resources, security, and legal — to watch for warning signs when hiring and to work together if they discover a suspicious worker on their team.

Detection through HR anomalies

Evan Wolff, who co-chairs Akin’s cybersecurity, privacy and data protection practice, emphasized that initial detection often occurs during routine vetting processes. “A lot of these cases seem more HR than cyber at first,” Wolff said.

Key indicators include email addresses with no record at known data brokers, LinkedIn profiles with recycled resumes, and an applicant’s reluctance to appear on video during interviews. Matthew Welling, a partner in Crowell & Moring’s cyber practice, noted that mismatched personal information often provides the first clues.

“A big part of this is spotting pieces of information that don’t fit together — for example, if the address on their ID doesn’t match the address where they want things sent, that’s often a giveaway,” Welling said.

Caroline Brown, a Crowell & Moring partner specializing in international trade and national security, said investigations sometimes reveal more complex patterns. “We saw one IT worker employed at several places at once, looking for their next job, possibly using their employer’s systems to do so,” Brown said.

Immediate sanctions exposure

The legal implications can become apparent quickly once a North Korean worker is suspected to be employed inside an organization. Brown, who previously worked at the Justice Department’s National Security Division and the Treasury Department’s Office of Foreign Assets Control (OFAC), explained the strict liability that can come with violating U.S. sanctions.

“North Korea is under a comprehensive embargo — no dealings with U.S. persons or companies, directly or indirectly,” Brown said. “Finding out you’ve made a payment to them could be an additional violation, even strict liability, meaning you don’t need to know you did it; you’re still liable.”

The timing of discovery creates additional complications for things like payroll processing. When asked about scenarios where companies discover a rogue employee mid-week but have payroll scheduled for Friday, Brown responded that the situation becomes “very fact-specific and is about risk tolerance.”

“If you process a payment and it turns out to be for a North Korean, your payment processor — a U.S. financial institution — has violated sanctions, which may also expose you as the cause of that violation,” Brown said.

Strategic response decisions

Unlike typical cybersecurity incidents, these cases sometimes involve staying in communication with the suspected workers to facilitate evidence collection and device recovery. Welling noted that the threat actors’ behavior differs from expectations.

“More often than not, they’re very cooperative, trying to get one more paycheck or severance, even arranging for someone to return the laptop for money,” Welling said. “The key is to keep the interaction alive: tell them you’re having technical issues, keep communication open, and stay in touch.”

Lombardi confirmed this approach to CyberScoop, stating that “most of the time, we just want to get the laptop back.” He explained that maintaining the ruse can be essential for forensic analysis, particularly when evidence is stored locally on devices rather than in centralized systems.

The cooperative nature of these workers when discovered reflects their primary motivation. “By and large, we see that their motivation is to remain employed,” Lombardi said. “Even if things fall apart, the worker will usually comply, to try to stretch out payments or maintain a relationship, not go nuclear.”

Law enforcement and regulatory coordination

One of the biggest decisions companies face is when and how to involve federal authorities. Wolff, who previously worked at the Department of Homeland Security, noted the FBI’s effectiveness in these cases.

“As someone who spent four years at Homeland Security, I don’t always love the FBI, but in this case they’re extremely effective and can work proactively with affected clients to stop this pre-employment,” Wolff said.

There is no legal requirement to notify law enforcement, but Wolff noted that “sharing information with the FBI is helpful, and as the relationship lengthens or the money paid increases, the risk grows.”

Brown also highlighted the benefits of voluntary self-disclosure to OFAC. “More companies are doing so, which preserves mitigation credit — a 50% reduction in penalties — if OFAC were to penalize you,” she said.

The disclosure decision becomes more complex when the FBI initiates contact. “It depends on what the cooperation agreement is with the FBI and whether they’ve already told OFAC about the incident,” Brown said.

Wolff emphasized that, whatever an organization’s appetite for involving outside parties, it should test those plans through tabletop exercises. He explained that even companies that hold cybersecurity-focused tabletops “don’t cover this kind of case” and stressed the importance of including HR personnel in planning a response.

“One challenge is that nobody tells you ‘this person is definitely North Korean’ early on, so you’re piecing together information, often through HR investigations rather than standard cyber incident response,” Wolff said.

The panel members agreed that the threat continues to evolve and expand. Welling characterized it as an enduring challenge: “This isn’t a threat that’s going away. If anything, more groups are picking up the playbook.”

Update – 9/24/25: A previous version of this article attributed a quote to Matthew Welling that was actually said by Evan Wolff.

The post What to do if your company discovers a North Korean worker in its ranks appeared first on CyberScoop.

Why federal IT leaders must act now to deliver NIST’s post-quantum cryptography transition

By: Greg Otto
22 September 2025 at 05:30

In August 2024, the National Institute of Standards and Technology published its first set of post-quantum cryptography (PQC) standards, the culmination of over seven years of cryptographic scrutiny, review and competition. 

As the standards were announced, the implications for cybersecurity leaders were clear: The U.S. government must re-secure its entire digital infrastructure — from battlefield systems to tax records — against adversaries preparing to use quantum computers to break our encryption.

This isn’t a theoretical risk; it’s an operational vulnerability. The cryptography that secures federal data today will be obsolete; NIST’s draft transition guidance already sets 2035 as the date after which RSA and ECC are disallowed, and our adversaries know it.

A foundational national security threat

Quantum computers are no longer science fiction; they’re a strategic priority for governments in the United States, Europe, China, and beyond, which are investing billions in their development. While the technology holds promise for scientific and economic breakthroughs, it also carries significant risks for national security.

If just one adversarial state succeeds in building a large enough quantum computer, it would render RSA, ECC, and the other foundational public-key systems underpinning federal communications, authentication, and data protection obsolete. And it would break them not over the timescales a classical computer would need, but in days.

Even before such computers exist, the risk is clear. Intelligence agencies like the National Security Agency have long warned of “harvest now, decrypt later” attacks. That means sensitive U.S. government data — captured today over insecure links or stolen in data breaches — may be stored in data centers with the intention of being decrypted years from now when quantum capabilities mature. This includes classified material, personally identifiable information, defense logistics data, and more.

We are not talking about theoretical vulnerabilities or bugs. We are talking about a complete systemic failure of classical cryptography in the face of a new computing paradigm, and a long-known one at that.

You’ve been warned and instructed

If you work in federal IT or security and haven’t started quantum-proofing your systems, you are already behind. The U.S. government has made its intentions crystal clear over the past three years. 

National Security Memorandum 10 (NSM-10), signed under the Biden administration in May 2022, sets 2035 as the target for mitigating as much of the quantum risk to federal systems as is feasible. It was followed by Office of Management and Budget memo M-23-02 in November 2022, which requires federal civilian agencies to inventory their cryptographic systems, assess their quantum vulnerability, and develop transition plans.

These early instructions were cemented in the NSA’s CNSA 2.0 guidelines, stating that systems protecting classified and national security data must move to quantum-safe algorithms before the 2035 deadline, with many systems already transitioned by 2030, using NIST’s approved cryptographic standards.

This is not a proposal; it is federal policy. The deadlines are set. The threat is recognized and the technology is ready.

The scale is unprecedented but not insurmountable

There hasn’t been a cryptographic overhaul of this magnitude since the adoption of public-key cryptography, and arguably no IT remediation effort of this scale since Y2K. But unlike Y2K, there is no fixed date when things will fail. There won’t be a headline or official press release when quantum computing arrives. If you’re waiting for a clear signal, you won’t get one; it will simply be here, and those who haven’t prepared will already be behind.

Just as the Allies did not announce that they had broken Enigma, the first nation to build a cryptographically relevant quantum computer is unlikely to tell the world, least of all its adversaries.

Quantum-safe transition isn’t as simple as swapping out a cryptographic library. Legacy systems across agencies rely on hardcoded cryptographic protocols. Hardware modules may require firmware upgrades or full replacement. Key management systems will need to be redesigned. Certification and compliance processes must be updated. 

This encryption is found everywhere across the technology supply chain and in everyday life. With so many critical government functions, services, systems and departments now run online, just one weak link in the supply chain could bring the whole network down. 

Under the NSA’s CNSA 2.0 guidelines, vendors supplying national security systems must support PQC, especially in new technology procurements beyond 2030, and products that rely on the algorithms designated as vulnerable are to be phased out by 2035.

Most agencies aren’t prepared, and the private sector vendors they depend on are working hard to provide the tools needed to deliver the transition. What we must be careful of is some suppliers marketing “quantum-safe” solutions that do not meet NIST standards and may introduce new vulnerabilities down the line.

What federal IT leaders must do today 

The countdown to 2030 and 2035 has already begun. Federal CIOs, CISOs, and program managers should take the following steps this fiscal year:

  1. Enforce cryptographic discovery mandates. OMB memo M-23-02 requires all agencies to submit an annual inventory of cryptographic systems. If your agency hasn’t complied or gone beyond minimal discovery, it’s time to escalate.
  2. Demand vendor transparency. Your suppliers must tell you when and how they plan to support NIST’s PQC algorithms, not “proprietary” solutions. If they can’t, find new ones.
  3. Fund pilot deployments now. Testing post-quantum algorithms in isolated systems today will reveal architectural bottlenecks and allow for smoother rollout in future years.
  4. Educate procurement teams. Use the NSA’s quantum-safe procurement guidance to ensure RFPs, contracts, and tech refreshes explicitly require PQC readiness.
  5. Treat PQC as a cybersecurity budget line item, not a future capital project. Quantum risk is not hypothetical; it is live and needs action today.
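The first step above, and the inventory that M-23-02 asks for, begins with knowing which public-key algorithms are actually deployed. The following is an added example, not code from the article, NIST, NSA or OMB: it parses public keys in PEM (SubjectPublicKeyInfo) form with a minimal DER decoder, classifies each by algorithm, size and curve, and flags the ones a cryptographically relevant quantum computer would break. The sample keys are constructed inline so the script runs offline (the RSA modulus is filler, not real key material); the ML-DSA-65 object identifier is taken from NIST’s CSOR registry, and the rest are the standard RSA, EC and Ed25519 identifiers. In practice you would feed it keys and certificates harvested from hosts, configuration files and repositories.

```javascript
// Added example, not from the article, NIST, NSA or OMB. Cryptographic discovery
// starts with learning which public-key algorithms are in use. This classifies
// SubjectPublicKeyInfo PEM blobs by algorithm, size and curve and flags those a
// cryptographically relevant quantum computer would break. The sample keys are
// CONSTRUCTED below (the RSA modulus is filler, not a real key) so it runs
// offline; in practice you feed it keys and certificates harvested from hosts.

// ---- minimal DER encoder/decoder, enough for SubjectPublicKeyInfo ----
function derLength(n) {
  if (n < 0x80) return [n];
  const out = [];
  for (let v = n; v > 0; v = Math.floor(v / 256)) out.unshift(v & 0xff);
  return [0x80 | out.length, ...out];
}
const der = (tag, content) => Uint8Array.from([tag, ...derLength(content.length), ...content]);

function encodeOid(dotted) {
  const p = dotted.split(".").map(Number);
  const out = [40 * p[0] + p[1]];
  for (const arc of p.slice(2)) {
    const chunk = [arc & 0x7f];
    for (let v = Math.floor(arc / 128); v > 0; v = Math.floor(v / 128)) chunk.unshift(0x80 | (v & 0x7f));
    out.push(...chunk);
  }
  return Uint8Array.from(out);
}
function decodeOid(bytes) {
  const p0 = bytes[0] < 40 ? 0 : bytes[0] < 80 ? 1 : 2;
  const parts = [p0, bytes[0] - 40 * p0];
  let v = 0;
  for (const b of bytes.subarray(1)) {
    v = v * 128 + (b & 0x7f);
    if (!(b & 0x80)) { parts.push(v); v = 0; }
  }
  return parts.join(".");
}
// Read one tag-length-value at `off`; returns the tag and the content's [start, end).
function readTlv(buf, off) {
  const tag = buf[off];
  let len = buf[off + 1], pos = off + 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[pos++];
  }
  return { tag, start: pos, end: pos + len };
}
const toPem = (bytes) =>
  `-----BEGIN PUBLIC KEY-----\n${Buffer.from(bytes).toString("base64").match(/.{1,64}/g).join("\n")}\n-----END PUBLIC KEY-----\n`;
const fromPem = (pem) => new Uint8Array(Buffer.from(pem.replace(/-----[^-]+-----|\s/g, ""), "base64"));

// ---- algorithm identifiers (dotted OIDs; ML-DSA-65 per NIST's CSOR registry) ----
const OID = {
  rsaEncryption: "1.2.840.113549.1.1.1",
  ecPublicKey: "1.2.840.10045.2.1",
  ed25519: "1.3.101.112",
  mlDsa65: "2.16.840.1.101.3.4.3.18",
};
const CURVES = { "1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384", "1.3.132.0.35": "P-521" };

function classifyPublicKey(pem) {
  const buf = fromPem(pem);
  const outer = readTlv(buf, 0);              // SEQUENCE { AlgorithmIdentifier, BIT STRING }
  const algId = readTlv(buf, outer.start);
  const oidTlv = readTlv(buf, algId.start);
  const oid = decodeOid(buf.subarray(oidTlv.start, oidTlv.end));
  const bitStr = readTlv(buf, algId.end);
  const key = buf.subarray(bitStr.start + 1, bitStr.end); // skip the unused-bits byte
  switch (oid) {
    case OID.rsaEncryption: {                 // RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
      const n = readTlv(key, readTlv(key, 0).start);
      let i = n.start;
      while (i < n.end && key[i] === 0) i++;  // drop the INTEGER sign-padding byte
      const bits = (n.end - i) * 8 - (Math.clz32(key[i]) - 24);
      return { algorithm: "RSA", bits, quantumVulnerable: true };
    }
    case OID.ecPublicKey: {                   // parameters = namedCurve OID
      const curve = readTlv(buf, oidTlv.end);
      const curveOid = decodeOid(buf.subarray(curve.start, curve.end));
      return { algorithm: "EC", curve: CURVES[curveOid] ?? curveOid, quantumVulnerable: true };
    }
    case OID.ed25519: return { algorithm: "Ed25519", quantumVulnerable: true };
    case OID.mlDsa65: return { algorithm: "ML-DSA-65", quantumVulnerable: false };
    default: return { algorithm: `unknown (${oid})`, quantumVulnerable: null };
  }
}
function inventory(pems) {
  const entries = pems.map(classifyPublicKey);
  return { entries, total: entries.length, vulnerable: entries.filter((e) => e.quantumVulnerable === true).length };
}

// ---- constructed sample keys (shapes are right, key material is filler) ----
function spki(algOid, params, keyBytes) {
  const algId = der(0x30, [...der(0x06, encodeOid(algOid)), ...(params ?? [])]);
  return der(0x30, [...algId, ...der(0x03, [0x00, ...keyBytes])]);
}
const rsaKey = der(0x30, [...der(0x02, [0x00, ...new Uint8Array(256).fill(0xab)]), ...der(0x02, [0x01, 0x00, 0x01])]);
const SAMPLE_PEMS = [
  toPem(spki(OID.rsaEncryption, der(0x05, []), rsaKey)),                                                        // RSA-2048
  toPem(spki(OID.ecPublicKey, der(0x06, encodeOid("1.2.840.10045.3.1.7")), new Uint8Array(65).fill(4, 0, 1))), // P-256
  toPem(spki(OID.ed25519, undefined, new Uint8Array(32))),
  toPem(spki(OID.mlDsa65, undefined, new Uint8Array(1952))),                                                    // already post-quantum
];

console.table(inventory(SAMPLE_PEMS).entries);
```

The point of parsing the DER rather than shelling out to a crypto library is that an inventory tool has to run wherever the keys are, including hosts with no modern toolchain; the output is the list of RSA, EC and Ed25519 keys that need a migration plan, with the ML-DSA-65 key shown as the state you are migrating to.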

The bottom line: This is a national defense imperative

You don’t have to believe the quantum hype — you just have to follow your own government’s threat assessments.

Federal legislation, including the Quantum Computing Cybersecurity Preparedness Act, signed into law in December 2022, requires agencies to prepare for the migration.

If your systems still rely on RSA, ECC, or other legacy algorithms without a transition roadmap, you are not defending them — you are leaving them open to attack.

The NIST standards show that with one year of progress behind us, there are five years of opportunity ahead.

Ali El Kaafarani is the founder and CEO of PQShield, a global leader in post-quantum cryptography.

The post Why federal IT leaders must act now to deliver NIST’s post-quantum cryptography transition appeared first on CyberScoop.

DOD official: We need to drop the cybersecurity talent hiring window to 25 days

By: Greg Otto
19 September 2025 at 09:04

The Department of Defense is seeking to address persistent shortages in its cyber workforce by reducing the time to fill vacant cybersecurity jobs to 25 days. The target, outlined by a senior official during a recent discussion, comes as the department faces a shortfall of nearly 20,000 cyber professionals within its ranks, a figure that reflects broader national trends.

Mark Gorak, who manages the DOD’s cyber workforce, described the scale of the challenge Thursday at FedTalks, produced by Scoop News Group. He noted that the department’s cyber component alone consists of approximately 245,000 personnel, while the wider Department of Defense encompasses about 4 million. The vacancy rate, which recently dropped below 10%, remains a significant concern, as the nation as a whole is estimated to be short by 500,000 to 700,000 cyber experts.

Efforts to accelerate hiring have already yielded some results. The department currently averages 70 days to hire, a figure that compares favorably to the federal government’s 80-day benchmark but lags behind the private sector, where technical hiring can take as little as 46 days. The new 25-day target, if achieved, would represent a substantial shift in federal hiring practices.

Central to the department’s strategy is a move toward skills-based hiring. Gorak emphasized a departure from traditional requirements such as advanced degrees, certifications, or lengthy experience. Instead, candidates will be evaluated on their ability to perform job-specific tasks, often through the use of cyber ranges — simulated environments designed to assess technical proficiency. The department is developing 30-minute assessment ranges to quickly determine whether applicants can meet the demands of the role.

“My number one goal is skills-based hiring in the department,” Gorak said. “I don’t care what your occupational series is. I don’t care what your [Military Occupational Specialty] is. I care about what you do and if you’re qualified to do it.”

The shift comes amid rapid technological change, particularly in artificial intelligence. Gorak noted that the department is updating its work roles and the associated knowledge, skills, abilities, and tasks (KSATs) every 90 days to keep pace with evolving cyber threats and tools. The use of AI is being encouraged within the workforce, with Gorak acknowledging that many federal employees have yet to adopt such technologies in their daily work.

“Right now, AI is exponentially increasing,” he said. “Every month, right now, we’re changing our AI capabilities. We have to keep up.”

The department’s approach also involves collaboration with industry, academia, and other government partners. Gorak, who now leads the newly established Cyber Academic Engagement Office, underscored the need for a broad coalition to address the workforce gap.

“Congress gave me a task. I appointed a director. I don’t have funding, I don’t have resources, I don’t have people,” he said. “I firmly believe we need industry, academia, civilians and military to solve our challenges.”

The post DOD official: We need to drop the cybersecurity talent hiring window to 25 days appeared first on CyberScoop.

BreachForums founder resentenced to three years in prison

By: Greg Otto
16 September 2025 at 17:37

A man who pleaded guilty in 2023 for charges related to his work as founder and operator of the notorious BreachForums website was resentenced Tuesday to three years in prison after having his initial sentence overturned in January.

Conor Brian Fitzpatrick, 22, operated BreachForums — once regarded as the largest English-language cybercrime marketplace — under the alias “Pompompurin.” The forum allowed users to purchase, sell, and exchange hacked or stolen data and other illicit materials, including child sexual abuse material, federal authorities said.  

Fitzpatrick pleaded guilty in July 2023 to conspiracy to commit access device fraud, solicitation concerning fraudulent access devices, and possession of child sexual abuse material. Prosecutors from the Eastern District of Virginia originally sought nearly 16 years of imprisonment for the defendant. However, Fitzpatrick was initially given a sentence of 17 days — time served — along with 20 years of supervised release.

Court records reveal that the lenient sentence considered mitigating circumstances, including Fitzpatrick’s autism diagnosis and his youth. The sentencing memo noted that even while legal proceedings were ongoing, Fitzpatrick violated the court’s terms by using a VPN to access online chatrooms via Discord. In those environments, he challenged the legitimacy of his guilty plea, expressed regret over not contesting the charges, and made statements trivializing the sale of sensitive data to foreign interests.

Reaction to these post-plea actions was swift from prosecutors, who appealed the sentence. U.S. Court of Appeals Judge Paul V. Niemeyer, writing the opinion to vacate the original sentence, described Fitzpatrick’s behavior as demonstrating “a lack of remorse,” noting that the district court “never addressed the seriousness of his crimes or explained how its sentence fulfilled” the legal requirements.

With the appellate court’s decision, the case was returned for resentencing. In addition to the prison sentence, Fitzpatrick was ordered to forfeit over 100 domain names used in connection with BreachForums, more than a dozen electronic devices, and cryptocurrency proceeds from the site’s activity.

BreachForums rose to prominence quickly after law enforcement dismantled RaidForums, then the major English-language hacking platform, in February 2022. BreachForums launched the following March and by most accounts, immediately filled the void left in RaidForums’ absence, accumulating over 330,000 members in less than a year and containing more than 14 billion individual records of personal information, according to court documents.

Since Fitzpatrick’s arrest, law enforcement has attempted to remove BreachForums from the internet, only to see copycats return in the wake of each takedown. 

The post BreachForums founder resentenced to three years in prison appeared first on CyberScoop.

Check Point acquires AI security firm Lakera in push for enterprise AI protection

By: Greg Otto
16 September 2025 at 13:23

Check Point Software Technologies announced Monday it will acquire Lakera, a specialized artificial intelligence security platform, as entrenched cybersecurity companies continue to expand their offerings to match the generative AI boom.

The deal, expected to close in the fourth quarter of 2025, positions Check Point to offer what the company describes as an “end-to-end AI security solution.” Financial terms were not disclosed.

The acquisition reflects growing concerns about security risks as companies integrate large language models, generative AI, and autonomous agents into core business operations. These technologies introduce potential attack vectors including data exposure, model manipulation, and risks from multi-agent collaboration systems.

“AI is transforming every business process, but it also introduces new attack surfaces,” said Check Point CEO Nadav Zafrir. The company chose Lakera for its AI-native security approach and performance capabilities, he said.

Lakera, founded by former AI specialists from Google and Meta, operates out of both Zurich and San Francisco. The company’s platform provides real-time protection for AI applications, claiming detection rates above 98% with response times under 50 milliseconds and false positive rates below 0.5%.

The startup’s flagship products, Lakera Red and Lakera Guard, offer pre-deployment security assessments and runtime enforcement to protect AI models and applications. The platform supports more than 100 languages and serves Fortune 500 companies globally. The company also operates what it calls Gandalf, an adversarial AI network that has generated more than 80 million attack patterns to test AI defenses. This continuous testing approach helps the platform adapt to emerging threats.

David Haber, Lakera’s co-founder and CEO, said joining Check Point will accelerate the company’s global mission to protect AI applications with the speed and accuracy enterprises require.

Check Point already offers AI-related security through its GenAI Protect service and other AI-powered defenses for applications, cloud systems, and endpoints. The Lakera acquisition extends these capabilities to cover the full AI lifecycle, from models to data to autonomous agents.

Upon completion of the deal, Lakera will form the foundation of Check Point’s Global Center of Excellence for AI Security. The integration aims to accelerate AI security research and development across Check Point’s broader security platform.

The acquisition is another in a flurry of bigger cybersecurity companies moving to acquire AI-focused startups. Earlier this month, F5 acquired CalypsoAI, Cato Networks acquired Aim Security, and Varonis acquired SlashNext. 

The deal remains subject to customary closing conditions.

The post Check Point acquires AI security firm Lakera in push for enterprise AI protection appeared first on CyberScoop.

When ‘minimal impact’ isn’t reassuring: lessons from the largest npm supply chain compromise

By: Greg Otto
15 September 2025 at 09:21

Earlier this week, Aikido Security disclosed what is being described as the largest npm supply chain compromise to date. Attackers successfully injected malicious code into 18 popular npm packages, collectively accounting for more than 2.6 billion weekly downloads. The entire campaign began not with a technical exploit, but with a single, well-trained maintainer clicking on a convincingly crafted phishing email.

The scale of this incident should serve as a wake-up call for the industry. Even though the financial fallout has been labeled “minimal,” attackers were able to compromise packages at the very core of the JavaScript ecosystem. That reality should concern every developer, security leader, and policymaker.

We can’t afford to normalize these events as routine, low-stakes occurrences. Each successful package takeover exposes the fragility of our collective software infrastructure. The fact that defenders managed to contain this “leaking roof” in time should not reassure us — it should motivate us to act before the next one.

Anatomy of the compromise

The attack began with a familiar but effective tactic: account takeover. According to Aikido, attackers tricked the maintainer of the affected libraries using a phishing email impersonating npm support, requesting a two-factor authentication update. With those stolen credentials in hand, the attackers published malicious versions of popular packages — including chalk and debug — by modifying their index.js files.

The injected payload was designed to hijack cryptocurrency transactions. By monitoring browser APIs like fetch, XMLHttpRequest, and wallet interfaces such as window.ethereum, the malware could redirect funds to attacker-controlled addresses.

Fortunately, the malicious versions were identified within minutes and publicly disclosed within the hour. This rapid response helped prevent widespread damage. Still, millions of developers pulled compromised versions during that brief window — a reminder of how much trust we place in open source infrastructure and how quickly that trust can be exploited.

Adding to the picture, further research has revealed that additional npm packages were hijacked as part of this campaign, including duckdb, which alone sees nearly 150,000 downloads per week. These findings reinforce the breadth of the operation and highlight how difficult it is to measure the full scope of supply chain compromises in real time.

A playbook that’s here to stay

This compromise was not an isolated incident. Package takeovers have become a standard tactic for threat actors because they provide unmatched reach: compromise one popular project, and you instantly gain access to millions of downstream systems. 

We have seen this strategy become a key tool for advanced persistent threats (APTs), including groups like Lazarus most recently. Package takeovers allow them to infiltrate massive portions of the world’s developer population by targeting a single under-resourced project.

The npm ecosystem is not unique in this regard. Whether it’s PyPI, RubyGems, or Maven Central, package registries are critical distribution points in the modern software supply chain. They represent single points of failure that adversaries will continue to exploit.

The “it wasn’t that bad” narrative

Since disclosure, some industry commentary has downplayed the incident. Reports note that the attackers appear to have stolen just a handful of crypto assets: roughly 5 cents of ETH and $20 worth of a small memecoin.

But this framing is short-sighted. The true cost is not the stolen cryptocurrency; it’s the thousands of hours of engineering and security work required worldwide to clean up compromised environments, not to mention the contracts, compliance requirements, and audits that inevitably follow. 

What’s also striking is how quickly attackers are now able to act. In this case, malicious versions of npm packages were downloaded potentially millions of times within minutes. The same pattern has played out for years in vulnerability exploitation — from Heartbleed to Equifax — where the time between disclosure and exploitation has shrunk to nearly zero.

The “minimal impact” narrative risks lulling organizations into complacency. It encourages a mindset where each incident is dismissed as “low risk” until one day, it isn’t.

What needs to change

Focusing on what didn’t happen ignores the reality that attackers had the opportunity to hit far harder. This incident underscores several urgent priorities, including:

  • Strengthen maintainer security: Package maintainers are the new frontline of cyberattacks. Protecting their accounts with phishing-resistant authentication, hardware keys, and stronger identity protections must become the norm, not the exception.
  • Improve ecosystem-level safeguards: Registries must continue to invest in stronger safeguards, such as mandatory MFA, anomaly detection for unusual publishing activity, and proactive monitoring for malicious code patterns.
  • Shift industry mindset: Organizations need to treat every compromise of a widely used package as a major security incident — even if the immediate payload looks trivial. A malicious package should trigger the same urgency as a zero-day exploit, because the potential blast radius is just as large.
  • Invest in supply chain visibility: Software bills of materials (SBOMs) and automated dependency tracking are essential. Enterprises must be able to quickly identify whether they’re pulling compromised versions and take immediate action.

This npm compromise may go down as the “largest to-date,” but its significance has little to do with its size or the negligible cryptocurrency stolen. Its importance lies in what it reveals about the state of modern software security: our trust in open-source infrastructure is more fragile than we like to admit, and attackers know it.

If we keep measuring the significance of these breaches only by their immediate dollar impact, we’ve missed the point. This was like catching a leaking roof before the storm — the damage was limited only because it was discovered quickly. Next time, we may not be so fortunate.

Brian Fox is co-founder and CTO at Sonatype. 

The post When ‘minimal impact’ isn’t reassuring: lessons from the largest npm supply chain compromise appeared first on CyberScoop.

F5 to acquire AI security firm CalypsoAI for $180 million

By: Greg Otto
11 September 2025 at 13:55

F5, a Seattle-based application delivery and security company, announced Thursday it will acquire Dublin-based CalypsoAI for $180 million in cash, highlighting the mounting security challenges enterprises face as they rapidly integrate artificial intelligence into their operations.

The acquisition comes as companies across industries rush to deploy generative AI systems while grappling with new categories of cybersecurity threats that traditional security tools struggle to address. CalypsoAI, founded in 2018, specializes in protecting AI systems against emerging attack methods, including prompt injection and jailbreak attacks.

“AI is redefining enterprise architecture and the attack surface companies must defend,” said François Locoh-Donou, F5’s president and CEO. The company plans to integrate CalypsoAI’s capabilities into its Application Delivery and Security Platform to create what it describes as a comprehensive AI security solution.

Companies are embedding AI into products and operations at an unprecedented pace, but this rapid adoption has created compliance gaps and heightened regulatory scrutiny. CalypsoAI addresses these challenges through what the company calls “model-agnostic” security, providing protection regardless of which AI models or cloud providers enterprises use. 

The platform conducts automated red-team testing against thousands of attack scenarios monthly, generating risk assessments and implementing real-time guardrails to prevent data leakage and policy violations.

“Enterprises want to move fast with AI while reducing the risk of data leaks, unsafe outputs, or compliance failures,” said CalypsoAI CEO Donnchadh Casey. The company’s approach focuses on the inference layer where AI models process requests, rather than securing the models themselves.

The acquisition comes during a flurry of similar moves by established companies in the cybersecurity space that are looking to add AI-powered offerings to their customers. 

F5 has also been active this year with what it considers strategic purchases. The company acquired San Francisco-based Fletch in June and observability firm MantisNet in August, demonstrating a pattern of building capabilities through acquisition rather than internal development.

The deal is expected to close by Sept. 30. 

The post F5 to acquire AI security firm CalypsoAI for $180 million appeared first on CyberScoop.

Apple’s new Memory Integrity Enforcement system deals a huge blow to spyware developers

By: Greg Otto
10 September 2025 at 09:38

Apple has unveiled a comprehensive security system called Memory Integrity Enforcement (MIE) that represents a five-year engineering effort to combat sophisticated cyberattacks targeting individual users through memory corruption vulnerabilities.

The technology is built into Apple’s new iPhone 17 and iPhone Air devices, as well as the A19 and A19 Pro chips. It combines custom-designed hardware with changes to the operating system to deliver what Apple describes as “industry-first, always-on” memory safety protection. According to Apple’s security researchers, the system is primarily designed to defend against sophisticated attacks from so-called “mercenary spyware,” rather than from typical consumer malware.

“Based on our evaluations pitting Memory Integrity Enforcement against exceptionally sophisticated mercenary spyware attacks from the last three years, we believe MIE will make exploit chains significantly more expensive and difficult to develop and maintain, disrupt many of the most effective exploitation techniques from the last 25 years, and completely redefine the landscape of memory safety for Apple products,” the company wrote in a blog posted Tuesday. “Because of how dramatically it reduces an attacker’s ability to exploit memory corruption vulnerabilities on our devices, we believe Memory Integrity Enforcement represents the most significant upgrade to memory safety in the history of consumer operating systems.”

Memory corruption vulnerabilities have long accounted for some of the most pervasive threats to operating system security. These flaws happen when software doesn’t properly control how it reads from or writes to memory, allowing attackers to change, overwrite, or access parts of a computer’s memory they shouldn’t be able to.

Exploits targeting these flaws, in particular buffer overflows and use-after-free errors, have underpinned the sophisticated, multi-million-dollar exploit chains that power spyware. Attackers exploit these flaws, often in “zero-click” (no user interaction required) scenarios, to run harmful code, steal data, or crash systems. For example, NSO Group’s Pegasus spyware was powered by three memory corruption vulnerabilities that were chained together. 

Recognizing this, Apple expanded efforts over the past five years to address memory safety “at scale.” The company worked closely with the chip designer Arm to make memory tagging checks synchronous, so that every memory access is checked immediately, rather than reported later, which could leave a small window open for attackers. This led to the creation of Enhanced Memory Tagging Extension (EMTE), a key part of Apple’s new system.

EMTE works by giving each piece of memory a special secret tag. Whenever the device tries to use a particular section of memory, the hardware checks the tag to make sure it is correct. If the tag doesn’t match what is expected, the device will immediately stop the program and record the incident. By ensuring every block of memory has its own unique tag, and by changing these tags whenever memory is reused, Apple’s system blocks unauthorized access efforts before they can cause damage.
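To make the tagging mechanism described above concrete, here is an added example, not Apple’s code and not a description of its implementation: a software model of hardware memory tagging in the style of Arm MTE/EMTE. Memory is carved into 16-byte granules, each carrying a 4-bit tag; a pointer carries the tag it expects in its upper bits; every load and store compares the two synchronously and faults before touching memory. The granule size, tag width, the bump allocator and the deterministic PRNG are modelling assumptions chosen so the demo is reproducible. It shows why a one-byte linear overflow into the neighbouring allocation and a use-after-free through a stale pointer are both stopped before any memory is touched.

```javascript
// Added example, not Apple's code. A software model of hardware memory tagging
// in the style of Arm MTE/EMTE, showing why tag checks catch a linear overflow
// and a use-after-free. Memory is carved into 16-byte granules, each with a
// 4-bit tag; a pointer carries the tag it expects in its upper bits; every load
// and store compares the two synchronously and faults before touching memory.
// Granule size, tag width, the bump allocator and the PRNG are modelling
// assumptions, not Apple's implementation details.

const GRANULE = 16;
const TAG_MASK = 0xf;
const HEAP_BYTES = 4096;
const TAG_SHIFT = 2 ** 32;          // pointer = tag * 2^32 + address (tag in "upper bits")

class TagMismatch extends Error {}
const makePtr = (addr, tag) => tag * TAG_SHIFT + addr;
const splitPtr = (ptr) => ({ tag: Math.floor(ptr / TAG_SHIFT), addr: ptr % TAG_SHIFT });

class TaggedHeap {
  constructor() {
    this.bytes = new Uint8Array(HEAP_BYTES);
    this.tags = new Uint8Array(HEAP_BYTES / GRANULE); // one tag per granule; 0 = never allocated
    this.sizes = new Map();                            // start granule -> granule count
    this.next = 0;                                     // bump allocator
    this.seed = 0x5eed;                                // deterministic PRNG stands in for hardware randomness
  }
  rand() { this.seed = (Math.imul(this.seed, 1103515245) + 12345) >>> 0; return (this.seed >>> 16) & TAG_MASK; }
  // Pick a non-zero tag that differs from the granules on either side and from
  // `avoid`, so neighbours and stale pointers can never match by construction.
  freshTag(first, count, avoid = 0) {
    const left = first > 0 ? this.tags[first - 1] : 0;
    const right = this.tags[first + count] ?? 0;
    let t;
    do { t = this.rand(); } while (t === 0 || t === left || t === right || t === avoid);
    return t;
  }
  malloc(size) {
    const count = Math.ceil(size / GRANULE), first = this.next;
    if ((first + count) * GRANULE > HEAP_BYTES) throw new Error("out of memory");
    this.next += count;
    const tag = this.freshTag(first, count);
    this.tags.fill(tag, first, first + count);
    this.sizes.set(first, count);
    return makePtr(first * GRANULE, tag);
  }
  free(ptr) {
    const { addr, tag } = splitPtr(ptr);
    const first = addr / GRANULE;
    const count = this.sizes.get(first);
    if (count === undefined) throw new Error("invalid free");
    this.check(addr, tag);
    // Retag on free: every pointer still holding the old tag now mismatches.
    this.tags.fill(this.freshTag(first, count, tag), first, first + count);
    this.sizes.delete(first);
  }
  // The synchronous tag check: performed on every access, before the access.
  check(addr, tag) {
    if (addr < 0 || addr >= HEAP_BYTES) throw new RangeError("address outside heap");
    const memTag = this.tags[Math.floor(addr / GRANULE)];
    if (memTag !== tag) throw new TagMismatch(`tag fault at 0x${addr.toString(16)}: pointer tag ${tag}, memory tag ${memTag}`);
  }
  store(ptr, value) { const { addr, tag } = splitPtr(ptr); this.check(addr, tag); this.bytes[addr] = value; }
  load(ptr) { const { addr, tag } = splitPtr(ptr); this.check(addr, tag); return this.bytes[addr]; }
}

// Runs `fn` and reports whether it was stopped by a tag fault.
function faults(fn) {
  try { fn(); return false; } catch (e) { if (e instanceof TagMismatch) return true; throw e; }
}

function demo() {
  const heap = new TaggedHeap();
  const a = heap.malloc(32);   // two granules
  const b = heap.malloc(32);   // adjacent to a, guaranteed a different tag
  heap.store(a, 0x41);
  heap.store(a + 31, 0x42);    // last in-bounds byte of a
  const inBounds = heap.load(a) === 0x41 && heap.load(a + 31) === 0x42;
  const overflowFault = faults(() => heap.store(a + 32, 0x43));  // one past the end: b's granule
  const neighbourIntact = heap.load(b) === 0;                     // the write never happened
  heap.free(a);
  const uafFault = faults(() => heap.load(a));                   // stale pointer, old tag
  return { inBounds, overflowFault, neighbourIntact, uafFault };
}

console.log(demo());
```

Two properties of the model carry the security argument: the tag rides along with pointer arithmetic (`a + 32` still carries a’s tag but lands on b’s granule), and freeing retags rather than merely unmapping, so a dangling pointer fails its very next access instead of reading whatever was reallocated there. Real hardware adds what this model cannot: 16-byte granularity means an overflow that stays inside the last granule is not caught, which is one reason Apple pairs tagging with allocator changes.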

“Apple has a deep understanding of this problem space, and because they control both the hardware (Apple Silicon) and the software (iOS), they have the unique ability to engineer a tightly integrated and very effective security mechanism,” said Patrick Wardle, co-founder and CEO of DoubleYou, a company that specializes in Apple security. “This kind of approach, which depends on tight coupling between the chip and the operating system, is something most other vendors cannot replicate as easily since they do not own both sides of the stack.”

The company acknowledges in a blog post that the system does not entirely eliminate spyware's ability to run on an Apple device, but says it makes it extremely difficult for attackers to run spyware successfully or to maintain access once a device has been compromised. 

“While there’s no such thing as perfect security, MIE is designed to dramatically constrain attackers and their degrees of freedom during exploitation,” the blog post reads. 

The efforts have parallels elsewhere: Microsoft's "memory integrity" setting in Windows 11, which is hypervisor-enforced code integrity rather than hardware tagging, and Google's support for Arm's Memory Tagging Extension on its recent Pixel devices.

Natalia Krapiva, senior tech-legal counsel at Access Now, told CyberScoop she thought it was “great” that Apple was taking effective measures since it’s “always a cat-and-mouse” game when large tech companies create ways to thwart spyware developers.

“These spyware developers like finding new ways of targeting people, evading detection and so on,” Krapiva told CyberScoop. “This is great to see Apple coming up with new ways to protect high-risk users.”

The one drawback Krapiva did highlight is that this system is only available on new devices. Access Now works internationally with groups that are often targeted by spyware on devices that are several generations older than what most consumers use. 

“For our communities, oftentimes these are grassroots, independent media. It’s very hard to afford new devices, especially Apple devices,” she told CyberScoop. “It could be a nice thing for Apple to have some kind of a program to allow for these types of groups to be able to access this.”

Third-party applications, including social media and messaging apps, can also take advantage of MIE. EMTE is likewise available to all Apple developers in Xcode, the company's developer toolkit, as part of the Enhanced Security feature it rolled out earlier this year. 

The post Apple’s new Memory Integrity Enforcement system deals a huge blow to spyware developers appeared first on CyberScoop.

U.S. indicts Ukrainian national for hundreds of ransomware attacks using multiple variants

By: Greg Otto
9 September 2025 at 15:26

The Department of Justice unsealed an indictment against a Ukrainian national alleged to be central to a ransomware campaign affecting hundreds of companies worldwide. 

Volodymyr Viktorovych Tymoshchuk, known online as “deadforz,” “Boba,” “msfv,” and “farnetwork,” is accused of developing and deploying ransomware variants Nefilim, LockerGoga, and MegaCortex, all of which have been used in attacks on prominent organizations in the United States, Europe, and elsewhere since at least 2018.

According to the indictment, filed in the Eastern District of New York, Tymoshchuk and his alleged co-conspirators are believed to have extorted more than 250 companies across the U.S. and hundreds more globally, generating tens of millions of dollars in damages. Victims suffered not just the loss of data and disabling of business operations, but high mitigation and recovery costs. 

Among the targets were blue-chip corporations, health care institutions, and major industrial firms. Prosecutors detailed how the group tailored attacks to entities with annual revenues exceeding $100 million, sometimes specifically seeking out companies in the U.S., Canada, or Australia.

Additionally, the State Department announced rewards totaling up to $10 million for information leading to the arrest or conviction of Tymoshchuk, with a separate reward of up to $1 million for information on other key leaders of the groups deploying the ransomware variants.

“Volodymyr Tymoshchuk repeatedly used ransomware attacks to target hundreds of companies in the United States and around the globe in attempts to extort victims. Today’s announcement should serve as a warning: cyber criminals may believe they act with impunity while conducting harmful cyber intrusions, but law enforcement is onto you and will hold you accountable,” said Christopher Raia, FBI assistant director in charge. “The FBI along with our law enforcement partners will continue to scour the globe to bring to justice any individual attempting to use the anonymity of the internet to commit crime.”

Authorities say the Nefilim variant operated in a “ransomware as a service” model. Tymoshchuk allegedly acted as an administrator, providing ransomware tools to affiliates — including co-defendant Artem Stryzhak, who was extradited from Spain in April and awaits trial in New York — in exchange for a share of payments.

Federal prosecutors reported that many attacks were thwarted after law enforcement warned potential victims their networks were compromised before ransomware was deployed. Still, ransomware groups continued to iterate with new malicious code after older versions had been unraveled by defenders.

The investigation was carried out by the U.S. Attorney’s Office for the Eastern District of New York’s National Security and Cybercrime Section, alongside the Department of Justice’s Computer Crime and Intellectual Property Section. The Justice Department’s Office of International Affairs, FBI Legal Attachés, and authorities from more than 10 European countries played key roles in the case’s development.

Despite these efforts, Tymoshchuk remains a fugitive. 

You can read the full indictment on the Department of Justice’s website.


Mitsubishi Electric to acquire Nozomi Networks in $1 billion deal

By: Greg Otto
9 September 2025 at 10:22

Industrial conglomerate Mitsubishi Electric has agreed to acquire OT and IoT cybersecurity specialist Nozomi Networks in a transaction that values the San Francisco-based firm near the $1 billion mark. The deal, slated to close in the fourth quarter of 2025, will see Nozomi Networks become a wholly owned subsidiary while continuing to operate independently.

The acquisition represents Mitsubishi Electric’s largest to date, with the company set to purchase the 93% of Nozomi shares it does not already own for $883 million in cash. Mitsubishi Electric previously acquired a 7% stake through Nozomi’s $100 million Series E funding round in early 2024, a relationship that laid the foundation for the takeover.

Following the transaction’s closure, Nozomi Networks will retain its brand, leadership, and personnel, maintaining its headquarters in San Francisco and its research and development hub in Switzerland. Both parties have indicated there will be no disruption to operations, roadmaps, or external partnerships.

Nozomi Networks focuses on security in operational technology (OT), Internet of Things (IoT), and cyber-physical systems (CPS). Its platform, designed for critical infrastructure and industrial organizations, focuses on asset discovery, continuous monitoring, anomaly detection, and vulnerability management. The company generated $75 million in revenue in 2024, an increase from $62 million the previous year.

The integration of Nozomi’s cloud-first, AI-powered solutions into Mitsubishi Electric’s portfolio grants the Japanese industrial giant a stake in advanced industrial cybersecurity at a time when OT and IoT environments are seeing increased attention due to rising threats of cyberattacks and operational disruptions. 

“By becoming part of Mitsubishi Electric, we will combine our strengths to drive the next generation of industrial security and innovation to bring additional value for customers around the world,” said Edgard Capdevielle, president and CEO of Nozomi Networks. “With the combined global reach and resources of both companies, we can supercharge our innovation engine, helping industrial organizations secure and accelerate their own digital transformations.”

Mitsubishi Electric, which brings more than a century of experience in industrial technology, sees the purchase as a way to accelerate the digital transformation of critical infrastructure clients globally. Combining its operational expertise with Nozomi’s technology is expected to result in the development of new AI-powered solutions tailored for OT and IoT use cases.

“This acquisition will enable us to co-create valuable new services while supporting Nozomi’s commitment to innovation and customer flexibility,” said Satoshi Takeda, Mitsubishi Electric’s senior vice president. “Together, we can help our customers achieve their digital transformation goals while enhancing security, efficiency, and resilience.”

The transaction is expected to receive all necessary regulatory approvals and is anticipated to close by the end of 2025. 


Cato Networks acquires AI security startup Aim Security

By: Greg Otto
3 September 2025 at 16:11

Israeli cybersecurity company Cato Networks has acquired AI security startup Aim Security in its first ever acquisition, reflecting the broader industry rush to address security challenges posed by artificial intelligence adoption.

The deal combines Cato’s Secure Access Service Edge (SASE) networking platform with Aim’s AI security capabilities, allowing the company to protect customers from threats associated with generative AI tools and applications. Financial terms were not disclosed. 

The acquisition underscores how cybersecurity companies are scrambling to develop solutions for AI-related risks as enterprises rapidly adopt AI tools without fully understanding potential vulnerabilities. Aim’s technology addresses three key areas: securing employee use of public AI applications, protecting private AI systems, and managing security throughout AI development lifecycles.

“AI transformation will eclipse digital transformation as the main force that will shape enterprises over the next decade,” said Shlomo Kramer, CEO and co-founder of Cato Networks. “With the acquisition of Aim Security, we’re turbo-charging our SASE platform with advanced AI security capabilities to secure our customers’ journey into the new and exciting AI era.”  

Cato’s move comes as the company also extended its Series G funding round with an additional $50 million from Acrew Capital, bringing the total round to $409 million.

The acquisition reflects broader consolidation in the cybersecurity sector as companies seek to expand their capabilities to address evolving threats. Palo Alto Networks agreed in June to acquire CyberArk Software for approximately $25 billion, primarily to gain identity security tools that can be integrated with AI programs. Earlier this week, Varonis announced it has acquired SlashNext, an AI-driven email security company, for $150 million.

Aim Security, founded in 2022 and backed by YL Ventures and Canaan Partners, has positioned itself at the forefront of enterprise AI security. The company’s research team recently identified the first reported zero-click AI vulnerability in Microsoft 365 Copilot, dubbed “EchoLeak,” demonstrating the emerging nature of AI-specific security threats.

Cato plans to offer Aim’s capabilities as part of its SASE platform beginning in early 2026, providing existing customers with a migration path from standalone AI security solutions to integrated platform capabilities.


Varonis buys AI email security firm SlashNext

By: Greg Otto
2 September 2025 at 10:22

Varonis has acquired SlashNext, an AI-driven email security company, for up to $150 million in a move that reflects the rising role of artificial intelligence in both attack and defense.

The acquisition, announced Tuesday, brings together Varonis’ focus on data-centric security and threat detection with SlashNext’s technology for blocking phishing and social engineering attacks across email and collaboration platforms. The companies cited a rapidly evolving threat environment, as cybercriminals increasingly use AI to target victims on channels reaching beyond traditional email, including Slack, Microsoft Teams, WhatsApp, and Zoom.

Founded by Atif Mushtaq, who worked on FireEye’s malware detection systems, SlashNext deploys predictive AI models to identify, remove and block socially engineered threats. Its technology leverages computer vision, natural language processing, and virtual browsers to pinpoint signs of compromise.

Independent testing has placed SlashNext’s detection rates near the top of the industry. The Tolly Group, which evaluates cybersecurity tools, found SlashNext delivering 99% overall detection accuracy and a 100% detection rate for business email compromise (BEC) and QR code attacks.

Varonis has focused on real-time data threat detection since 2013. Its security portfolio has since expanded to include user and entity behavior analytics, incident response, and managed data detection and response (MDDR) services with a 30-minute service-level agreement for ransomware cases. The company claims to have prevented an average of five cyberattacks daily for its customers.

CEO Yaki Faitelson, who co-founded Varonis, described the acquisition as “a natural evolution” of the company’s platform. “By connecting the dots between email, identity, and data, we will dramatically increase the value of our MDDR service and help customers stop threats in their inbox, where many data breaches begin,” he said in a press release.

The SlashNext acquisition is the second one for Varonis this year. In March, it acquired Cyral, a company that specialized in database activity monitoring. 

