Category: Cybersecurity

  • When Trusted RMM Tools Become the Attacker’s Backdoor

    The Skeleton Key Problem: When Trusted RMM Tools Become the Attacker’s Backdoor

    Remote Monitoring and Management tools are a cornerstone of modern IT and MSP operations. They are powerful, deeply trusted, and designed to give administrators broad control over endpoints. That trust is exactly what makes them so dangerous when abused.

    A recent analysis from KnowBe4 highlights a growing threat they call the “Skeleton Key” problem. Attackers are weaponizing legitimate RMM tools to gain persistent, stealthy access to victim environments.

    This is not about exploiting obscure malware. It is about abusing the same tools defenders rely on every day.

    How the Attack Works

    The core idea is simple and effective.

    Attackers obtain access to an environment through a familiar initial vector such as phishing, credential theft, or exploitation of an exposed system. Once inside, instead of deploying noisy malware, they install a legitimate RMM agent.

    Because RMM software is trusted by default in many environments, it often bypasses security controls, application allowlists, and even user suspicion. From that point forward, the attacker has what amounts to a master key.

    They can:

    • Execute commands remotely
    • Deploy additional payloads
    • Maintain persistence across reboots
    • Blend in with legitimate administrative activity

    To security tools and logs, this can look like normal IT management traffic.

    Why RMM Abuse Is So Hard to Detect

    Traditional security thinking focuses on blocking unknown or malicious software. RMM flips that model on its head.

    These tools are:

    • Digitally signed
    • Widely used by MSPs and internal IT teams
    • Designed to run continuously in the background

    When attackers use them, they inherit that trust. Alerts that would normally fire for remote execution or system changes may never trigger because the activity is coming from an approved tool.

    In effect, the attacker is living off the land using enterprise-grade software.

    The Growing Risk for MSPs and SMBs

    This threat is especially concerning for MSPs and the small and mid-sized businesses they support.

    If an MSP RMM platform is compromised or abused, attackers can potentially pivot across multiple client environments. That turns a single intrusion into a supply chain event.

    Even in single tenant environments, unmanaged or poorly governed RMM usage creates blind spots where attackers can persist for long periods without detection.

    Defensive Takeaways That Actually Matter

    The lesson is not to abandon RMM. That is unrealistic. The lesson is to treat RMM as a high-risk asset that deserves the same governance as privileged access.

    Key defensive steps include:

    • Strict control over who can deploy RMM agents
    • Monitoring for new or unauthorized RMM installations
    • Logging and reviewing RMM-initiated actions as privileged events
    • Tying RMM usage to strong identity controls and MFA
    • Periodic audits of all remote management tools in use

    If your security stack cannot tell the difference between authorized and unauthorized RMM activity, you have a visibility gap.
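    The visibility gap described above, telling authorized RMM activity apart from unauthorized activity, written as a detection check over process-creation telemetry. This is an added example, not code from the original post or from KnowBe4; RMM_CATALOG, APPROVED_RMM, the "ExampleRMM" product and the sample log records are constructed assumptions to be replaced with your own inventory and policy.

```python
"""Separate authorized from unauthorized RMM agent activity in process-creation telemetry.

Added example, not from the original post. Input is a few constructed Sysmon-style
EventID 1 (process creation) records; RMM_CATALOG and APPROVED_RMM are illustrative
placeholders an organization would replace with its own inventory and policy.
"""
from __future__ import annotations
import ntpath
import re
from dataclasses import dataclass

# Illustrative catalog: remote-management / remote-access product -> image file names its
# agent runs under (lower-case). Populate this from your own asset inventory.
RMM_CATALOG = {
    "AnyDesk": {"anydesk.exe"},
    "TeamViewer": {"teamviewer.exe", "teamviewer_service.exe"},
    "ScreenConnect": {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"},
    "ExampleRMM": {"examplermm_agent.exe"},  # placeholder name for the sanctioned MSP tool
}

# Policy: the one product this environment sanctions and the directory its agent is
# deployed to. The same binary anywhere else is a hand-deployed copy and must be reviewed.
APPROVED_RMM = {"ExampleRMM": "c:\\program files\\examplermm\\"}

@dataclass(frozen=True)
class Finding:
    reason: str   # UNAUTHORIZED_RMM or APPROVED_RMM_UNEXPECTED_PATH
    product: str
    image: str
    user: str
    parent: str

_KV_SPLIT = re.compile(r"\s+(?=\w+=)")  # split on whitespace that precedes the next Key=

def parse_event(line: str) -> dict[str, str]:
    """Parse a 'Key=Value Key=Value ...' record; values themselves may contain spaces."""
    fields: dict[str, str] = {}
    for token in _KV_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def identify_product(image: str) -> str | None:
    """Map an image path to a catalog product by file name, or None if it is not an RMM agent."""
    name = ntpath.basename(image).lower()
    return next((p for p, names in RMM_CATALOG.items() if name in names), None)

def classify(event: dict[str, str]) -> Finding | None:
    """Return a Finding for RMM activity that violates policy, else None (baseline or irrelevant)."""
    if event.get("EventID") != "1":
        return None  # only process-creation records are examined here
    image = event.get("Image", "")
    product = identify_product(image)
    if product is None:
        return None
    common = dict(product=product, image=image,
                  user=event.get("User", "?"), parent=event.get("ParentImage", "?"))
    approved_dir = APPROVED_RMM.get(product)
    if approved_dir is None:
        return Finding("UNAUTHORIZED_RMM", **common)               # a tool nobody approved
    if not image.lower().startswith(approved_dir):
        return Finding("APPROVED_RMM_UNEXPECTED_PATH", **common)  # right tool, wrong place
    return None  # sanctioned product in its sanctioned install path: normal IT activity

def scan(lines) -> list[Finding]:
    """Run classify() over an iterable of log lines, skipping blanks."""
    findings = []
    for line in lines:
        if line.strip():
            finding = classify(parse_event(line))
            if finding is not None:
                findings.append(finding)
    return findings

# Constructed sample telemetry (not real logs): records 1 and 4 are routine; 2 and 3 are not.
SAMPLE_LOG = r"""
EventID=1 UtcTime=2025-01-15 09:02:11 Image=C:\Program Files\ExampleRMM\examplermm_agent.exe User=NT AUTHORITY\SYSTEM ParentImage=C:\Windows\System32\services.exe
EventID=1 UtcTime=2025-01-15 09:14:52 Image=C:\Users\jdoe\Downloads\AnyDesk.exe User=CORP\jdoe ParentImage=C:\Windows\explorer.exe
EventID=1 UtcTime=2025-01-15 09:15:03 Image=C:\Users\jdoe\AppData\Local\Temp\examplermm_agent.exe User=CORP\jdoe ParentImage=C:\Windows\System32\cmd.exe
EventID=1 UtcTime=2025-01-15 09:20:00 Image=C:\Windows\System32\svchost.exe User=NT AUTHORITY\SYSTEM ParentImage=C:\Windows\System32\services.exe
EventID=3 UtcTime=2025-01-15 09:21:10 Image=C:\Users\jdoe\Downloads\AnyDesk.exe DestinationPort=443
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.reason:29} {f.product:11} {f.user:22} {f.image}  (parent: {f.parent})")
```

    The second finding is the one most stacks miss: the sanctioned tool itself, just not where the MSP installed it.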

    Credit and Further Reading

    This post is based on and inspired by the excellent analysis from KnowBe4 titled “The Skeleton Key: How Attackers Weaponize Trusted RMM Tools for Backdoor Access.”
    Full credit goes to the KnowBe4 research team for clearly articulating this emerging threat and why it matters.

    If you manage endpoints, run an MSP, or advise organizations on cybersecurity risk, this is required reading.

    In Summary

    Attackers are not always breaking in with exotic malware. Sometimes they are walking through the front door using tools you already trust.

    If RMM is your skeleton key, make sure you control who holds it.

  • Microsoft Integrates Sysmon Into Windows 11 and Server 2025: Pros and Cons

    What’s happening

    Sysmon (System Monitor) — a free tool from Microsoft’s Sysinternals suite — is being integrated natively into Windows 11 and Windows Server 2025. That seems *mostly* great, but the business person in me understands that businesses do things for business reasons. My guess is that this is foundational to a paid security product.

    What that means:

    • Instead of needing to deploy Sysmon as a separate download and manage it independently, organizations will have the functionality built-in (available via the “Optional Features” settings).
    • Classic Sysmon capabilities will be preserved: monitoring process creation/termination, file creation, network connections, DNS queries, process access, etc.
    • Management and deployment should become easier: updates handled via Windows Update, centralized configuration potentially easier.
    • Microsoft also says documentation and “enterprise management features and AI-powered threat detection capabilities” will be coming.

    Pros

    1. Easier deployment & coverage
      Since Sysmon will be built-in, organisations don’t have to separately push the tool out, track installations, or worry about version mismatches or missing endpoints. That means fewer gaps in endpoint visibility.
    2. Simplified updates & lifecycle management
      Because it’s integrated, updates can arrive via the standard Windows Update channels. That reduces the management overhead of a separate tool chain.
    3. Consistent baseline functionality
      The announcement says that the standard Sysmon feature set will remain (custom config files, advanced filtering, etc). That means you don’t lose functional depth just because it’s built-in (BleepingComputer).
    4. Better alignment with enterprise security strategy
      Built-in capability means more organisations can adopt it, security-ops teams can rely on the tool being present, and you can manage via standard OS management tooling. This is especially relevant for your cybersecurity strategy work.
    5. Potential for richer integration
      With Microsoft promising AI-powered detection and enterprise features, there may be tighter integration with Windows logging, the event pipeline, and broader detection/response workflows. This can help advance threat hunts, EDR/UEBA coverage, and visibility.

    Cons

    1. Dependence on Microsoft’s schedule and support model
      Because the capability is built into the OS, you are reliant on Microsoft’s update cadence, documentation, and support. If Microsoft delays features, you might be stuck waiting rather than deploying an independent version more quickly.
    2. Possibility of reduced flexibility or slower innovation
      Independent Sysmon (via Sysinternals) can evolve freely; when tool functionality is tied into OS builds, you may see slower iteration, or features that must align with broader OS lifecycle.
    3. Potential for confusion between versions/configs
      Organisations already using Sysmon separately will need to plan migration, versioning, configuration consistency, and ensure policies continue to work. There may be overlap or conflict between the standalone version and built-in version during transition.
    4. Licensing/support overhead may shift
      While the functionality is built-in, how Microsoft handles support and future features may be tricky. Look for new paid add-ons in the future.
    5. Risk of complacency
      Because the tool becomes “built-in” there’s a risk security teams assume visibility is solved, without validating configuration, filtering, or ensuring proper event coverage. Even with built-in Sysmon you will still need to pay attention to monitoring pipelines and alerting logic.

    Implications for your environment

    If you’re leading cybersecurity and IT operations and dealing with solutions like SIEM, EDR, and PAM, consider:

    • Plan for migration: If you already deploy Sysmon standalone, map out how you will transition to the built-in version (or whether you’ll continue standalone). Consider configuration file compatibility, versioning, and overlapping logs.
    • Review your custom Sysmon config and event-filtering strategy now: Even though functionality is preserved, you’ll want to validate that your configs still behave as expected in the built-in scenario.
    • Leverage the deployment simplification: Since fewer endpoints may need additional installation, your RMM/EDR agents (e.g., your environment with Datto RMM, Blackpoint Cyber MDR) can focus more on orchestration, configuration management, tuning.
    • Hints of enterprise features? The upcoming documentation and enterprise management enhancements may provide new hooks for your SOC pipeline or SIEM ingestion.
    • Guard against configuration drift: Just because the tool is built in doesn’t mean your configurations will auto-optimize. Ensure your monitoring, alerting and event-flow still align with your risk posture and controls.

    Takeaway:
    Integrating Sysmon directly into Windows is a compelling upgrade for endpoint visibility and management. But the change also requires forethought, i.e. migration planning. Failure to plan could lead to gaps or misconfiguration.

  • Would You Ignore a 1-in-3 Chance of a $250,000 Loss?

    If someone told you that you had a one in three chance of an accident this year that could cost your business $250,000, what would you do?

    Would you roll the dice and hope it doesn’t happen?
    Or would you buy an insurance policy that dramatically reduces your risk?

    That’s the same calculation every small and mid-sized business faces when it comes to cybersecurity.

    According to Microsoft’s 2024 SMB Cybersecurity Report, 31% of small and mid-sized businesses experienced a cyberattack in the past year, and the average cost of an incident exceeded $250,000. For many organizations, that’s not just a setback! I’ve seen businesses go under from a loss of this size; it’s an existential threat!


    The ROI of Prevention

    Now imagine you could reduce that $150,000–$250,000 loss risk for about $3,500 a month by investing in security tools, monitoring, and staff training. That’s $42,000 per year to safeguard the entire business. That’s far less than a full-time employee in much of the US.

    The return on investment is clear:

    • Losses avoided: $150,000
    • Annual cost: $42,000
    • ROI: 257%

    That’s not an expense — that’s a high-performing investment.

    Every dollar spent on proactive cybersecurity yields more than $2.50 in protected value, not counting the reputational damage, lost clients, and downtime avoided.


    Cybersecurity Is Business Insurance

    Cybersecurity isn’t just about technology, it’s about risk management. It functions like an insurance policy you can actively control.

    Unlike traditional insurance, cybersecurity investments don’t just pay off when something goes wrong. They improve efficiency, reduce downtime, and build client trust every day. And unlike insurance premiums, your controls (such as employee training, managed detection and response, and strong identity protection) actually reduce the odds of an incident.

    Would you refuse to insure your business vehicles with a 1-in-3 chance of a crash this year?
    Probably not.
    Yet that’s effectively what many SMBs do when they delay or minimize cybersecurity investment.


    The True Cost of “Doing Nothing”

    The average cyberattack costs more than money. It brings:

    • Weeks of downtime
    • Lost customer confidence
    • Regulatory fines (especially if personal data is exposed)
    • Employee stress and turnover

    Recovery costs often exceed the original damage. Even a small ransomware attack can consume weeks of effort! That’s time that should have been spent serving customers and growing the business.


    The Smarter Investment

    When you frame cybersecurity as an investment, not an expense, the logic becomes simple:

    Investment                               | Annual Cost | Potential Loss Avoided | ROI
    Cyber controls, monitoring, and training | $42,000     | $150,000               | 257%

    It’s like paying $1 for every $2.50 you keep safe.
    No CFO would ignore that kind of return.


    In Summary

    If there’s a 1-in-3 chance of losing $250,000, and a $3,500 monthly cybersecurity plan can prevent it, the question isn’t “Can we afford it?” but “Can we afford not to?”

  • The cybersecurity reality for SMBs

    In today’s digital environment, SMBs can no longer assume “we’re too small to matter” when it comes to cyber-threats. Microsoft’s report underscores how the risk has become pervasive and how the stakes are significant for organizations with limited resources yet major responsibilities. The findings reveal both awareness and a gap between knowing the risk and acting fully on it.

    Here is a summary of the Microsoft report from a survey of SMBs.
    Read the Full Report Here

    5 Key Statistics

    Here are five standout figures from the report:

    1. 94% of SMBs say cybersecurity is critical to their success.
      According to Microsoft, 94% of SMB respondents recognize that cybersecurity is fundamentally important to business success.
    2. About 1 in 3 SMBs suffered a cyberattack in the past year.
      The report notes roughly 31% of SMBs reported being victims of a cyberattack (including ransomware, phishing or data breach).
    3. The average cost of a cyberattack for an SMB is over US$250,000, and some incidents exceeded US$7 million.
      Microsoft reports that the cost to an SMB can easily top the quarter-million mark and in some cases go much higher.
    4. 81% of SMBs believe AI increases the need for additional security controls.
      As artificial intelligence becomes more widespread, 81% of SMBs view it as elevating their security requirements.
    5. Less than 30% of SMBs manage their security in-house.
      The report indicates that, due to limited resources and expertise, fewer than 30% of SMBs handle security internally; the rest rely on external providers or outsourcing.

    What this means for SMBs

    Given those statistics, here are some reflections and take-aways that SMBs (including you, if this applies) should consider:

    Awareness is high, but action must catch up

    Yes — 94% of SMBs know cybersecurity is critical. But the fact that ~1 in 3 have still been attacked suggests awareness alone isn’t sufficient. Investment in the right controls, training, governance and incident-response capability is essential.

    The financial risk is real

    With costs often exceeding US$250k (and in some cases many millions), cyberattacks can be existential for smaller companies. For SMBs with tighter margins, fewer resources, and less time to recover, the pressure is intense. Having a plan ahead of time can reduce both impact and downtime.

    New threats are emerging (AI, hybrid work, remote access)

    The finding that 81% of SMBs believe AI raises security demands signals that it’s not just “business as usual”. Threats are evolving, the attack surface is shifting (remote/hybrid work, cloud adoption, AI) and SMBs need to adapt accordingly.

    Outsourcing security is common but presents its own challenges

    Less than 30% of SMBs manage security internally. That means many professionals are depending on MSPs (managed service providers), consultants, SaaS tools, etc. While that’s often necessary, it creates dependencies: choose your providers carefully, establish clear SLAs, maintain visibility into what they do, and ensure you retain control over your security posture.

    Prioritisation and investment matter

    If 80%+ of SMBs intend to increase their security spending (as the report indicates), then the next question is where to invest. Data-protection, identity management (MFA, least‐privilege access), endpoint detection, and incident response planning should all be high on the list. Preventing an attack is far cheaper than recovering from one.


    Practical steps for SMBs today

    Here’s a brief “checklist” of actionable items based on these insights:

    • Conduct a cyber risk assessment: identify your assets (data, systems, identity), map your threat vectors (phishing, ransomware, remote access), and determine potential impact.
    • Ensure multi-factor authentication (MFA) is enabled for all privileged or remote access accounts.
    • Invest in employee training — phishing awareness, suspicious link detection, secure remote-work practices.
    • Implement an incident response plan: define roles, notification paths, backup/recovery procedures, and test it periodically.
    • Consider partnering with a trusted MSP or security consultant — but keep reporting, visibility and oversight top-of-mind.
    • Monitor emerging risks: AI/ML-driven threats, supply-chain vulnerabilities, cloud misconfigurations, hybrid work models.
    • Measure and track your security posture over time: number of access incidents, malware alerts, patching status, compliance with policies, etc.

    Final thoughts

    The Microsoft SMB Cybersecurity Report paints a clear message: SMBs cannot afford to be passive. The combination of widespread awareness (94%), meaningful attack rates (~31%) and potentially crippling costs (US$250k+) indicates urgency. At the same time, emerging threat vectors like AI and remote access complicate the picture.

    Yet it’s not too late — careful planning, targeted investment, smart outsourcing, and ongoing monitoring can shift a business from vulnerable to resilient. SMBs may not have the large budgets of enterprise giants, but they often have agility on their side: the ability to implement security controls, train staff, and build culture more quickly. With the right mindset and focus, smaller size can become an advantage rather than a disadvantage.

  • Protecting Yourself from FinTech Fraud: Five Common Scams and How to Stay Safe

    Financial technology, or FinTech, has made managing money faster and easier than ever. Apps can send money, invest, or pay bills in seconds. That same convenience can also make you a target for fraud.

    According to Stripe’s Guide to FinTech Fraud Detection, criminals use many different tricks to steal money or personal data. Understanding how these scams work is the best way to protect yourself.

    Below are five of the most common FinTech fraud attacks and what you can do to stop them before they happen.

    You will notice that I use “IMMEDIATELY” a lot. I don’t want you to misunderstand and think that I use it for impact. I use it because while transactions seem to happen in the blink of an eye, there is actually a window of time in which they can be reversed. It’s NOT a very long window, so reacting “IMMEDIATELY” is important.


    1. Account Takeover

    What happens: A criminal gets access to your account by stealing or guessing your password and then uses it to move money, make purchases, or change your settings.

    How to protect yourself:

    • Turn on multi-factor authentication (MFA) in every app that offers it, especially your bank and payment apps.
    • Never reuse passwords across multiple sites. Consider using a password manager to generate and store strong, unique passwords.
    • Watch for unusual login alerts or changes to your account and report them immediately.

    2. Payment Fraud and Card Testing

    What happens: Thieves use stolen card numbers to make fake purchases or to test which cards still work. Even a few small transactions can quickly add up.

    How to protect yourself:

    • Check your bank and card statements regularly. Set up transaction alerts so you are notified of any activity right away.
    • Use virtual card numbers for online shopping when possible since many banks and payment platforms now offer this feature.
    • Report any unauthorized charges immediately. Your bank can usually stop additional fraudulent activity.

    3. Identity Theft and Fake Accounts

    What happens: Fraudsters use your personal information, such as your Social Security number or driver’s license, to open new accounts or apply for loans in your name.

    How to protect yourself:

    • Never share your personal information unless you initiated the contact and are sure of the company’s legitimacy.
    • Use an identity monitoring or credit report service to track any new accounts opened in your name.
    • Shred old financial documents and store sensitive information securely.

    4. SIM Swaps and Phone Hijacking

    What happens: A scammer convinces your phone carrier to move your number to a SIM card they control. Once they have it, they can intercept text messages, including security codes, and access your accounts.

    How to protect yourself:

    • Avoid using text messages as your only form of authentication. Use an authenticator app or security key instead.
    • Add a PIN or password to your mobile carrier account to prevent unauthorized changes.
    • Be cautious of sudden loss of cell service because it can be a sign of a SIM swap attack.

    5. Insider and Fake Business Scams

    What happens: Sometimes fraud comes from within an organization or from fake businesses pretending to be legitimate merchants or investment firms. These scammers process fake payments or trick victims into transferring funds.

    How to protect yourself:

    • Before sending money or investing, verify the business. Check their website, contact details, and online reviews.
    • Be skeptical of any company that pressures you to act fast or promises guaranteed returns.
    • Use well-known payment apps and platforms that have fraud protection policies.

    Stay Alert, Stay Secure

    Fraud is constantly evolving, but awareness is your best defense. Use strong authentication, monitor your accounts regularly, and think carefully before sharing personal or financial details.

    As Stripe points out, fintech companies are working hard to detect and prevent fraud, but users play an equally important role in staying safe.

    In Summary:
    Fraudsters are always looking for weak spots, but with a few smart habits, you can make their job much harder. Protect your passwords, verify who you are dealing with, and act quickly if something does not look right.

  • Ransomware: What Small Businesses Need to Know

    When ransomware first hit headlines, attackers often lingered in networks for weeks or even months before making demands. That window has shrunk dramatically.

    Today, the average time from initial compromise to ransom is just 17 hours, with reports showing some attacks happening in as little as 6 hours. In other words, by the time many businesses realize something’s wrong, it’s already too late.

    The Paradox: Payments Down, Attacks Up

    Interestingly, ransom payments have declined in recent years. Organizations are more reluctant to pay, and law enforcement agencies strongly discourage it. But this hasn’t slowed attackers. In fact, the number of ransomware attacks continues to rise.

    Why? Cybercriminals understand that they can still disrupt operations, steal sensitive data, and pressure victims with threats of exposure. Even if fewer organizations pay, the volume of attacks ensures that enough victims will give in to make it worthwhile.

    Why Small and Mid-Sized Businesses Are at Risk

    Large enterprises often dominate the headlines, but small and mid-sized businesses (SMBs) are increasingly being targeted. The reason is simple: many SMBs have limited security resources and little awareness of just how quickly ransomware can spread.

    Attackers know this. They automate scanning for weaknesses and exploit them rapidly, banking on the fact that smaller companies won’t notice until it’s too late.

    The Key Defense: Continuous Network Monitoring

    Given how quickly ransomware can move, continuous network monitoring is no longer optional. Tools and practices like Endpoint Detection & Response (EDR), Managed Detection & Response (MDR), and Security Information & Event Management (SIEM) give you real-time visibility into what’s happening inside your systems.

    This isn’t about paranoia, it’s about reducing the time to detection. If criminals can move from access to ransom in 6 hours, your team needs the ability to detect and contain the breach in minutes, not days.

    Practical Steps You Can Take Now:

    • Assess your visibility: Do you know what’s happening in your network right now?
    • Deploy monitoring tools: Even small businesses can afford lightweight MDR or SOC-as-a-service options.
    • Plan for incidents: Have a clear ransomware response plan — who to call, what systems to isolate, and how to restore from backups.

    In Summary

    Ransomware isn’t slowing down, it’s speeding up. While ransom payments may be declining, the sheer number of attacks is climbing and SMBs are firmly in the crosshairs. The best defense is awareness and action, starting with continuous network monitoring.

    I know you’re not watching your network…but chances are someone else is.

  • When AI Bots Break the Rules: Lessons from Perplexity’s Stealth Crawling

    Artificial intelligence is reshaping how we access and use information, but with that power comes responsibility. Recent findings by Cloudflare and investigative reporting from CyberScoop have revealed troubling behavior by Perplexity, an AI-powered answer engine, that challenges the ethical foundation of AI data practices.

    The Incident: Crawling Behind Closed Doors

    Cloudflare discovered that Perplexity’s crawlers were accessing content even when websites explicitly blocked them via robots.txt and firewall rules. To verify, Cloudflare created private “honeytrap” domains, completely undiscoverable and locked down from bots. When Perplexity returned answers sourced directly from these restricted sites, the evidence was clear—these crawlers were bypassing protections.

    Cloaked Crawls and Evasion Tactics

    Rather than respecting access rules, Perplexity reportedly:

    • Impersonated regular browsers like Chrome to avoid detection
    • Rotated IP addresses and hosting networks to slip past filters
    • Ignored robots.txt and other site owner directives

    These tactics suggest deliberate avoidance of web standards designed to foster trust between site owners and automated crawlers.

    ⚠️ Why This Matters: Trust Is Fragile

    The web relies on a shared understanding: crawlers identify themselves, respect boundaries, and play by the rules. When an AI company violates these norms, it doesn’t just break trust with site owners—it undermines the integrity of the entire ecosystem. Cloudflare’s response was decisive, blocking the offending bots and stripping Perplexity of its “verified” crawler status.

    ✅ A Contrast in Behavior: OpenAI’s Approach

    Interestingly, Cloudflare highlighted that OpenAI’s bots adhered to site instructions, backing off when told not to crawl. This difference underscores an important point: compliance is not optional—it’s a baseline expectation.


    My Take: Innovation Needs Boundaries

    AI tools like Perplexity hold incredible potential to enhance our access to knowledge, but cutting-edge technology is not a license to bypass rules. Web standards exist to protect the rights of content creators, maintain trust, and ensure that innovation benefits everyone—not just the companies pushing boundaries.

    Breaking these rules in the name of progress is shortsighted. True innovation respects the ecosystem it operates in. Ethical AI providers must prioritize transparency, consent, and respect for established norms. Anything less risks eroding the trust they depend on to thrive.


    Lessons for Website Owners and AI Companies

    1. Website Owners:
      • Monitor crawler activity closely and use tools like Cloudflare’s WAF to enforce boundaries.
      • Consider new “pay-per-crawl” models that allow compensation when AI systems use your data.
    2. AI Companies:
      • Respect robots.txt and other site policies—these are not suggestions.
      • Be transparent about data collection practices to build long-term trust.
      • Remember: being on the cutting edge does not grant carte blanche to break the rules.

    Moving Forward

    The Perplexity case is a wake-up call. The future of AI must be built not only on technological advances but also on ethical conduct. The companies that will ultimately lead this space will be those that respect the boundaries of others while pushing the limits of what’s possible.


  • What is Salt Typhoon and why should I care?

    What is Salt Typhoon?

    Salt Typhoon is a state-sponsored Chinese Advanced Persistent Threat (APT) believed to operate under China’s Ministry of State Security. Its espionage operations began around 2020 and have heavily targeted U.S. critical infrastructure (CyberScoop).


    How did they infiltrate U.S. telecom networks?

    • Initial access via unpatched vulnerabilities in critical network gear—especially Cisco routers, Fortinet, and Versa Director systems—often exploiting default or weak admin credentials.
    • Once inside, they leveraged tools already present on the systems (“living off the land,” such as PsExec and WMIC) to avoid detection and maintain stealthy network access.
    • They carefully erased logs and stayed embedded for months—or longer. Cisco Talos notes one case with persistent presence for over three years.

    Scope of the breach: What was affected?

    • At least eight U.S. telecom firms were breached (Verizon, AT&T, T‑Mobile, Spectrum, Lumen, Windstream, Consolidated, and another unnamed firm); a ninth was confirmed later by the White House.
    • Access extended to infrastructure handling lawful intercepts (CALEA systems), exposing text and call metadata—and in some cases, even call audio—of over a million individuals, including senior political figures (Trump, Vance, Harris campaign).
    • Metadata included timestamps, phone numbers, IP addresses, and live intercepts.

    Broader implications

    • Senate Intelligence Chair Sen. Mark Warner described it as “the worst telecom hack in our nation’s history”—worse even than SolarWinds or Colonial Pipeline.
    • The intrusion extended beyond espionage: it potentially granted visibility and control over communications infrastructure—vital in crisis or conflict scenarios.
    • U.S. authorities fear this is a strategic campaign to enable future disruption, pre-positioning within critical inter-state communication networks.

    Government response & policy shifts

    • U.S. agencies (FBI, CISA, NSA, FCC) issued hardening guidance—patching, monitoring, stronger authentication, log retention.
    • Calls emerged for mandatory cybersecurity regulations for telecoms, culminating in new FCC rules championed by Chair Rosenworcel.
    • The Treasury .
    • However, full eviction of the hackers is still a challenge—remediation may require replacing thousands of devices.

    Summary: Key facts at a glance

    Category               | Details
    Actor                  | Salt Typhoon (MSS-affiliated)
    Breach timeline        | From at least mid-2023 through late 2024, possibly earlier
    Firms affected         | 8–9 major U.S. telecoms
    Data compromised       | Call metadata, wiretap systems, live audio
    Depth of access        | Router-level access via Cisco exploits
    Strategic threat level | Espionage with potential for disruption

    What this means for you

    While the average consumer’s daily service hasn’t been significantly disrupted, this breach compromises the integrity and privacy of communications infrastructure. As a result, safer communication practices like using end-to-end encrypted apps (Signal, WhatsApp) are now recommended (WIRED).

    Why do the carriers not care?

    The fact of the matter is that this had no financial impact on the carriers. Yes, they failed to secure our data and communications, but there is no real downside for them.

  • Balancing Budgets and Breaches: The Risky Tradeoff of Cutting Tech Talent

    Balancing Budgets and Breaches: The Risky Tradeoff of Cutting Tech Talent


    In an era where technology drives competitive advantage, companies are under increasing pressure to cut costs while remaining innovative. Artificial Intelligence (AI) has emerged as a compelling solution, promising automation, efficiency, and scalability. For executive boards focused on shareholder value and margin expansion, it’s easy to see AI as a strategic investment—especially during periods of financial tightening.

    But as organizations accelerate their shift toward automation, many are making a consequential tradeoff: reducing their technical headcount, especially in cybersecurity and IT operations. While this may appear to streamline expenses in the short term, the longer-term implications deserve closer scrutiny.

    Recent examples from major firms like Microsoft and CrowdStrike underscore this trend. Both companies have announced workforce reductions—7,000 and several hundred jobs respectively—while ramping up AI investments (Microsoft Layoffs, CrowdStrike Cuts). For board members, this shift may look like prudent fiscal management—but there’s another side to the story.

    Cybersecurity Staffing: An Unseen Cost

    According to a Dark Reading article, mass layoffs in information security can create hidden vulnerabilities. More than 80% of departing employees take some form of sensitive information with them—either unintentionally or maliciously. This risk grows exponentially when defensive cybersecurity staff are reduced or replaced without a solid transition plan in place.

    Cutting defensive staff may also mean fewer eyes on real-time alerts, fewer team members conducting penetration testing, and longer response times during active threats. AI can certainly assist with detection and automation—but it still needs experienced humans to interpret signals, act with nuance, and make judgment calls in rapidly evolving threat environments.

    Why Boards Feel the Pressure

    From the boardroom perspective, AI can look like a smart play. Technology vendors promise lower long-term operational costs, 24/7 monitoring, and faster throughput. And with capital markets and investors increasingly fixated on profitability and growth, the drive to find cost efficiencies is real. This is particularly acute in tech-heavy sectors where headcount is a large portion of operational spend.

    However, while automation can enhance productivity, it doesn’t eliminate risk. When cybersecurity roles are seen as cost centers rather than risk mitigation investments, the balance can tip dangerously toward exposure.

    A Smarter Path Forward

    This isn’t a call to reject AI. On the contrary, AI is already improving outcomes in areas like phishing detection, log analysis, and behavioral anomaly monitoring. But it works best as a co-pilot—not a replacement—for skilled professionals.

    Boards and executive teams must consider hybrid models that integrate AI with existing human talent. Upskilling employees to work alongside AI, rather than replacing them outright, can preserve institutional knowledge while embracing innovation.

    Final Thoughts

    It’s understandable that companies seek to do more with less. But as cybersecurity threats become more sophisticated and reputational risks grow, the decision to replace experienced defenders with machines should be made with full awareness of the tradeoffs. AI may be the future—but it’s not a substitute for human expertise just yet.


  • Are you hosting a BotNet node?

    Are you hosting a BotNet node?

    Cybercrime Alert: FBI Warns of Botnet-Driven Attacks on Old Network Routers

    The FBI’s Internet Crime Complaint Center (IC3) has issued a critical alert regarding the 5Socks proxy service, a tool exploited by cybercriminals to mask malicious activities. This service facilitates the operation of botnets—networks of compromised devices—enabling a range of cyberattacks that threaten individuals and organizations alike.


    Understanding Botnets: The Hidden Threat

    A botnet is a collection of internet-connected devices, such as computers and smartphones, that have been infected with malware and are controlled remotely by cybercriminals. These compromised devices, often referred to as “bots” or “zombies,” can be orchestrated to perform coordinated attacks without the owners’ knowledge.

    Botnets are utilized for various malicious purposes, including:

    • Distributed Denial-of-Service (DDoS) Attacks: Overwhelming targeted systems with traffic to disrupt services.
    • Spam Distribution: Sending massive volumes of unsolicited emails.
    • Data Theft: Harvesting personal and financial information.
    • Credential Stuffing: Using stolen login credentials to access multiple accounts.
    • Cryptocurrency Mining: Exploiting device resources to mine digital currencies.

    5Socks Proxy Service: A Cybercriminal’s Tool

    The 5Socks proxy service has been identified as a facilitator for cybercriminals to anonymize their activities. By routing malicious traffic through this service, attackers can obscure their origins, making it challenging for law enforcement and cybersecurity professionals to trace and mitigate threats.


    Protecting Yourself Against Botnet Threats

    To safeguard against botnet-related attacks:

    • Maintain Updated Software: Regularly update operating systems and applications to patch vulnerabilities.
    • Use Robust Security Solutions: Employ reputable antivirus and anti-malware programs.
    • Be Cautious with Emails and Links: Avoid clicking on suspicious links or downloading attachments from unknown sources.
    • Implement Strong Passwords: Use complex passwords and consider multi-factor authentication.
    • Monitor Network Activity: Keep an eye on unusual device behavior or network traffic.


    Reporting Suspicious Activities

    If you suspect your device is part of a botnet or notice unusual online activities:

    • Report to IC3: Visit www.ic3.gov to file a complaint.
    • Seek Professional Assistance: Consult cybersecurity experts to assess and remediate potential infections.

    Free Device Tracking Spreadsheet
    If you would like a template for device tracking, here is an Excel template.