T.H.I.N.K. – Week 26: Digital Independence Day Edition. Defending Freedom in the Age of AI-Driven Threats

This week, THINK spotlights the convergence of AI-fueled risks, systemic cyber vulnerabilities, and regulatory fragmentation that are reshaping enterprise security priorities. For example, Netcraft revealed that GPT-4.1 frequently suggests incorrect or unregistered URLs—some later turned into phishing sites—highlighting how AI tools can unintentionally assist attackers when URL authenticity is deprioritized. Simultaneously, browser-based AI agents were shown to be more susceptible to phishing and malware than even entry-level employees, prompting urgent calls for permission controls, behavioral monitoring, and sandbox testing. Meanwhile, breaches at Connexure, Axis Max Life, Qantas, and Monticello Bank demonstrated the long tail of ransomware, third-party risk, and social engineering, while callback phishing scams impersonating Microsoft and PayPal revealed how adversaries weaponize routine brand trust and QR codes. Nation-state and organized crime threats escalated, with the Sinaloa cartel hacking FBI phones to track witnesses, Salt Typhoon embedded in telecom networks, and Russia’s Gamaredon group deploying new stealthy malware in Ukraine. Joint U.S.-UK sanctions targeting ransomware host Aeza Group were a rare enforcement win, but platforms like Meta and GitHub were criticized for failing to promptly remove sanctioned actors like Liu Lizhi. Despite the rise in threat volume, the IRIS 2025 report showed a 33% drop in breach likelihood among Fortune 500 firms due to scaled cybersecurity investments, while smaller organizations continue to face increased exposure. Across the regulatory landscape, the Senate rejected a proposed moratorium on state AI laws, signaling increased jurisdictional complexity for businesses deploying AI. To support workforce readiness, NIST’s proposed updates to the NICE Framework and SFIA 9’s AI expansion aim to align cybersecurity skills with emerging risk areas. Finally, in Cybersecurity Today, Accenture’s Krish Banerjee emphasized that while AI offers transformative potential, most enterprises lack the governance maturity, data hygiene, and strategic clarity to implement it responsibly—reinforcing the need for strong oversight, defined value goals, and secure-by-design practices across the AI lifecycle.

ChatGPT Creates Phisher’s Paradise by Recommending the Wrong URLs for Major Companies

The Gist

Netcraft researchers have revealed that GPT-4.1 often delivers incorrect or misleading URLs when asked for login sites of major brands, creating a prime opportunity for cybercriminals. Their study showed that the AI gave correct results only 66% of the time, while 29% led to dead links and 5% to incorrect legitimate sites. Attackers can exploit these inaccuracies by registering unclaimed domains suggested by the AI and turning them into phishing traps. The problem arises because language models prioritize textual relevance over domain authenticity, making it easier for scammers to insert well-crafted fakes into AI outputs, as seen with fake Solana blockchain APIs used to deceive developers.

The Insights

As AI chatbots become more integrated into user workflows, organizations must educate employees about the limitations and risks of relying on LLMs for critical tasks like web navigation. IT teams should implement browser-based security tools and DNS filtering to block suspicious or newly registered domains. For AI developers, there’s a growing imperative to enhance URL validation and filtering mechanisms to prevent the propagation of phishable content. Users should also be trained to verify site authenticity independently, mainly when prompted for login credentials or financial data.

Vulnerable AI Is Shaping New Phishing Threats - TechNadu

Organizations Have a New, Unexpected 'Employee' Onboard Risks - AI Agents are Falling for Scams that Your Intern Would Avoid

The Gist

Organizations are embracing Browser AI Agents to streamline tasks like booking appointments and managing communications—but these tools have emerged as a critical cybersecurity liability. Research from SquareX reveals that these agents, which mimic human behavior online, are far more susceptible to phishing, malware, and permission abuse than even junior employees. In controlled demonstrations, these agents were tricked into granting unauthorized access to sensitive systems and entering login credentials on phishing sites, failing to detect red flags such as suspicious URLs or excessive permission requests.

Insights

The rapid adoption of AI automation should not outpace the implementation of appropriate security oversight. Security teams must rethink their frameworks to include AI behavioral monitoring, especially since Browser AI Agents operate with full user privileges, making their actions indistinguishable from legitimate users. Enterprises should consider deploying Browser Detection and Response (BDR) solutions and limiting agent permissions where possible. Additionally, AI agents must be subjected to security training simulations and sandbox testing, just like human employees are.

Burn It With Fire: How to Eliminate an Industry-Wide Supply Chain Vulnerability

The Gist

A simple typo—using http:// instead of <https://—laid> bare a massive supply chain vulnerability in Java builds: dependency downloads were unencrypted and easily intercepted. Jonathan Leitschuh traced the flaw from his own project to major open-source ecosystems, including JetBrains, Apache, Gradle, and more. He coordinated with artifact hosts like Maven Central, JCenter, and build tools (Gradle, Bazel, SBT, Maven) to block insecure downloads and introduced protective flags. He even automated patches across thousands of repositories, ultimately eradicating this vulnerability class from the Java ecosystem.

The Insights

Eliminating a systemic vulnerability demands a multifaceted and persistent effort—from patching end-user projects and updating infrastructure defaults to coordinating across tools, servers, and maintainers. It takes automation at scale, diplomatic persistence, and coordinated pressure—even involving CERT/CC—to turn known weaknesses into obsolete risks. The lesson: real security isn’t just discovery, it's relentless follow-through across every layer of the ecosystem.

Drug cartel hacked cameras and phones to spy on FBI and identify witnesses

The Gist

The U.S. Department of Justice Inspector General’s June 2025 report reveals that Mexico’s Sinaloa cartel hired hackers to breach FBI personnel’s phones and local camera systems to track and target witnesses. The surveillance included intercepting calls, geolocation data, and following an FBI Assistant Legal Attaché (ALAT) in Mexico City via compromised cameras. The findings show that, despite the FBI's efforts since 2022 to address this “existential” threat, internal strategies remain disjointed, lacking apparent authority and sufficient action to counter ubiquitous technical surveillance (UTS).

The Insight

This incident highlights a critical blind spot in national security: even the FBI can be compromised through coordinated technical and human intelligence attacks. The report emphasizes that designating UTS as a top-tier risk is not enough—effective mitigation requires clear leadership, comprehensive vulnerability assessments, and decisive, well-resourced strategies. Without them, adversaries like cartels will continue exploiting gaps in surveillance defenses, reinforcing the urgent need for holistic, cross-agency countermeasures.

Drug cartel hacked FBI official’s phone to track and harm informants, report says - Ars Technica

Young Consulting Finds More Victims in Expanding Data Breach

The Gist

Young Consulting, now doing business as Connexure, continues to grapple with the fallout of a 2024 cybersecurity breach, as the number of affected individuals has surpassed 1 million. Initially believed to have impacted around 950,000 people, the company has now confirmed that 1,071,336 individuals were affected, as updated in a filing with Maine’s attorney general. Although not officially classified as a ransomware attack by the company, the BlackSuit ransomware group claimed responsibility, alleging it exfiltrated sensitive personal and insurance data. The breach compromised names, Social Security numbers, dates of birth, and policy details, with BlackSuit also claiming access to passports and internal documents.

The Insights

This breach underscores the long-term consequences of ransomware attacks and the intricacy of breach investigations. Organizations handling sensitive data, especially in the insurance and healthcare sectors, must prioritize comprehensive forensic analysis and layered cybersecurity defenses. Regular audits and clear communication protocols for breach disclosure are vital. Moreover, third-party risk assessments and continuous monitoring are crucial to mitigate threats from supply chain vulnerabilities. Offering victims identity monitoring services is a necessary, albeit reactive, step; however, proactive risk reduction and faster breach containment should be the strategic focus.

Axis Max Life Insurance Unit of Axis Bank and Max Financial Services India Announces Data Breach

The Gist

Axis Max Life Insurance, a joint venture between Axis Bank and Max Financial Services, confirmed a data breach involving unauthorized access to customer information. The incident came to light after the company received a tip from an anonymous source. In response, the firm initiated a comprehensive investigation in collaboration with information security experts to analyze logs, determine the breach’s root cause, and reinforce security protocols. Though the extent of compromised data remains undisclosed, the incident echoes a broader trend of increasing cyber threats in India’s financial sector.

The Insights

The breach underscores the urgent need for strengthened cyber resilience in the insurance and financial sectors. As regulatory bodies like the Insurance Regulatory and Development Authority of India (IRDAI) mandate IT system audits, organizations must ensure they’re conducting routine vulnerability assessments, implementing real-time monitoring, and cultivating a culture of incident readiness. The growing threat landscape, marked by a fourfold rise in cyber fraud in fiscal 2024 alone, calls for proactive defenses and transparent communication to maintain customer trust and regulatory compliance.

Cyberattack Disrupts Arizona Candidate Portal During June Filing Period

The Gist

A cyberattack temporarily disabled the Arizona Secretary of State’s Candidate Portal during the critical June 2025 filing period. Detected during routine monitoring the week of June 23, the intrusion prompted a proactive shutdown of the portal to ensure the integrity of the system. Although the statewide voter registration database remained untouched, the disruption raised immediate concerns about the resilience of election-related systems. Secretary of State Adrian Fontes described the incident as part of a broader pattern of persistent and growing foreign threats to election infrastructure, while reaffirming the state’s commitment to transparent updates and operational continuity.

The Insights

This incident illustrates how even short-lived outages of election infrastructure can jeopardize public confidence and operational effectiveness. State and local governments must implement comprehensive monitoring and real-time threat detection systems, along with incident response playbooks tailored for electoral timelines. Redundancy strategies—such as alternative filing mechanisms and offline document submission options—are critical to maintaining election processes amid cyber disruptions. Additionally, election authorities should increase public communication channels to minimize uncertainty and keep stakeholders informed during such attacks. Continuous testing of electoral systems for vulnerabilities and ensuring collaboration with federal cybersecurity resources will be essential as election threats escalate heading into 2026.

Kentucky's Monticello Banking Company Disables Online Services After Cyberattack

By Dysruption Hub | June 30, 2025

The Gist

Monticello Banking Company, based in Monticello, Kentucky, suffered a cyberattack on June 30, 2025, forcing the institution to shut down access to ATMs, cash management platforms, online banking, and mobile apps. In addition to these services, regular phone lines were also impacted, prompting the release of alternate contact numbers. The bank emphasized that these disruptions were implemented to protect customer data and financial assets, and customers facing fees due to service outages are urged to seek assistance from bank representatives. The incident has disrupted normal banking operations and added pressure on customer communications.

The Insights

This attack highlights the escalating vulnerability of regional banks, often perceived as less fortified targets by cybercriminals. Financial institutions must prioritize network segmentation, real-time monitoring, and incident response drills to minimize service downtime and protect consumer trust. Moreover, ensuring multi-channel communication strategies during incidents—such as alternate contact methods—is critical. Customers should be alert for phishing campaigns and social engineering scams that frequently follow such disruptions. Proactive fraud monitoring, customer awareness campaigns, and prompt public updates can significantly reduce the aftershocks of a cyberattack.

Qantas Breach Exposes Data of 6 Million Customers via Third-Party Platform

The Gist

Qantas has confirmed a major data breach affecting 6 million customer records after cybercriminals infiltrated a third-party call center platform. The breach, believed to have stemmed from a social engineering attack, compromised data including names, email addresses, phone numbers, birth dates, and frequent flyer numbers. Fortunately, no credit card or passport data was involved. Despite the breach, Qantas reassured the public that its internal systems and airline operations remain unaffected. The airline promptly notified authorities and affected customers, and is collaborating with Australia’s cybersecurity agencies to investigate.

The Insights

This incident underscores the persistent vulnerabilities in third-party vendor ecosystems, even after governance improvements. Organizations must conduct ongoing risk assessments of not only their direct suppliers but also fourth-party affiliates. Social engineering remains a top attack vector, so employee training and incident simulation exercises should be regularized. The breach also echoes recent FBI warnings about ransomware groups like Scattered Spider, which leverage impersonation and help desk manipulation to bypass MFA. Companies should reinforce zero-trust architectures and apply FIDO2-compliant authentication methods to minimize these growing risks.

Catwatchful “Child Monitoring” App Exposes Victims’ Data

The Gist

The Android-based stalkerware app Catwatchful, disguised as a child monitoring tool, has leaked sensitive data from over 26,000 victims’ devices and exposed plain-text credentials of more than 62,000 users. Promoted as undetectable, Catwatchful secretly captured photos, messages, audio, camera feeds, and GPS data, storing it all insecurely. This breach is the latest in a troubling trend, joining others like Spyzie, Spyic, and mSpy, which have similarly exposed massive amounts of private information due to grossly inadequate security practices.

The Insights

These leaks reinforce the urgent need to treat stalkerware as a serious cybersecurity and human rights issue. Despite marketing as parental control tools, many of these apps are abused by domestic violence perpetrators and fail even the most basic security hygiene, creating dual harm: to victims and unwitting users. Organizations must raise awareness of the illegality and risks of such tools, while security vendors and regulators should pursue aggressive detection, takedowns, and penalties to stem their proliferation.

Bluetooth Vulnerability in Audio Devices Can Be Exploited to Spy on Users

The Gist

A recent investigation by German security firm ERNW revealed vulnerabilities in 29 Bluetooth-enabled audio devices—including products from major brands like Sony, Bose, and JBL—that could be exploited for eavesdropping and data theft. The flaws are linked to Airoha Systems-on-Chip (SoCs), commonly used in True Wireless Stereo (TWS) earbuds. Attackers can use these vulnerabilities to initiate calls and intercept conversations, with further access potentially exposing call logs and contact lists. However, exploiting the flaws requires the attacker to be physically close to the device, due to Bluetooth’s limited range.

The Insights

Organizations and consumers should be vigilant about Bluetooth security hygiene. Users are encouraged to regularly check for firmware updates from manufacturers and be alert to any unexpected disconnections or device behaviors, which might signal a hijacking attempt. IT departments managing large fleets of devices should audit and track Bluetooth device usage and educate employees on Bluetooth security best practices, especially in sensitive environments. Adopting a policy of minimal trusted device pairing and routine device resets can also help reduce the attack surface.

Microsoft, PayPal, DocuSign, and Geek Squad Faked in Callback Phishing Scams

The Gist

Cybercriminals are impersonating major brands, including Microsoft, PayPal, Adobe, and Geek Squad, in a wave of callback phishing scams that combine deceptive emails with QR codes and fake phone support numbers. These emails often carry blank bodies and convincing PDFs, tricking recipients into thinking they're from legitimate sources. Once engaged, victims are lured into calling fraudulent hotlines or scanning malicious QR codes, which either steal credentials or install malware. This campaign, observed between May and June, relies on brands used for routine business operations, making them particularly effective against small businesses and unsuspecting users.

The Insights

To defend against these scams, businesses must train their employees to recognize phishing indicators, including urgency, unknown senders, QR codes, and attachments from unfamiliar sources. Security awareness programs, paired with robust endpoint protection and email filtering, are essential. It's also critical to scrutinize any requests for personal data or remote access, even if they appear brand-authorized. Adopting zero-trust principles and maintaining updated phishing detection tools can help mitigate the growing risk of sophisticated callback phishing attacks.

5G Alternatives, Cyber Compass Blog, Cybersecurity Summer Camp 2025 (BlackHat, DEFCON, BSides)

The Gist

The Cybersecurity Club has released a fresh batch of educational and networking resources for its community of over 2,000 enthusiasts. This week’s highlights include a video workshop on alternatives to traditional 5G infrastructure, exploring community-led and cooperative solutions to counteract Big Tech dominance in digital connectivity. The club also spotlighted The Cyber Compass Blog, which delivers practical cybersecurity guidance for everyday users, regardless of their technical background. Finally, the club is prepping for its Cybersecurity Summer Camp 2025, with members planning to attend BlackHat, DEFCON, and BSides Las Vegas, offering unparalleled opportunities for learning, collaboration, and hands-on experience.

The Insights

For organizations and professionals looking to stay ahead in the cybersecurity field, engaging with community-driven initiatives like the Cybersecurity Club can be incredibly valuable. These forums not only provide access to grassroots insights and upskilling opportunities, but also foster collaborative learning and mentorship. Attending major industry conferences like BlackHat and DEFCON can further enhance awareness of cutting-edge threats and defense strategies. Additionally, exploring alternative digital infrastructure models can spark innovative approaches to data sovereignty and security, especially in regions dependent on external tech providers.

Senate Rejects Proposed Moratorium on State AI Laws

The Gist

The U.S. Senate has removed a controversial provision from a major tax-cut and spending bill that would have paused state-level regulation of artificial intelligence (AI) for ten years. The AI moratorium was eliminated by a 99-1 vote, following a failed effort by Senator Ted Cruz to push a compromise that would shorten the pause to five years and include exemptions for specific laws. Despite this, the Senate moved forward with passing the broader legislative package by a narrow 51-50 margin, with Vice President JD Vance casting the tie-breaking vote. The debate highlighted sharp divisions over how much authority states should retain in regulating emerging AI technologies and concerns about unchecked power in the hands of tech giants.

The Insights

This decision illustrates the growing tension between federal oversight and state autonomy in technology governance. As AI technologies proliferate, organizations must track both federal and state-level developments to maintain compliance and mitigate regulatory risk. Businesses leveraging AI should prioritize ethical use, transparency, and user protection, particularly in sectors dealing with consumer data, children’s privacy, and digital likenesses. The collapse of a federal moratorium also signals potential fragmentation in AI compliance standards, reinforcing the need for robust internal AI governance frameworks that can adapt across jurisdictions.

Big Tech’s Mixed Response to U.S. Treasury Sanctions

The Gist:

In May 2025, the U.S. Treasury sanctioned Funnull Technology Inc., a Philippines-based provider linked to hundreds of thousands of pig-butchering cryptocurrency scams. Its operator, Liu “Steve” Lizhi, was also sanctioned for facilitating infrastructure that led to over $200 million in fraud losses. Despite these measures, Lizhi continued operating accounts on major U.S. tech platforms, including Facebook, GitHub, PayPal, and Twitter/X. His LinkedIn profile remained live until media pressure prompted its removal, and Meta only took action after being contacted for comment. GitHub, while locking some accounts, continues to host Lizhi’s public code repositories, raising concerns about compliance and potential platform misuse. Silent Push researchers identified Lizhi as a central figure in U.S.-targeted scam operations, yet many of his digital footprints persist online ( Brian Krebs , KrebsonSecurity .

The Insights

This case highlights the inconsistent enforcement of sanctions across tech companies, particularly in comparison to the financial sector. While banks typically act swiftly, platforms offering free services lack robust screening mechanisms, enabling sanctioned actors to maintain a presence. Organizations should implement automated watchlist screening and risk-based monitoring to detect sanctioned users. Additionally, public platforms must strike a balance between open-source transparency and legal obligations, especially when malicious actors exploit these services for cybercrime infrastructure. For cybersecurity teams, this event underscores the importance of continuously monitoring external dependencies and third-party integrations, as threat actors are increasingly operating in plain sight within legitimate ecosystems.

Sanctions Impact Aeza! U.S. and UK Team Up to Shut Down Russia’s Ransomware Powerhouse

The Gist

The United States and United Kingdom have issued joint sanctions against Aeza Group, a Russian-based cybercrime syndicate accused of supporting global ransomware and data theft operations. The U.S. Department of the Treasury’s OFAC announced the measures on June 1, targeting Aeza’s bulletproof hosting services, associated companies, and leadership. Aeza allegedly enabled attacks by shielding cybercriminals using tools like Meduza and Lumma malware, impacting sectors from tech to defense. The coordinated effort also exposed a fake UK-based front company used to obscure Aeza’s illicit operations. The sanctions freeze Aeza’s assets and prohibit U.S. entities from engaging with them, marking a significant disruption to the group’s global infrastructure.

The Insights

These sanctions emphasize the growing role of third-party infrastructure providers in facilitating cybercrime and the effectiveness of international partnerships in dismantling such networks. Organizations must strengthen vendor risk management, especially in evaluating hosting and cloud service partners for potential misuse. Enhanced threat intelligence sharing and zero-trust architectures can mitigate exposure to hidden backend services used in ransomware campaigns. This event serves as a call to action for companies to reassess their cybersecurity dependencies and implement robust policies for due diligence and compliance with global sanctions lists.

Gamaredon in 2024: Cranking Out Spearphishing Campaigns Against Ukraine With an Evolved Toolset

The Gist

Gamaredon, a Russia-aligned APT group linked to the FSB, focused exclusively on Ukrainian governmental targets throughout 2024, intensifying its spearphishing campaigns and evolving its malware arsenal. ESET Research uncovered the group's deployment of six new tools and significant upgrades to older malware, incorporating stealthier methods such as hiding code in registry keys, leveraging Cloudflare tunnels, and targeting USB drives. Their expanded use of third-party services, such as Telegram, Dropbox, and Cloudflare, to mask command-and-control infrastructure highlights an increasing sophistication. A rare propaganda payload was also observed, opening a Telegram channel instead of exfiltrating data, signaling hybrid influence-cyber tactics.

The Insights

Organizations, especially those in high-risk geopolitical regions, must strengthen their email security defenses and endpoint detection tools to counter advanced spearphishing attacks. Gamaredon's reliance on legitimate cloud platforms for infrastructure shows that standard domain blocking is no longer enough—behavioral analytics and threat intelligence integration are vital. Additionally, security teams should monitor for lateral movement using USB drives and unusual script executions tied to fileless malware. Regular threat hunting and IoC sharing among allied organizations remain crucial to detecting and mitigating persistent threats like Gamaredon.

Fortune 500 Cyber Spending Pays Off: Large Enterprise Risk Falls 33% Despite Rising Threats

The Gist

The Cyentia Institute's IRIS 2025 study reveals a surprising trend in the cyber landscape: despite a 650% rise in security incidents since 2008, large enterprises—especially those in the Fortune 500—are seeing a 33% drop in breach likelihood thanks to substantial cybersecurity investments. The research, covering over 150,000 incidents from 2008–2024, indicates that cyber risk has become highly contextual, with variations across industries and organization sizes. While smaller firms face rising threats, some industries like retail are improving due to better compliance and payment security, whereas others like professional services and critical infrastructure are entering higher-risk zones. Ransomware, credential compromise, and system intrusion continue to dominate the threat landscape, with evolving tactics like Cloudflare-powered C2 infrastructure reshaping modern cyber risk.

The Insights

Organizations should move away from one-size-fits-all cyber strategies and instead adopt tailored risk management models that align with their sector, digital maturity, and exposure. Large enterprises can take credit for scaling cybersecurity investment, but must now focus on maintaining real-time visibility and refining their response protocols to keep costs contained. Meanwhile, smaller organizations and critical infrastructure sectors must invest in proactive measures like threat intelligence, resilient architecture, and regulated response playbooks, or risk falling behind. The report underscores the importance of dynamic risk assessment, stressing that a security strategy anchored to outdated threat assumptions is not only ineffective but dangerous in today’s fluid cyber environment.

Top FBI Cyber Official: Salt Typhoon ‘Largely Contained’ in Telecom Networks

The Gist

The FBI’s Cyber Division recently confirmed that the Chinese-linked hacking group known as Salt Typhoon has been contained within U.S. telecom networks, with active infiltration halted and their presence locked in. Despite this containment, the group remains a latent threat, as they retain footholds in critical systems that could transition from espionage to destructive cyber actions if triggered.

The Insights

While resilience and victim support are top priorities, FBI Cyber Chief Brett Leatherman emphasized that offensive operations against Salt Typhoon are still pending further attribution and coordination. With nine U.S. telecommunication firms affected, the bureau maintains ongoing engagement with every victim, yet recognizes the challenge in fully removing hackers who’ve embedded persistent access. Looking ahead, the FBI is also monitoring threats from North Korean “scam IT workers,” noting their stable tactics but growing risk of intellectual property theft or third-party access brokering. This situation underscores the need for telecom operators to aggressively pursue complete network sanitation and for law enforcement to ramp up attribution and coordinated measures before transitioning to offensive cybersecurity strategies.

ESET Threat Report H1 2025: Key Findings and Cybersecurity Implications

By Editor, ESET, July 1, 2025

The Gist

ESET’s H1 2025 Threat Report reveals a rapid evolution in the cyber threat landscape, with several developments demanding urgent attention from organizations. Among the most striking findings is the emergence of a novel social engineering tactic known as ClickFix, which saw detections surge over five-fold compared to late 2024. Additionally, Android adware threats ballooned by 160%, fueled by evil twin fraud tactics and a proliferation of potentially unwanted applications. While ransomware attacks and threat actor groups continued to rise, the total value of ransom payments actually declined, suggesting shifting strategies among both attackers and victims.

The Insights

The report underscores the need for organizations to bolster their defenses against social engineering threats, especially those that exploit mobile platforms. The growth in adware and PUAs highlights vulnerabilities in user behavior and app ecosystems, making employee awareness and endpoint protection vital. The drop in ransom payments, despite rising attacks, suggests victims are increasingly turning to incident response and recovery rather than negotiation—pointing to the value of pre-established backup and recovery plans. Companies should also anticipate evolving ransomware tactics and remain vigilant as the attack surface continues to widen in 2025.

Malvertising & TDS Cloaking Surge in Complexity and Impact

The Gist

New research reveals a sharp rise in the sophistication and frequency of malvertising and Traffic Distribution System (TDS) campaigns, with malicious actors increasingly exploiting digital ad ecosystems to deliver malware. Tactics such as ad cloaking, forced redirects, and fake update prompts are being deployed through platforms like Keitaro, with reports indicating that 1 in every 90 ad impressions posed a threat in 2024. Real-world attacks involving malware like Lumma and SocGholish highlight how adversaries use conditional redirects and cloaking to evade detection. Attack chains now often span high-reputation ad networks, CDN services, and even government-trusted domains.

The Insights

The continued evolution of malvertising and TDS tactics demands that organizations move beyond traditional security layers. Deploying advanced tools like DNS telemetry, redirect chain mapping, and headless browser simulations can reveal cloaked behavior and malicious payload delivery paths. Security teams should also emulate these tactics in lab environments using TDS frameworks and fingerprint-based detection tools to refine defenses. As threat actors pivot toward exploiting ad trust and session-based redirects, enterprises must establish proactive threat hunting routines, especially across third-party ad integrations. Integrating real-time behavioral analytics and high-churn domain monitoring will be essential to detecting and stopping future cloaked malvertising threats.

The ROI of NHI Security: Why Investing in Machine Identity Protection Pays Off

The Gist

Modern enterprises increasingly rely on non-human identities (NHIs)—machine credentials like service accounts, bots, and API tokens—which now vastly outnumber human users in digital ecosystems. These identities can access sensitive data and systems, making them high-value targets for cyber attackers. Real-world breaches at companies like CircleCI, Okta, and Slack illustrate how compromised NHIs can lead to costly disruptions and reputational damage. Despite this, most organizations lack adequate controls to monitor and manage NHIs, posing a growing risk to business continuity. Regulatory mandates and customer trust demands now require more than ad hoc protections. The article highlights how investing in policy-based NHI security solutions, such as those offered by Cerbos, can significantly reduce breach costs and streamline compliance and operational efficiency.

The Insights

Organizations must begin treating machine identities with the same rigor and governance as human ones. This includes implementing centralized discovery, credential rotation, and policy enforcement to ensure NHIs follow least-privilege principles and are continuously monitored. Investing in these tools can dramatically reduce risk while enhancing developer velocity and audit readiness. By doing so, enterprises can prevent operational bottlenecks, accelerate digital transformation, and demonstrate to regulators and clients that they are secure by design, thereby transforming a traditional security liability into a strategic business enabler.

SFIA 9 Expands AI and Software Engineering Capabilities

The Gist

The SFIA Foundation has launched a newly updated AI skills landing page that consolidates its approach to AI competencies within its SFIA 9 framework. This comprehensive update supports job mobility, task automation, and helps define responsibility levels for AI oversight. Emphasizing durable professional capabilities over specific tools, it also aids in identifying which human tasks remain post-AI implementation. The framework reinforces alignment with AI governance expectations, especially in managing high-risk tools like generative AI in HR. Additionally, SFIA has released a new mapping between SFIA 9 and SWEBOK v4.0, creating a navigational bridge between software engineering knowledge areas and SFIA competencies. An interactive PDF connects directly to SFIA’s definitions, aiding both professionals and educators. To further promote understanding, the SFIA Framework Foundation Test is now available online—free until September 2025—offering a certificate and optional digital badge.

The Insights

The expansion of AI within SFIA’s competency framework signals an important step toward standardized AI literacy and responsible implementation. Organizations can benefit by integrating these tools into workforce planning, role design, and AI governance strategies. Mapping to SWEBOK ensures technical alignment with industry standards, helping HR, L&D, and cybersecurity leaders validate and future-proof workforce competencies. With AI transforming tasks rapidly, frameworks like SFIA 9 serve as a foundation for ethical and accountable AI adoption, while promoting continuous upskilling and secure operational design.

Approaching July 17 Deadline: Provide Your Comments on Proposed NICE Framework Update

The Gist

National Institute of Standards and Technology (NIST) 's NICE Program Office has proposed updates to the NICE Workforce Framework for Cybersecurity, specifically targeting the Cybercrime Investigation Work Role (IN-WRL-001) and the Artificial Intelligence (AI) Security Competency Area (NF-COM-002). The Cybercrime Investigation Work Role revision was developed in collaboration with the FBI and Department of Justice, offering a more granular alignment of Tasks, Knowledge, and Skill (TKS) statements. Meanwhile, the AI Security update expands on knowledge and skill areas to better reflect AI-related risks in cybersecurity. These proposals aim to keep the framework aligned with real-world practices and emerging tech challenges. Stakeholders are encouraged to provide feedback by July 17, 2025, as part of the framework’s collaborative revision process. Submitted comments will be reviewed for integration into the next NICE Framework release. NIST invites professionals to explore the proposed changes, join the NICE Framework Users Group, and ensure their insights shape the next evolution of U.S. cybersecurity workforce standards.

The Insights

These proposed updates are crucial for aligning cybersecurity training and job functions with current threat landscapes, particularly in areas like AI security and digital forensics. Organizations should use this as an opportunity to reassess their internal role descriptions, skill matrices, and training paths to ensure alignment with evolving federal standards. Participation in the public comment process also empowers enterprises to help mold future-ready cybersecurity roles and remain synchronized with national workforce development strategies.

AI and Cybersecurity: Enterprise Risks, Digital Sovereignty, and Responsible Adoption

Overview

In this episode of Cybersecurity Today, host Jim Love conducts an in-depth interview with Krish Banerjee, Canada Managing Director for AI and Data at Accenture. Their conversation explores how artificial intelligence is reshaping cybersecurity strategy, enterprise operations, and digital sovereignty in Canada and beyond. With a focus on actionable insights for executives, this discussion addresses the widening gap between perceived AI preparedness and the real-world governance and safeguards needed to manage its risks.

Enterprise AI: From Hype to Risk Readiness

Banerjee emphasizes a growing concern: most organizations believe they are prepared to adopt AI but lack the governance frameworks to do so securely. As AI systems become embedded in core business processes, poor data hygiene, unclear objectives, and underdeveloped controls are creating gaps ripe for exploitation.

Building Value-Driven AI Systems

The conversation highlights the importance of defining value upfront. Rather than chasing trends, Banerjee urges enterprises to ask: What business outcome are we trying to achieve with AI? This approach requires strong data foundations, clearly defined KPIs, and the talent needed to integrate and maintain AI tools across departments.

The Sovereignty Factor: Canada’s AI Crossroads

On digital sovereignty, Banerjee points out that Canada has a unique opportunity to lead in responsible AI—but faces challenges from fragmented strategies and inconsistent adoption across industries. He calls for coordinated national efforts to create secure, scalable, and citizen-aligned AI systems.

Open-Source AI and Democratized Innovation

Open-source AI is framed as both an opportunity and a risk. While it offers access to advanced capabilities for smaller organizations, Banerjee stresses that without proper governance, open-source models can introduce security gaps and unintended consequences.

Agentic AI: Power with Boundaries

Looking ahead, Banerjee describes agentic AI—systems that can act independently to solve problems and optimize workflows—as a major breakthrough. However, he cautions that without transparency and oversight, such systems could behave unpredictably. Governance, monitoring, and alignment with organizational values are non-negotiable.

Actionable Guidance for Leaders

Executives are advised to:

• Embed AI governance at the planning stage.

• Treat AI as both a multiplier of risk and a strategic advantage.

• Invest in explainability and regular bias audits.

• Demand transparency from vendors across the AI supply chain.

• Prepare their workforce—and their children—for an AI-integrated future.

About the Author

Jim Love is the host of Cybersecurity Today and a longtime technology strategist. He frequently engages with thought leaders across cybersecurity, data governance, and enterprise IT to help organizations understand and respond to evolving digital threats. This episode features guest Krish Banerjee, Canada Managing Director for AI and Data at Accenture, whose work focuses on integrating responsible AI into national and enterprise-level strategies.