AI can help defenders stop nation-state threat actors at machine speed

Last year, the escalating concerns about Chinese threat actors breaching U.S. organizations reached a crescendo as federal authorities issued increasingly urgent advisories about China’s “Typhoon” groups infiltrating U.S. networks, pressing organizations to take immediate action.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned that these groups were engaged in a host of massive intrusions, ranging from infiltrating telecommunications networks and sensitive law enforcement communication platforms to prepositioning themselves on critical infrastructure networks in order to destroy or disrupt services.

Since late January, however, the U.S. government has issued few alerts about Chinese or other nation-state advanced persistent threat actors (APTs), including Russia, North Korea, and Iran. Experts say that despite the lack of warnings, it is more important than ever to stay alert against these groups, particularly given that rapidly developing artificial intelligence (AI) technologies have enabled defenders to spot these threat actors at machine speed and stop them in their tracks.

“Your ability to respond quickly is really important,” Alex Stamos, CISO at SentinelOne, told CyberScoop. “You can’t spend fifteen, twenty minutes for your security operations center analyst to go to the bathroom and then come back and look at an alert and to make a decision because the threat actors are already ten steps ahead of you.”

“Chinese threat actors are going for very large-scale operations,” Alon Schindel, VP of AI and threat research at Wiz, told CyberScoop. “AI can empower cybersecurity teams to walk faster and reduce the number of issues. You can reduce the remediation time. That’s the thing.”

AI brings it all together

Experts emphasize that AI’s real value in identifying and halting sophisticated threat actors lies in its capacity to process vast amounts of information across an organization’s tech surface. It can then correlate that data to identify and potentially thwart suspicious behavior swiftly. 

“AI is there to augment your efforts by tying in a lot of the disparate context or the context that’s lacking between different siloed systems,” Cristian Rodriguez, Americas Field CTO at CrowdStrike, told CyberScoop. “We are firm believers that AI helps bridge that gap across disparate data sources so that contextually there’s a better understanding of the steps that an adversary needs to take to be successful in their tradecraft.”

“To help and try to understand whether it is a real attack or whether it is just some other activity, whether it’s a false positive alert by a security product, you can use the context that you have from your actual production environment, from your code, and the threat detection products,” Schindel said. “You can feed an LLM with all this information, and within a few seconds, you can get a conclusion with a high level of confidence, whether it is a real attack or whether it is just a false positive or maybe some ordinary activity in your environment.”

Before AI, defenders had massive amounts of information compiled in different locations with little ability to tie events together occurring in different log sources across the tech stack. The logs did not traditionally go into a repository “that allows for hyper scaling and hyper analysis of what those data points mean when they’re put together,” Stamos said.

The cloud nexus is critical

Most experts agree that the increasing adoption of cloud-based technologies is central to the problem of disparate data sources. As information moves between cloud and on-premises systems, it creates more avenues for threat actors to move laterally within an organization.

“Very few companies have visibility across their cloud infrastructure and their on-premise tech in a way where they see all of it at the same time and detect and track a threat actor in real time across all of those different environments,” Stamos said. “And very few companies can respond fast enough.”

According to Stamos, this lack of visibility specifically benefits Chinese threat actors, notably in the Microsoft-based systems that dominate the enterprise sector’s cloud, security, and operating systems. “What [Chinese threat actors] have gotten very good at is chaining vulnerabilities across those three areas,” he said. “For example, you can have a cloud entry point where they can brute force a username and password.”

“That’s something that’s not getting logged, not getting alerted on,” Stamos said. “And so, they can just brute force for days until they find a user password pair that works for them and then use that against the VPN tied to Microsoft Active Directory, and then get onto the domain controller. Now, they can do a traditional domain controller attack. That’s not something you can do in the cloud; that’s only local.”

The combination of cloud-based technologies and stolen identities is at the crux of where AI can start shedding light on intrusions in a way that genuinely helps defenders. “AI can start to bring context around what are outliers within things like login attempts,” CrowdStrike’s Rodriguez said. 

“Using legitimate credentials to get into your environment in lieu of having to use malware, for example, which is very noisy,” is how most unauthorized intrusions occur, Rodriguez added. “AI can act as that opportunity for analysts to scale themselves across these large data sets to contextually understand outliers for login attempts and outliers for authorization across applications. Think of identity, think of what’s happening on your endpoints, and what happens in your cloud workloads. Those are all major data sources a defender must use when responding or analyzing an attack.”
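The chain Stamos and Rodriguez describe, days of password guessing against a cloud entry point, one success, then a VPN login with the same account, is the kind of cross-source outlier a correlation rule can surface once cloud and VPN telemetry land in one queryable store. The following Python is an added illustration, not code from CyberScoop or any vendor quoted above; the event schema, thresholds, usernames and documentation-range IPs are assumptions, and the rule only fires if failed cloud sign-ins are actually being collected, which is exactly the logging gap Stamos points at.

```python
"""Correlate cloud sign-in and VPN telemetry to surface a brute-force success followed
by an on-prem pivot over VPN. Events are constructed sample data in a normalised
schema (assumed field names), not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 20             # failed cloud sign-ins from one source before a success is suspicious
BRUTEFORCE_WINDOW = timedelta(days=3)  # how far back to count those failures
PIVOT_WINDOW = timedelta(hours=6)  # cloud success -> VPN login window that suggests a pivot on-prem


def build_sample_events():
    """Constructed telemetry: hypothetical users, documentation-range IPs."""
    base = datetime(2025, 3, 1, 2, 0)
    attacker_ip = "203.0.113.45"
    events = []
    # 30 failures spread over ~2.5 days, cycling through a handful of usernames
    for i in range(30):
        events.append({"ts": base + timedelta(hours=2 * i), "source": "cloud",
                       "user": f"user{i % 7}", "src_ip": attacker_ip, "outcome": "failure"})
    # one success, then a VPN login with the same account 41 minutes later
    hit = base + timedelta(hours=62)
    events.append({"ts": hit, "source": "cloud", "user": "user3",
                   "src_ip": attacker_ip, "outcome": "success"})
    events.append({"ts": hit + timedelta(minutes=41), "source": "vpn", "user": "user3",
                   "src_ip": attacker_ip, "outcome": "success"})
    # benign noise: one typo, then normal cloud and VPN logins from an internal address
    office = "10.20.30.40"
    events.append({"ts": base + timedelta(hours=9), "source": "cloud", "user": "a.smith",
                   "src_ip": office, "outcome": "failure"})
    events.append({"ts": base + timedelta(hours=9, minutes=1), "source": "cloud", "user": "a.smith",
                   "src_ip": office, "outcome": "success"})
    events.append({"ts": base + timedelta(hours=9, minutes=5), "source": "vpn", "user": "a.smith",
                   "src_ip": office, "outcome": "success"})
    return events


def detect_bruteforce_to_vpn(events, failure_threshold=FAILURE_THRESHOLD,
                             bruteforce_window=BRUTEFORCE_WINDOW, pivot_window=PIVOT_WINDOW):
    """Return one finding per cloud success preceded by a brute-force run from the same
    source; each finding records whether a VPN login with that account followed."""
    ordered = sorted(events, key=lambda e: e["ts"])
    # VPN successes are indexed up front so a pivot that happens later in the stream is visible
    vpn_logins = defaultdict(list)
    for e in ordered:
        if e["source"] == "vpn" and e["outcome"] == "success":
            vpn_logins[e["user"]].append(e)
    failures_by_ip = defaultdict(list)  # src_ip -> timestamps of failed cloud sign-ins seen so far
    findings = []
    for e in ordered:
        if e["source"] != "cloud":
            continue
        if e["outcome"] == "failure":
            failures_by_ip[e["src_ip"]].append(e["ts"])
            continue
        prior = [t for t in failures_by_ip[e["src_ip"]] if e["ts"] - t <= bruteforce_window]
        if len(prior) < failure_threshold:
            continue  # ordinary typo-then-success traffic
        pivots = [v for v in vpn_logins[e["user"]]
                  if timedelta(0) <= v["ts"] - e["ts"] <= pivot_window]
        findings.append({
            "user": e["user"],
            "src_ip": e["src_ip"],
            "prior_failures": len(prior),
            "cloud_success_at": e["ts"].isoformat(),
            "vpn_login_after": pivots[0]["ts"].isoformat() if pivots else None,
            "stage": "cloud_bruteforce_then_vpn_pivot" if pivots else "cloud_bruteforce_success",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce_to_vpn(build_sample_events()):
        print(finding)
```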

Warning: AI systems themselves need protection

As beneficial as AI technologies might be in identifying and thwarting threat actors, experts warn that new LLM models and other AI technologies that defenders use to protect assets are themselves prized targets of threat actors. Even worse, these AI technologies can leak organizational secrets.

Chinese threat actors are “targeting these AI companies directly for their intellectual property, whether it’s ChatGPT, Gemini, all these new models,” Wiz’s Schindel said. “They are trying to steal information and then build their own versions that are based on what they stole as part of their threat operations.”

For some of these threat actors, “especially coming out of China and even North Korea, not only are they looking for or using identities, but they’re also looking for these custom large language models or any type of generative AI that you may be hosting within your own cloud services,” CrowdStrike’s Rodriguez said.

“The adversary is looking for misconfigured large language models and any type of other genAI that you may be hosting in your cloud because that can also act as an exfiltration point if they were to access those systems,” he added. “And you’ve inadvertently put sensitive information or IP into those systems. They can ultimately use some prompt engineering or even access to misconfigurations within those models to exfiltrate sensitive data.”

What can defenders do?

According to Stamos, very few organizations are currently using AI in a way that prepares them to tackle sophisticated adversaries with real-time intervention. “Out of the Fortune 500, there are maybe 150 to 200 companies playing at that level,” he said.

Stamos said organizations “need to gather as much security telemetry as possible and have it in one data lake that can be queried quickly in real time. You’ve got to do that plumbing, and that’s hard.”

Rodriguez advises organizations to “secure your identities. That is number one. Ensure that you understand the identities that you have for these services, have things like multifactor authentication, and [see to it] that the privileges for these identities are regularly assessed to ensure that you’re not overextending access to any single or handful of identities within environments that are sitting in the cloud, for example.”

Even though using AI to battle Chinese and other threat actors is a complex and high-level task that might need experienced AI engineers to implement, Schindel says that most organizations can easily start the process without this kind of scarce talent. “The only thing you need is someone enthusiastic about AI on your team,” he said. “They don’t necessarily have any significant background with AI, just someone who can use it. These models are easy to use.”

The post AI can help defenders stop nation-state threat actors at machine speed appeared first on CyberScoop.

from CyberScoop https://ift.tt/VhbPvJC

Essentials to Gain 100% Cybersecurity Success: A Comprehensive Approach

In this increasingly digital world, cybersecurity has become more than just an IT concern; it’s a critical aspect of every business’s strategy and operations. With the rise of cyber threats—ranging from ransomware and phishing to insider threats and advanced persistent threats (APTs)—securing your digital infrastructure is no longer optional, but a necessity.

While no system can guarantee 100% security (given the ever-evolving nature of cyber threats), there are essential strategies and practices that can significantly reduce the risk and strengthen your cybersecurity posture. Achieving “100% cybersecurity success” means taking a holistic, multi-layered approach that focuses on prevention, detection, response, and continuous improvement.

Here’s a detailed look at the essentials to achieve a near-total cybersecurity defense:

1. A Robust Cybersecurity Framework: Build from the Ground Up

To lay the foundation for comprehensive cybersecurity, it’s crucial to adopt a well-established cybersecurity framework. Frameworks like NIST (National Institute of Standards and Technology), ISO 27001, and CIS Controls are designed to guide organizations in building and maintaining secure systems and processes. These frameworks offer structured methodologies for protecting digital assets, setting clear guidelines on policies, procedures, and technologies necessary for cybersecurity success.

Key Areas:
•    Risk management and assessment
•    Data protection and privacy
•    Incident response protocols
•    Network security controls

Implementing these frameworks ensures that your organization’s cybersecurity strategy is both comprehensive and effective, addressing threats from multiple angles.

2. Employee Awareness and Training: The Human Element

One of the most vulnerable points in any cybersecurity strategy is the human element. Employees are often the weakest link in the chain, falling victim to phishing scams, social engineering tactics, or careless handling of sensitive data.

Employee training and awareness are fundamental to preventing breaches. Regular training sessions should be conducted to educate staff about:

•    Recognizing phishing emails
•    Best practices for password management
•    How to identify and avoid social engineering tactics
•    Data protection protocols and compliance regulations (like GDPR)

3. A Multi-Layered Defense Strategy: Defense in Depth

A successful cybersecurity strategy requires multiple layers of defense. This defense-in-depth approach ensures that even if one layer is breached, others will still protect critical assets. Implementing several layers of security reduces the risk of a successful attack.

Core Layers Include:

•    Firewalls and Network Security: These are the first line of defense against external threats. Modern firewalls should be capable of inspecting traffic for malicious activity and blocking threats in real time.
•    Endpoint Protection: All devices connected to your network, such as laptops, smartphones, and servers, need to be protected with antivirus software and endpoint detection and response (EDR) systems.
•    Encryption: Encrypting sensitive data, both at rest and in transit, is crucial for ensuring that even if data is intercepted, it cannot be accessed or tampered with.
•    Access Controls: Implementing zero-trust architecture, where every user and device is continuously validated, ensures that only authorized individuals can access critical systems.

4. Incident Detection and Response: Plan for the Worst

No matter how strong your defenses are, there’s always a possibility that a breach could occur. Incident detection is crucial to minimize the impact of an attack. The faster you detect a breach, the faster you can respond and mitigate potential damage.

Key Incident Response Actions:

•    Real-Time Monitoring: Utilize automated threat detection systems, such as SIEM (Security Information and Event Management) solutions, to continuously monitor your network and endpoints for suspicious activity.
•    Behavioral Analytics: These tools help identify unusual patterns of behavior, which can indicate a compromised system or insider threat.
•    Incident Response Plan (IRP): Having a clearly defined IRP ensures that everyone in the organization knows what to do in case of a breach. It should include protocols for containment, investigation, communication, and recovery.

5. Regular Vulnerability Assessments and Penetration Testing

Vulnerabilities in your systems can lead to potential entry points for attackers. Regular vulnerability assessments and penetration testing should be part of your ongoing cybersecurity strategy. These tests simulate attacks on your systems to identify weaknesses before cybercriminals can exploit them.

Penetration testing helps you:
•    Identify software vulnerabilities, unpatched systems, and misconfigurations
•    Test the strength of your defenses
•    Provide insight into areas that need improvement

Frequency: Penetration testing should be conducted every 3-6 months, or whenever major changes are made to your network or infrastructure.

6. Data Backup and Disaster Recovery Plans

A strong cybersecurity strategy includes disaster recovery (DR) and business continuity plans. Ransomware attacks, data breaches, and system failures can bring business operations to a halt. To minimize the impact of such disruptions, organizations must have reliable data backup solutions and DR protocols in place.

Essentials of a Data Backup and DR Plan:

•    Frequent backups: Ensure that critical data is backed up on a regular basis, and that backups are stored securely, ideally in multiple locations (on-site and off-site/cloud).
•    Tested Recovery Procedures: Periodically test recovery plans to ensure that systems can be restored quickly in the event of a breach or failure.
•    Separation of backup systems: Isolate backup systems from production networks to reduce the risk of them being compromised in the event of an attack.

7. Third-Party Vendor Risk Management

In today’s interconnected world, businesses often rely on third-party vendors for critical services, such as cloud storage, payment processing, and software development. However, these vendors can also pose a cybersecurity risk if their own security practices are weak.

Vendor risk management is essential to ensure that any third-party relationships do not expose your organization to unnecessary threats. Key steps include:

•    Evaluating vendor security policies: Before onboarding any vendor, assess their cybersecurity policies and practices.
•    Continuous monitoring: Regularly assess the security posture of third-party vendors to ensure they remain compliant with your organization’s security standards.
•    Contractual Agreements: Ensure that cybersecurity expectations are included in contracts, specifying security measures, data protection requirements, and liability clauses.

8. Compliance with Regulatory Standards

Many industries are subject to strict regulatory frameworks that mandate specific cybersecurity practices. Compliance with regulations such as GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), and PCI DSS (Payment Card Industry Data Security Standard) not only helps businesses protect sensitive data but also ensures they avoid costly penalties.

Regular audits should be conducted to ensure your organization complies with relevant laws and regulations. Failing to meet compliance standards can lead to significant legal and financial consequences, as well as damage to your reputation.

9. Continuous Improvement: Evolving with the Threat Landscape

Cybersecurity is not a one-time effort but a continuous process. New vulnerabilities, threats, and technologies emerge regularly, and businesses must remain agile in adapting their defenses. Regularly review and update your cybersecurity strategy to stay ahead of evolving cyber threats.

•    Stay informed: Subscribe to threat intelligence services to receive updates on emerging threats and vulnerabilities.
•    Engage with the cybersecurity community: Participate in industry forums, cybersecurity conferences, and workshops to stay informed about the latest trends and best practices.

Conclusion: Striving for 100% Success in Cybersecurity

While achieving 100% cybersecurity success is a complex and ongoing process, the principles above lay the groundwork for a robust defense. By adopting a multi-layered security approach, prioritizing employee training, establishing an incident response plan, and continuously evaluating your defenses, you can significantly reduce the risk of cyber threats.

Cybersecurity is not just a technical issue—it’s a culture that must permeate every level of an organization. With a proactive, well-rounded approach, businesses can maximize their chances of achieving “success” in cybersecurity, protecting their assets, reputation, and customers in an increasingly hostile digital landscape.

The post Essentials to Gain 100% Cybersecurity Success: A Comprehensive Approach first appeared on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/Hnjqhkb

GCP Cloud Composer Bug Let Attackers Elevate Access via Malicious PyPI Packages

Cybersecurity researchers have detailed a now-patched vulnerability in Google Cloud Platform (GCP) that could have enabled an attacker to elevate their privileges in the Cloud Composer workflow orchestration service that’s based on Apache Airflow.
“This vulnerability lets attackers with edit permissions in Cloud Composer to escalate their access to the default Cloud Build service account, which

from The Hacker News https://ift.tt/6gvJXde

5 Major Concerns With Employees Using The Browser

As SaaS and cloud-native work reshape the enterprise, the web browser has emerged as the new endpoint. However, unlike endpoints, browsers remain mostly unmonitored, despite being responsible for more than 70% of modern malware attacks.
Keep Aware’s recent State of Browser Security report highlights major concerns security leaders face with employees using the web browser for most of their work.

from The Hacker News https://ift.tt/byDpvaC

Microsoft Secures MSA Signing with Azure Confidential VMs Following Storm-0558 Breach

Microsoft on Monday announced that it has moved the Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and that it’s also in the process of migrating the Entra ID signing service as well.
The disclosure comes about seven months after the tech giant said it completed updates to Microsoft Entra ID and MSA for both public and United States government clouds to

from The Hacker News https://ift.tt/xfieaZC

Akira Ransomware shifts focus to SMBs

Many small and medium-sized businesses (SMBs) operate under the assumption that cybercriminals won’t target them, believing their data or systems lack the value to entice hackers. After all, these businesses often can’t afford the hefty ransoms that typically interest cyber attackers. However, this misconception is increasingly outdated. Hackers have shifted their tactics and are now eyeing SMBs as prime targets.

According to a report by Dark Atlas, a web monitoring platform, cybercriminal groups, particularly those behind Akira Ransomware, have broadened their focus to include smaller businesses, launching double-extortion attacks. In these attacks, cybercriminals not only encrypt a company’s data but also steal it, threatening to release sensitive information unless a ransom is paid.

In 2024 alone, the Akira Ransomware group targeted over 350 organizations globally, generating an estimated $42 million in ransom payments. The majority of this money came from victims in North America.

How These Attacks Work

The method used by these cybercriminals is relatively simple yet effective: they exploit stolen credentials to infiltrate networks that rely on basic, single-factor authentication for security. Once inside, they deploy file-encrypting malware, locking up critical data and demanding a ransom for its release.

The primary targets are SMBs, often with fewer than 100 employees, who typically lack the robust IT resources needed to prevent or respond to such sophisticated attacks. Without dedicated cybersecurity teams, these businesses are particularly vulnerable, leaving them with little choice but to pay the ransom.

Key Targets and Profitable Regions

Research from Dark Atlas indicates that Akira Ransomware’s main targets in 2024 were organizations in North America, Europe, and Australia, where the value of cryptocurrencies against the dollar is high, maximizing the criminals’ profits. Sectors such as education, finance, healthcare, and manufacturing were hit the hardest, with some organizations in the defense industry also affected.

Should You Pay the Ransom?

While paying the ransom might seem like the quickest way to regain access to locked data, experts warn against it. Not only does paying ransom fuel further criminal activity, but it doesn’t guarantee that the attackers will actually provide the decryption key. Additionally, once a company has been attacked, it’s possible that they could be targeted again, especially if security vulnerabilities aren’t addressed.

The post Akira Ransomware shifts focus to SMBs first appeared on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/vwYe7Lr

Whistleblower: DOGE Siphoned NLRB Case Data

A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk’s Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. The NLRB whistleblower said the unusually large data outflows coincided with multiple blocked login attempts from an Internet address in Russia that tried to use valid credentials for a newly-created DOGE user account.

The cover letter from Berulis’s whistleblower statement, sent to the leaders of the Senate Select Committee on Intelligence.

The allegations came in an April 14 letter to the Senate Select Committee on Intelligence, signed by Daniel J. Berulis, a 38-year-old security architect at the NLRB.

NPR, which was the first to report on Berulis’s whistleblower complaint, says NLRB is a small, independent federal agency that investigates and adjudicates complaints about unfair labor practices, and stores “reams of potentially sensitive data, from confidential information about employees who want to form unions to proprietary business information.”

The complaint documents a one-month period beginning March 3, during which DOGE officials reportedly demanded the creation of all-powerful “tenant admin” accounts in NLRB systems that were to be exempted from network logging activity that would otherwise keep a detailed record of all actions taken by those accounts.

Berulis said the new DOGE accounts had unrestricted permission to read, copy, and alter information contained in NLRB databases. The new accounts also could restrict log visibility, delay retention, route logs elsewhere, or even remove them entirely — top-tier user privileges that neither Berulis nor his boss possessed.

Berulis writes that on March 3, a black SUV accompanied by a police escort arrived at his building — the NLRB headquarters in Southeast Washington, D.C. The DOGE staffers did not speak with Berulis or anyone else in NLRB’s IT staff, but instead met with the agency leadership.

“Our acting chief information officer told us not to adhere to standard operating procedure with the DOGE account creation, and there was to be no logs or records made of the accounts created for DOGE employees, who required the highest level of access,” Berulis wrote of their instructions after that meeting.

“We have built in roles that auditors can use and have used extensively in the past but would not give the ability to make changes or access subsystems without approval,” he continued. “The suggestion that they use these accounts was not open to discussion.”

Berulis found that on March 3 one of the DOGE accounts created an opaque, virtual environment known as a “container,” which can be used to build and run programs or scripts without revealing its activities to the rest of the world. Berulis said the container caught his attention because he polled his colleagues and found none of them had ever used containers within the NLRB network.

Berulis said he also noticed that early the next morning — between approximately 3 a.m. and 4 a.m. EST on Tuesday, March 4 — there was a large increase in outgoing traffic from the agency. He said it took several days of investigating with his colleagues to determine that one of the new accounts had transferred approximately 10 gigabytes worth of data from the NLRB’s NxGen case management system.

Berulis said neither he nor his co-workers had the necessary network access rights to review which files were touched or transferred — or even where they went. But his complaint notes the NxGen database contains sensitive information on unions, ongoing legal cases, and corporate secrets.

“I also don’t know if the data was only 10gb in total or whether or not they were consolidated and compressed prior,” Berulis told the senators. “This opens up the possibility that even more data was exfiltrated. Regardless, that kind of spike is extremely unusual because data almost never directly leaves NLRB’s databases.”

Berulis said he and his colleagues grew even more alarmed when they noticed nearly two dozen login attempts from a Russian Internet address (83.149.30,186) that presented valid login credentials for a DOGE employee account — one that had been created just minutes earlier. Berulis said those attempts were all blocked thanks to rules in place that prohibit logins from non-U.S. locations.

“Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating,” Berulis wrote. “There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers.”
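The signal Berulis singles out is a join across two record types: an account-creation audit event and, minutes later, sign-in attempts from a disallowed country that were stopped only by the geo policy, implying the credentials themselves were valid. The following Python is an added example, not part of the Krebs post, that applies that join to constructed audit records; account names, IPs, field names, the allowed-country set and the use of the 15-minute figure as a threshold are assumptions.

```python
"""Join account-creation audit events with sign-in attempts to flag a new account whose
valid credentials are presented from a disallowed country within minutes of creation.
The records below are constructed sample data with assumed field names."""
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US"}               # assumed policy: no out-of-country logins
CREATION_WINDOW = timedelta(minutes=15)  # attempts this soon after creation are the critical case


def build_sample_events():
    """Constructed audit trail: hypothetical accounts, documentation-range IPs."""
    t0 = datetime(2025, 3, 4, 9, 0)
    ev = [
        {"ts": t0, "type": "account_created", "user": "svc_newadmin_01",
         "privileged": True, "audit_logging": False},
        {"ts": t0 - timedelta(days=2), "type": "account_created", "user": "j.ops",
         "privileged": False, "audit_logging": True},
    ]
    # 22 sign-ins from a non-US source, starting 3 minutes after creation; in this (assumed)
    # flow "blocked_geo" means the password was accepted and only the location policy stopped it
    for i in range(22):
        ev.append({"ts": t0 + timedelta(minutes=3, seconds=30 * i), "type": "signin",
                   "user": "svc_newadmin_01", "src_ip": "198.51.100.23", "country": "RU",
                   "result": "blocked_geo"})
    # one geo-blocked attempt against an older account: notable, but outside the creation window
    ev.append({"ts": t0 + timedelta(hours=5), "type": "signin", "user": "j.ops",
               "src_ip": "198.51.100.23", "country": "RU", "result": "blocked_geo"})
    # benign in-country wrong password: no finding
    ev.append({"ts": t0 + timedelta(minutes=1), "type": "signin", "user": "j.ops",
               "src_ip": "10.1.2.3", "country": "US", "result": "failed"})
    return ev


def correlate_new_accounts(events, allowed=ALLOWED_COUNTRIES, window=CREATION_WINDOW):
    """One finding per account that had geo-blocked (credential-valid) sign-ins, rated
    critical when the attempts fall inside the creation window or the creation was unlogged."""
    created = {}  # user -> most recent creation event
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "account_created":
            created[e["user"]] = e
    per_user = defaultdict(lambda: {"attempts": 0, "first": None})
    for e in events:
        if e["type"] != "signin" or e["country"] in allowed or e["result"] != "blocked_geo":
            continue
        agg = per_user[e["user"]]
        agg["attempts"] += 1
        agg["first"] = e["ts"] if agg["first"] is None else min(agg["first"], e["ts"])
    findings = []
    for user, agg in per_user.items():
        c = created.get(user)
        delta = (agg["first"] - c["ts"]) if c else None
        within = c is not None and timedelta(0) <= delta <= window
        unlogged = bool(c and not c["audit_logging"])
        findings.append({
            "user": user,
            "foreign_valid_cred_attempts": agg["attempts"],
            "minutes_after_creation": None if delta is None else round(delta.total_seconds() / 60, 1),
            "within_creation_window": within,
            "privileged": bool(c and c["privileged"]),
            "creation_unlogged": unlogged,
            "severity": "critical" if (within or unlogged) else "high",
        })
    return sorted(findings, key=lambda f: f["severity"])  # "critical" sorts before "high"


if __name__ == "__main__":
    for finding in correlate_new_accounts(build_sample_events()):
        print(finding)
```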

According to Berulis, the naming structure of one Microsoft user account connected to the suspicious activity suggested it had been created and later deleted for DOGE use in the NLRB’s cloud systems: “DogeSA_2d5c3e0446f9@nlrb.microsoft.com.” He also found other new Microsoft cloud administrator accounts with nonstandard usernames, including “Whitesox, Chicago M.” and “Dancehall, Jamaica R.”

A screenshot shared by Berulis showing the suspicious user accounts.

On March 5, Berulis documented that a large section of logs for recently created network resources was missing, and a network watcher in Microsoft Azure was set to the “off” state, meaning it was no longer collecting and recording data like it should have.

Berulis said he discovered someone had downloaded three external code libraries from GitHub that neither NLRB nor its contractors ever use. A “readme” file in one of the code bundles explained it was created to rotate connections through a large pool of cloud Internet addresses that serve “as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.” Brute force attacks involve automated login attempts that try many credential combinations in rapid sequence.

The complaint alleges that by March 17 it became clear the NLRB no longer had the resources or network access needed to fully investigate the odd activity from the DOGE accounts, and that on March 24, the agency’s associate chief information officer had agreed the matter should be reported to US-CERT. Operated by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), US-CERT provides on-site cyber incident response capabilities to federal and state agencies.

But Berulis said that between April 3 and 4, he and the associate CIO were informed that “instructions had come down to drop the US-CERT reporting and investigation and we were directed not to move forward or create an official report.” Berulis said it was at this point he decided to go public with his findings.

An email from Daniel Berulis to his colleagues dated March 28, referencing the unexplained traffic spike earlier in the month and the unauthorized changing of security controls for user accounts.

Tim Bearese, the NLRB’s acting press secretary, told NPR that DOGE neither requested nor received access to its systems, and that “the agency conducted an investigation after Berulis raised his concerns but ‘determined that no breach of agency systems occurred.’” The NLRB did not respond to questions from KrebsOnSecurity.

Nevertheless, Berulis has shared a number of supporting screenshots showing agency email discussions about the unexplained account activity attributed to the DOGE accounts, as well as NLRB security alerts from Microsoft about network anomalies observed during the timeframes described.

As CNN reported last month, the NLRB has been effectively hobbled since President Trump fired three board members, leaving the agency without the quorum it needs to function.

“Despite its limitations, the agency had become a thorn in the side of some of the richest and most powerful people in the nation — notably Elon Musk, Trump’s key supporter both financially and arguably politically,” CNN wrote.

Both Amazon and Musk’s SpaceX have been suing the NLRB over complaints the agency filed in disputes about workers’ rights and union organizing, arguing that the NLRB’s very existence is unconstitutional. On March 5, a U.S. appeals court unanimously rejected Musk’s claim that the NLRB’s structure somehow violates the Constitution.

Berulis shared screenshots with KrebsOnSecurity showing that on the day NPR published its story about his claims (April 14), the deputy CIO at NLRB sent an email stating that administrative control had been removed from all employee accounts. Meaning, suddenly none of the IT employees at the agency could do their jobs properly anymore, Berulis said.

An email from the NLRB’s associate chief information officer Eric Marks, notifying employees they will lose security administrator privileges.

Berulis shared a screenshot of an agency-wide email dated April 16 from NLRB director Lasharn Hamilton saying DOGE officials had requested a meeting, and reiterating claims that the agency had no prior “official” contact with any DOGE personnel. The message informed NLRB employees that two DOGE representatives would be detailed to the agency part-time for several months.

An email from the NLRB Director Lasharn Hamilton on April 16, stating that the agency previously had no contact with DOGE personnel.

Berulis told KrebsOnSecurity he was in the process of filing a support ticket with Microsoft to request more information about the DOGE accounts when his network administrator access was restricted. Now, he’s hoping lawmakers will ask Microsoft to provide more information about what really happened with the accounts.

“That would give us way more insight,” he said. “Microsoft has to be able to see the picture better than we can. That’s my goal, anyway.”

Berulis’s attorney told lawmakers that on April 7, while his client and legal team were preparing the whistleblower complaint, someone physically taped a threatening note to Mr. Berulis’s home door with photographs — taken via drone — of him walking in his neighborhood.

“The threatening note made clear reference to this very disclosure he was preparing for you, as the proper oversight authority,” reads a preface by Berulis’s attorney Andrew P. Bakaj. “While we do not know specifically who did this, we can only speculate that it involved someone with the ability to access NLRB systems.”

Berulis said the response from friends, colleagues and even the public has been largely supportive, and that he doesn’t regret his decision to come forward.

“I didn’t expect the letter on my door or the pushback from [agency] leaders,” he said. “If I had to do it over, would I do it again? Yes, because it wasn’t really even a choice the first time.”

For now, Mr. Berulis is taking some paid family leave from the NLRB. Which is just as well, he said, considering he was stripped of the tools needed to do his job at the agency.

“They came in and took full administrative control and locked everyone out, and said limited permission will be assigned on a need basis going forward,” Berulis said of the DOGE employees. “We can’t really do anything, so we’re literally getting paid to count ceiling tiles.”

Further reading: Berulis’s complaint (PDF).

from Krebs on Security https://ift.tt/1Itx7py