Cybersecurity News: CISA cuts planned, Windows ‘inetpub’ warning, health lab breach

In today’s cybersecurity news…

Major workforce cuts planned for CISA

The agency is working on plans to “slash staffing and spending amid increased scrutiny from the White House, which is still chafing over what it sees as CISA’s role in suppressing conservative viewpoints.” Half of its full-time staff – 1,300 people – face removal, along with 40 percent of its contractors, according to a source with direct knowledge of the developing plans, speaking to Recorded Future News. A timetable for the announcement is also not yet set, they said.

(The Record)

Microsoft warns Windows users not to delete ‘inetpub’ folder

This new, empty folder, named inetpub, was created by Microsoft's April 2025 Windows security update. The folder is part of the Microsoft Internet Information Services (IIS) web server platform; however, after the new update, Windows users have found a newly created C:\inetpub folder on their systems, even if they do not use IIS. Although researchers at BleepingComputer believe the folder may be part of the remediation of a Windows Process Activation elevation of privilege vulnerability, Microsoft states this folder should not be deleted, regardless.

(BleepingComputer)

Data breach at testing lab affects 1.6 million people

A provider of medical testing services, Seattle-based Laboratory Services Cooperative, is now notifying 1.6 million individuals about personal information that was stolen in an October 2024 data breach. The data potentially includes PII along with medical treatment and care records and payment details including bank accounts and payment cards. Some of the victims are employees and some of the patients affected are Planned Parenthood patients.

(Security Week)

U.S. to sign Pall Mall spyware pact

In more developments from the recent Pall Mall conference, the State Department has announced that the U.S. “plans to sign an international agreement designed to govern the use of commercial spyware.” This comes just about a week after 21 other countries signed this “voluntary and non-binding Code of Practice outlining how they intend to jointly regulate commercial cyber intrusion capabilities (CCICs) and combat spyware companies whose products have been increasingly used to target civil society.” Although the Pall Mall conference took place just recently, the Code of Practice is the result of a year of diplomatic negotiations known as the Pall Mall Process.

(The Record)

Improved Tycoon2FA phishing kit targets Microsoft 365

Tycoon2FA (not Typhoon) is a phishing-as-a-service (PhaaS) platform already known for its ability to slip past multi-factor authentication on Microsoft 365 and Gmail accounts. Researchers at Trustwave now say that the threat actors behind this tool have added improvements such as the use of invisible Unicode characters to hide binary data within JavaScript. This “allows the payload to be decoded and executed as normal at runtime while evading manual (human) and static pattern-matching analysis.” Also on board: a switch from Cloudflare Turnstile to a self-hosted CAPTCHA rendered via HTML5 canvas with randomized elements, and the inclusion of anti-debugging JavaScript that detects browser automation and analysis tools.

(BleepingComputer)
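
A defender-side check for the obfuscation described above, as an added example that is not from Trustwave, BleepingComputer or this page: it flags long runs of invisible code points in JavaScript source, which a visual review or a plain pattern match would miss. The code-point list, the `minRun` threshold and the sample input are assumptions of this example.

```javascript
// Code-point list and thresholds are assumptions of this added example.
const INVISIBLE = new Set([
  0x00ad,                         // soft hyphen
  0x115f, 0x1160, 0x3164, 0xffa0, // Hangul fillers
  0x180e,                         // Mongolian vowel separator
  0x200b, 0x200c, 0x200d, 0x2060, // zero-width space/non-joiner/joiner, word joiner
  0x2061, 0x2062, 0x2063, 0x2064, // invisible math operators
  0xfeff,                         // zero-width no-break space (BOM)
]);

function findInvisibleRuns(source, minRun = 16) {
  const findings = [];
  let line = 1;
  let run = null; // current run of invisible code points, or null
  const close = () => {
    if (run && run.length >= minRun) {
      findings.push({
        line: run.line,
        offset: run.offset,
        length: run.length,
        codePoints: [...run.seen].sort((a, b) => a - b)
          .map((cp) => "U+" + cp.toString(16).toUpperCase().padStart(4, "0")),
        // Two symbols in whole bytes is the shape of bit-encoded data.
        binaryLike: run.seen.size === 2 && run.length % 8 === 0,
      });
    }
    run = null;
  };
  let offset = 0;
  for (const ch of source) {          // iterates by code point
    const cp = ch.codePointAt(0);
    if (INVISIBLE.has(cp)) {
      run = run || { line, offset, length: 0, seen: new Set() };
      run.length += 1;
      run.seen.add(cp);
    } else {
      close();
      if (ch === "\n") line += 1;
    }
    offset += ch.length;              // UTF-16 offset into the string
  }
  close();
  return findings;
}

// Constructed sample: 16 filler characters standing in for two encoded bytes.
const bits = "0100100001101001";
const hidden = [...bits].map((b) => (b === "0" ? "\uFFA0" : "\u3164")).join("");
const SAMPLE = `const label = "a\u200Db";\nconst carrier = { "${hidden}": 1 };\n`;
```

A single zero-width joiner, as in the sample's first line, stays below the threshold, so ordinary emoji sequences and joined scripts do not trigger a finding.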

Oregon Department of Environmental Quality suffers cyberattack

The Oregon Department of Environmental Quality, an agency that regulates the quality of air, land and water in the state, says it has found no evidence of a data breach following a cyberattack that occurred last week. Lauren Wirtis, a DEQ spokesperson, said vehicle inspection stations were closed on Friday and that employee emails and servers are “expected to be down through the end of the week as the agency continues to check its computer systems.” The source of this attack has not yet been confirmed.

(OregonLive)

Gamaredon strikes military mission with infected USB drive

The Russia-linked threat actor known as Gamaredon, Shuckworm and Blue Alpha is already known for its attacks and espionage activities against Ukraine. This latest attack focused on the military mission of an undisclosed country, based in Ukraine. According to researchers at Symantec, the attackers used an infected removable drive to deliver an updated version of a known malware called GammaSteel.

(The Hacker News)

Microsoft Recall continues to be a thing

Microsoft is quietly introducing the controversial screenshotting app into the Windows 11 Release Preview channel for Copilot+ PCs, signaling its near readiness for general availability. Designed to operate as a screenshot record of everything a person does on a Windows computer, it was withdrawn temporarily last year over security concerns. On Thursday, Microsoft put Windows 11 Build 26100.3902 into the Release Preview channel – the final stop before mainstream release – with Recall included. The company says Recall will be an opt-in feature that will roll out gradually.

(The Register)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.