The Department of Know: CISA’s quick patch, Miasma attacks, judge finds AI guilty

This week’s Department of Know is hosted by Rich Stroffolino, with guests Brett Conlon, CISO, American Century Investments, and Jason Thomas, senior director, technology security, governance, and risk, Cystic Fibrosis Foundation.

Missed the live show? Check it out on YouTube.

The Department of Know is live every Friday at 4:00 p.m. ET. Join us each week by registering for the open discussion at CISOSeries.com.

In this week’s cybersecurity news…

‘Nightmare Eclipse’ drops Windows 0-day

Just hours after Microsoft’s biggest Patch Tuesday ever, the security researcher known as ‘Nightmare Eclipse’ released exploit code for a new Microsoft Defender flaw called RoguePlanet, which they claim works on fully patched Windows 10 and 11 systems. The bug could let an attacker gain SYSTEM-level control of a machine. Early testing by security researcher Will Dormann of Tharros Labs suggests the exploit is viable, though not completely reliable, since it involves a race condition. Researchers at ThreatLocker also confirmed its viability. ‘Nightmare Eclipse’ backed away from earlier threats of a big July vulnerability dump, saying the latest exploit took more time and effort than expected, but said that they had several Defender exploits still in their bag.

(The Register)

Anthropic releases Claude Fable 5

Ever since Mythos Preview was announced, everyone has been itching to get access to Anthropic’s new model. A general release of Mythos still seems to be a way off, but Anthropic is getting closer, releasing the “Mythos-class” Fable 5 model. Anthropic says this model operates similarly to Mythos in terms of knowledge work, vision, and long-running tasks, but has targeted blocks in place. For areas ripe for misuse, such as cybersecurity and biology, Fable 5 will fall back to Opus 4.8-level performance. Anthropic claims that 95% of sessions run on Fable 5’s native capabilities and that external bug bounty and red-teaming efforts failed to uncover critical bypasses or universal jailbreaks.

(Security Week)

GitHub to disable npm install scripts by default to stop supply chain attacks

GitHub has announced what it describes as “breaking changes” coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats. These changes are designed to deal with attack techniques that abuse the “npm install” command to trigger the execution of malicious code using npm lifecycle hooks. GitHub describes install-time lifecycle scripts as the “single largest code-execution surface in the npm ecosystem.” The idea going forward is to require explicit user approval before code execution is initiated automatically during “npm install,” as opposed to being trusted by default.

(The Hacker News)

French government messaging service breached

The digital affairs directorate of the French government, DINUM, warned that threat actors breached the government’s encrypted messaging app, Tchap. This service was developed by DINUM with the French cybersecurity agency ANSSI back in 2018, based on the Matrix protocol. DINUM said a threat actor gained access to the service through a compromised user account. A threat actor taking credit for the breach said they stole hardcoded LDAP credentials shared by the French tax authority and stole over 13 gigabytes of documents, as well as information on over 73,000 accounts. DINUM said it blocked access to the compromised account and is reviewing logs to see what conversations they had access to.

(Bleeping Computer)

Huge thanks to our episode sponsor, Doppel

CISA wants federal agencies to patch, lickety-split

The agency is tightening federal patching requirements, giving other agencies three days to fix the highest-risk vulnerabilities, specifically flaws that are actively exploited, internet-facing, automatable, and capable of giving attackers control of a system. CISA officials say this is necessary because AI is making it easier for attackers to find and exploit vulnerabilities at scale. CISA says not every bug needs urgent attention, but those dangerous ones can’t sit unpatched for weeks anymore.

(The Record)

A big week for Miasma: worm attacks 73 Microsoft GitHub repositories

The ongoing self-replicating supply chain attack campaign hit 73 Microsoft-owned GitHub repositories “across four of its GitHub organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs,” according to OpenSourceMalware. The development has forced GitHub to disable access to those repositories. As opposed to being a standalone attack, this particular campaign involves the “re-compromise of the ‘durabletask’ PyPI package, which was infected by TeamPCP last month to deliver an information stealer on Linux systems.”

In related news, the source code for Miasma was briefly published on GitHub through compromised developer accounts. SafeDep researchers say the release appears intentional and reveals a highly advanced framework that steals cloud and developer credentials, compromises software packages and repositories, and even targets coding tools like Claude, Gemini, Cursor, Copilot, and Cline.

(The Hacker News, BleepingComputer)

Judge throws the book at AI 

File this under too good to pass up. Senior United States District Judge for the Northern District of Mississippi, Sharion Aycock, issued a sanctions order against both sides of a federal court case, saying this court is yet again “burdened with addressing AI hallucinations in court filings.” The case involved a contract dispute with the city of Aberdeen, Mississippi, about unpaid legal fees. However, both sides cited nonexistent, hallucinated cases in their arguments, in what was described as “paying for ChatGPT to argue against itself.” Judge Aycock canceled the trial, disqualifying all four lawyers involved, barring two from appearing in court for two years, and issuing fines up to $3,500. One attorney, Kathleen Wilson, had already been cited multiple times for AI-hallucinated filings, going back to January.

(404 Media)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.