This week’s Department of Know is hosted by Sarah Lane with guests Jon Collins, Field CTO, GigaOm, and Adam Palmer, CISO, First Hawaiian Bank
Missed the live show? Check it out on YouTube
The Department of Know is live every Monday at 4:00 p.m. ET. Join us each week by registering for the open discussion at CISOSeries.com
VoidLink exhibits multi-cloud capabilities and AI code
Researchers at Ontinue analyzed a Linux-based malware framework called VoidLink that can persist across enterprise and multi-cloud environments, including AWS, Azure, Google Cloud, Alibaba, and Tencent. It steals credentials, fingerprints systems, escapes containers, and hides at the kernel level, while using encrypted traffic that mimics normal web activity. Analysts say the code shows clear signs of AI-assisted development, with leftover debug logs and structured phase labels, suggesting it was generated by an LLM with limited human review.
New zero-click flaw in Claude Desktop Extensions
LayerX researchers found a zero-click vulnerability in Claude Desktop Extensions that could let attackers execute code on a victim’s system using a malicious Google Calendar event, affecting more than 10,000 users and earning a CVSS 10.0 rating. The flaw stems from how the extensions chain tools together with full system privileges and no sandboxing, letting low-risk inputs trigger high-risk actions. LayerX says Anthropic declined to fix it, stating that the issue falls outside its threat model because users choose which extensions and permissions to enable.
China rehearsing cyberattacks on critical infrastructure
Leaked technical documents reviewed by Recorded Future show China using a secret cyber-range platform called “Expedition Cloud” to rehearse attacks on the critical infrastructure of nearby countries. The system replicates real-world power, transport, and smart-home networks, letting reconnaissance and attack teams practice operations and analyze results in detail, potentially with AI-assisted automation. The platform points to state sponsorship and is potential evidence that China is preparing offensive cyber campaigns despite official denials.
Huge thanks to our sponsor, Conveyor

Meet Conveyor’s new Trust Center Agent.
The Agent lives in your Conveyor Trust Center and answers every customer question, surfaces documents and even completes full questionnaires instantly so customers can finish their review and be on their way.
Top tech companies like Atlassian, Zapier, and more are using Conveyor to automate away tedious work. Learn more at www.conveyor.com.
Google-Intel security audit reveals TDX vulnerability
Google and Intel found five vulnerabilities and more than 35 bugs in Intel’s Trust Domain Extensions (TDX), a hardware-based confidential computing feature designed to protect virtual machines in cloud environments. One flaw could let a malicious host fully compromise a protected virtual machine and access its decrypted state. Intel says it has patched the issues, which were uncovered during a five-month joint security review by Google’s cloud security team and Intel researchers.
SolarWinds attacks highlight risks of exposed apps
Attackers are exploiting vulnerabilities in SolarWinds Web Help Desk, with incidents tied to Internet-exposed instances that gave threat actors an initial foothold, according to Microsoft and Huntress. CISA recently added a critical deserialization bug to its Known Exploited Vulnerabilities list, while scans found around 170 vulnerable systems online. Once inside, attackers used living-off-the-land tools and remote management software to move laterally, deploy tunnels and forensics tools, and target high-value assets.
135,000+ OpenClaw instances exposed to internet
SecurityScorecard researchers say more than 135,000 internet-exposed instances of the open-source AI agent platform OpenClaw are vulnerable, in part because the software listens on all network interfaces by default and many users never change that setting. The tool has been linked to multiple high-risk flaws and data-leak issues, and more than 50,000 exposed systems are still susceptible to a patched remote-code-execution bug. The platform’s design and widespread insecure deployments could give attackers access to credentials, files, and other sensitive data across both personal and corporate systems.
EU grants Google approval for Wiz
Google has secured unconditional EU antitrust approval for its $32 billion acquisition of cloud security firm Wiz, Google’s biggest-ever deal. European regulators said the purchase wouldn’t raise competition concerns because customers would still have alternatives to Google in cloud infrastructure, like Amazon and Microsoft. The deal was first announced in March of 2025 and is expected to strengthen Google’s cybersecurity offerings and its position in the cloud market.
(Reuters)