"New data from The Conference Board and The Business Council shows 65% of blue-chip CEOs now rank cyberattacks as a top business risk, outpacing every other threat category. That's up from 56% just one quarter ago. Cybersecurity now ranks ahead of inflation, geopolitical instability, trade disruptions, and broader economic uncertainty risks. For years, cybersecurity professionals have argued that cyber risk is a business problem, not just an IT problem. Based on this data, CEOs now strongly agree." - Danny Jenkins
From the ThreatLocker blog
LLMShare, business email compromise, and ISO 27001 guide
What's happening: The LLMShare campaign is a malvertising campaign that abuses Google Ads to send users searching for ChatGPT to a malicious page hosted on chatgpt.com. Clicking on the ad took users to a legitimate chatgpt.com/s/ URL, a shared content link from OpenAI which displayed a fake outage notice, and encouraged users to download the desktop app instead. Push Security noted the fake outage notice was generated from custom HTML and CSS rendered by a ChatGPT prompt, making it a web page inside a web page.
Why it matters: The domain belongs to OpenAI, so reputation-based controls and domain-focused rules are less likely to flag the content as suspicious. The infrastructure was also designed to evade vulnerability scanners. When tools like URLScan visited the site, they were directed to a harmless website. Real users on the other hand were directed to the malicious content.
The big picture: Trust is a liability, and attackers will exploit it wherever possible. That is why Zero Trust focuses on what can execute, not only where it originates. See how Zero Trust could stop the LLMShare campaign.
What's happening: BEC is one of the most financially devastating cyberattacks, and the fact that attacks often originate from legitimate accounts makes it especially dangerous. BEC attacks often involved executive impersonation and fraudulent invoices. They are more targeted than phishing campaigns and rely on deception and urgency rather than malware deployment. Common indicators include urgent payment or wire transfer requests, contact outside business hours, and instructions to bypass standard approvals.
Why it matters:Remote work and the reliance on cloud email platforms have made BEC more successful and more profitable for attackers compared to technical exploits. Attackers are exploiting people more than software.
The big picture: Containing BEC requires Zero Trust. Training employees to recognize common threats is not enough in the face of AI-generated, highly personalized phishing emails or voice phishing attacks. How Zero Trust can help contain BEC.
What's happening: ISO 27001 is a globally recognized framework for information security. It is a risk-based standard that instructs companies to assess their specific risks and apply the controls that apply most directly. Companies maintain compliance internally by following the standard's rules, and to achieve certification, an accredited third-party auditor must review your Information Security Management System (ISMS). Finance and healthcare organizations often use ISO 27001 as the foundation of their legal requirements, and SaaS companies often need certification to work with enterprise organizations.
Why it matters:Being ISO 27001 certified, rather than just compliant, offers a competitive advantage. It signals to prospects and customers that you take security seriously, and it can reduce friction in sales cycles. ISO 27001 also maps cleanly to GDPR, CCPA, HIPPA, and NIST CSF, reducing compliance effort.
The big picture: While customers and partners want to see certifications like ISO 27001, attackers don't care. Obtaining ISO 27001 certification is a long, complicated process, but defense doesn't stop once it's achieved. Your complete guide to ISO 27001 compliance and certification.
Zero Trust World isn't your average cybersecurity conference. At ZTW27, you'll get:
More hands-on labs, learning experiences, and CPE credit opportunities
The industry's leading speakers, podcast hosts, and hackers
Networking with 2,000+ security and IT professionals
Join us February 17-19 at Loews Universal Orlando:
Hotel booking info to be announced in the coming weeks.
Threats you need to know
Attackers manipulate AI and Mini Shai-Hulud is back again
Attackers manipulate Meta's AI support to compromise accounts
AI support bot is easily fooled
What's happening: Instructions on how to trick Meta's AI support assistant recently circulated on Telegram, and shortly after, the official Instagram accounts for the Obama White House and Chief Master Sergeant of the U.S. Space Force were compromised. The exploit is remarkably simple. The attack involved a VPN connection and IP address in or near the target's location, requesting a password reset, and telling the support bot to send the reset code to a new email. Meta announced that the issue was resolved and no back-end database was breached.
Why it matters: AI support bots are heavily used in the context of account recovery, both on social media and elsewhere, and this incident highlights how they can be socially engineered just as easily as people.
The big picture: Maintaining control and visibility into AI tools remains a weak point for many organizations, and its importance grows daily.
@redhat-cloud-services packages backdoored with credential-stealing worm
What's happening: On June 1, multiple packages under the Red Hat npm namespace were backdoored to target npm tokens, GitHub tokens, cloud credentials, and secrets. The campaign, codenamed Miasma, closely resembles the Mini Shai-Hulud project from TeamPCP. Red Hat confirmed the compromise affected hundreds of Node.js components but stated that no compromised versions are used by any Red Hat software.
Why it matters:It is not yet known who is behind the attack. TeamPCP open-sourced attack tools linked to the Shai-Hulud worm making it easier for threat actors to replicate similar attacks and harder for defenders to identify them. Evolving from previous versions, this malware has been found to generate a uniquely encrypted payload for each infection, making detection and tracking more challenging.
The big picture: This is a notable evolution in the cybercrime ecosystem where threat actors learn from previous campaigns and modify them to evade defenses. It also highlights a growing trend of attacking CI/CD pipelines, workflows, and more processes that support enterprise and Dev/Ops environments. Read the full Miasma threat analysis from ThreatLocker Threat Intelligence.
ThreatLocker events
Meet the Cyber Hero Team in person at these upcoming events
Identiverse | June 15-18 Las Vegas, Nevada
Kaseya DattoCon Europe | June 16–18 Prague, CZ
RMISC | June 23-25 Denver, Colorado
SANSFIRE | July 14–15 Washington D.C.
Black Hat USA | August 1–6 Las Vegas, Nevada
Technology in Government | August 4–5 Canberra, AU