Risky Business #787 -- Trump fires NSA director, CISA cuts inbound

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:

• Oracle quietly cops to being hacked, but immediately pivots into pretending it didn’t matter
• NSA and CyberCom leaders fired for not being MAGA enough
• US Treasury had some dusty corners it hadn’t found China in yet, looked, found China in them
• …which is a great time to discuss slashing CISA’s staffing
• Ransomware crews and bullet proof hosting providers are getting rekt, and we love it
• And Microsoft patches yet another logging 0-day being used in the wild.

This episode is sponsored by Yubico, makers of Yubikey hardware authentication tokens. Yubico’s Vice President of Solutions Architecture and Alliances Derek Hanson joins to discuss how the consumer-centric passkey ecosystem has become a real challenge for enterprises. One that Yubico is actually ideally positioned to solve.

This episode is also available on Youtube.

Show notes

• Oracle privately confirms Cloud breach to customers
• Oracle have finally issued a written notification to customers about their cybersecurity incident.
• Head of NSA and US Cyber Command reportedly fired | Cybersecurity Dive
• Trump fires numerous National Security Council staff - The Washington Post
• Trump administration under scrutiny as it puts major round of CISA cuts on the table | Cybersecurity Dive
• Hackers Spied on US Bank Regulators’ Emails for Over a Year - Bloomberg
• This is how Jeffrey Goldberg got added to the Signal chat
• Cybercriminals are trying to loot Australian pension accounts in new campaign | The Record from Recorded Future News
• $500,000 stolen in Australian super fund data breach | Superannuation | The Guardian
• Australian regulator pulls licenses of 95 companies in effort to crack down on investment scams | The Record from Recorded Future News
• Everest ransomware group’s darknet site offline following defacement | The Record from Recorded Future News
• On March 28, 2025, a threat actor leaked internal data from Medialand, a major bulletproof hosting (BPH) provider long linked to Yalishanda (LARVA-34).
• There's a ransomware group named DragonForce going around hacking its rivals. After Mamona and BlackLock, the group has now hacked RansomHub
• The DragonForce ransomware group hacked two rivals this month
• CISA, experts warn of Crush file transfer attacks as ransomware gang makes threats | The Record from Recorded Future News
• Kill Security Campaign Targets CrushFTP Servers
• National Vulnerability Database | NIST
• Microsoft patches zero-day actively exploited in string of ransomware attacks | CyberScoop
• Exploitation of CLFS zero-day leads to ransomware activity | Microsoft Security Blog
• Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457)