Brief #145: CISO Liability Hits 78%, Trump Bans Anthropic, Check Point's $150M AI Push
Nikoloz Kokhreidze
Insider risk costs surge to $19.5M per org as shadow AI creates invisible data loss. CISA leadership in chaos during government shutdown.
Happy Sunday!
In this week's brief:
- Israel-Iran Cyber-Kinetic Operation: Israel dropped Iran's internet to 4% connectivity during a coordinated military-cyber strike, paralyzing government agencies and IRGC communications.
- Shadow AI Is Bleeding You Dry: Insider risk costs hit $19.5M per org, and 73% of companies say unauthorized AI use is creating invisible data loss paths while only 18% have governance in place.
- Check Point's $150M Israeli Acquisition Spree: Check Point picked up Cyclops and Cyata to build out agentic exposure management and unsupervised AI agent security.
Threats
Israel Launches Largest Cyberattack in History, Plunging Iran to 4% Internet Connectivity
- A massive coordinated cyberattack accompanied Operation "Roar of the Lion," dropping Iran's internet connectivity to just 4% of normal levels according to NetBlocks, while paralyzing critical infrastructure, government news agencies including IRNA and Tasnim, and IRGC communications systems.
- The operation combined electronic warfare, DDoS attacks, and deep intrusions into energy and aviation infrastructure, reportedly preventing Iranian forces from coordinating counterattacks and disrupting drone and ballistic missile launch capabilities.
- Security teams should treat this as a case study in how cyber operations now run parallel to kinetic military strikes, reinforcing the need for resilient, air-gapped backup communications and incident response plans that assume total internet loss scenarios.
Canadian Tire Data Breach Exposes 38 Million Customer Accounts Across Multiple Retail Brands
- Canadian Tire Corporation confirmed that an October 2025 breach of its e-commerce database exposed 42 million records containing 38.3 million unique email addresses, names, phone numbers, physical addresses, and PBKDF2-hashed passwords across Canadian Tire, SportChek, Mark's, and Party City brands.
- The dataset, now added to Have I Been Pwned, also included partial credit card data for a subset of users; 86% of the exposed emails were already present in HIBP from previous breaches, compounding credential stuffing and phishing risks.
- Organizations running multi-brand e-commerce platforms should audit shared database architectures for lateral exposure risk, enforce credential rotation across all linked storefronts, and deploy monitoring for targeted phishing campaigns using the exposed personal data.
North Korea's APT37 Deploys "Ruby Jumper" Toolkit to Breach Air-Gapped Networks via USB
- Zscaler ThreatLabz uncovered a five-tool malware toolkit (RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE) used by North Korean group APT37 to bridge air-gapped systems by weaponizing removable USB drives, hiding files in fake Recycle Bin folders, and replacing legitimate files with malicious LNK shortcuts.
- The campaign disguises a full Ruby 3.3.0 runtime as a USB utility (usbspeed.exe), hijacks RubyGems to auto-load malware every five minutes, and uses Zoho WorkDrive as command-and-control infrastructure, marking the first documented abuse of this cloud service by the group.
- Organizations relying on air-gapped environments for critical infrastructure or classified operations should enforce strict removable media controls, monitor for unexpected LNK execution and hidden directories on USB drives, and block unauthorized Ruby runtimes on endpoints.
CISO Lens
Splunk Report: 78% of CISOs Now Concerned About Personal Liability for Security Incidents
- Splunk's 2026 CISO Report found that personal liability concerns jumped from 56% to 78% year over year, while nearly all respondents said AI governance and risk management now fall under their direct responsibility, expanding the role well beyond traditional detection and response.
- 85% of CISOs cited low cybersecurity fluency among non-technical executives as a collaboration obstacle, and 41% said they cannot directly correlate security ROI to risk mitigation, making budget justification and board communication persistently difficult.
- Security leaders should formalize documentation practices around risk decisions, build structured board reporting frameworks that translate operational metrics into business language, and proactively define AI governance policies before oversight gaps become liability triggers.
CISA Leadership Shakeup as Acting Director Removed Amid Government Shutdown and Geopolitical Tensions
- CISA's acting director Madhu Gottumukkala was moved to a different DHS role after a tenure marked by failed polygraph tests, uploading sensitive documents to public ChatGPT, and attempted removal of the agency's CIO, with Nick Andersen (executive assistant director for cybersecurity) now serving as acting director.
- The transition comes while two-thirds of CISA staff are furloughed during the DHS government shutdown, the nominated permanent director Sean Plankey remains stuck in Senate confirmation, and former officials warn that geopolitical tensions with Iran could trigger retaliation against U.S. infrastructure.
- For security leaders dependent on federal threat intelligence and coordination, this signals a period where CISA's partnership capacity is diminished. Teams should diversify threat intel sources and stress-test incident response plans that don't assume timely federal support.
Insider Risk Costs Hit $19.5M Per Organization as Shadow AI Creates Invisible Data Loss Paths
- The 2026 Cost of Insider Risks Report from Ponemon Institute found that average annual insider incident costs reached $19.5 million per organization, up 20% since 2023, with negligent employee behavior driving $10.3 million of that total across an average of 14 incidents per company.
- 73% of organizations say unauthorized AI use is creating invisible data exfiltration paths, yet only 18% have integrated AI governance into insider risk programs and just 13% have formally adopted AI into business strategy, leaving a massive visibility gap as employees routinely feed source code, legal documents, and architecture diagrams into public LLMs.
- CISOs should classify AI agents as insider-equivalent identities with delegated authority and access, invest in behavioral intelligence and privileged access management (which delivers $6.1M in average cost savings), and close the governance gap before shadow AI normalizes unmonitored data flows across the organization.
AI & Security
Trump Orders Federal Ban on Anthropic as Pentagon Designates AI Company a Supply Chain Risk
- President Trump ordered all federal agencies to immediately cease using Anthropic's technology after the company refused Pentagon demands to remove contractual restrictions on using Claude for autonomous weapons and mass domestic surveillance, escalating a months-long dispute over a $200 million classified network contract.
- Defense Secretary Hegseth designated Anthropic a "Supply-Chain Risk to National Security", a classification typically reserved for foreign adversaries, which could force any Pentagon contractor to prove they don't use Anthropic products, potentially threatening the company's broader enterprise customer base despite its $380 billion valuation.
- The immediate security implication: organizations with federal contracts should audit their AI toolchain dependencies for Anthropic exposure, while all enterprises should treat this as a case study in vendor concentration risk when building critical workflows on any single AI provider.
North Korean Contagious Interview Campaign Evolves with Custom Bytecode VM, GitHub Gists, and Akira Stealer Delivery via VSCode
- Abstract Security's ASTRO team documented new payload staging infrastructure in the DPRK-linked Contagious Interview campaign, now abusing GitHub Gists, Google Drive, short URL services, and custom domains alongside the established VSCode/Cursor tasks.json auto-execution vector that fires malware when developers open malicious repositories.
- A newly observed loader uses a custom stack-based bytecode virtual machine to execute obfuscated payloads, while one infection chain delivers PyArmor-protected Python that drops Akira Stealer, a commodity infostealer targeting browser credentials, crypto wallets, and chat applications, complicating attribution beyond typical DPRK tooling.
- Development teams should disable automatic task execution in VSCode and Cursor, enforce mandatory code review of .vscode/tasks.json before granting workspace trust, and treat any repository received through recruitment channels as hostile until verified by security.
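One way to support the tasks.json review recommended above, as an added example that is not from the newsletter or from Abstract Security: a small Python audit that lists every task set to start on its own when a folder is opened. It assumes the auto-execution is configured through VS Code's `runOptions.runOn` set to `folderOpen`, a setting the brief does not name; the function names and the sample file are hypothetical.

```python
import json
from pathlib import Path

def strip_jsonc(text):
    """tasks.json is JSON with comments: drop comments and trailing commas outside strings."""
    out, i, n, in_str, comma_at = [], 0, len(text), False, None
    while i < n:
        c = text[i]
        if in_str:
            step = 2 if c == "\\" else 1      # keep escaped characters such as \" intact
            out.append(text[i:i + step])
            in_str = c != '"'
            i += step
            continue
        if text.startswith(("//", "/*"), i):
            line = text[i + 1] == "/"
            end = text.find("\n" if line else "*/", i + 2)
            i = n if end < 0 else end + (0 if line else 2)
            continue
        if c in "}]" and comma_at is not None:
            out[comma_at] = ""                # trailing comma before a closing bracket
        if not c.isspace():
            comma_at = len(out) if c == "," else None
        in_str = c == '"'
        out.append(c)
        i += 1
    return "".join(out)

def find_autorun(tasks_json_text):
    """Return (label, command) for each task set to run when the folder is opened."""
    try:
        tasks = json.loads(strip_jsonc(tasks_json_text)).get("tasks", [])
        return [(t.get("label", ""), str(t.get("command", ""))) for t in tasks
                if (t.get("runOptions") or {}).get("runOn") == "folderOpen"]
    except (ValueError, AttributeError, TypeError):
        return [("<unparseable>", "review by hand")]  # fail closed: never skip silently

def scan_repo(root):  # {path: findings} for every .vscode/tasks.json under root
    return {str(p): find_autorun(p.read_text(encoding="utf-8", errors="replace"))
            for p in Path(root).rglob("tasks.json") if p.parent.name == ".vscode"}

# Constructed sample: a benign stand-in for a repository received through a recruiter.
SAMPLE = '''{ // a comment mentioning "runOn": "folderOpen" must not count
  "tasks": [
    {"label": "build", "type": "shell", "command": "make",},
    {"label": "env-setup", "command": "node ./scripts/setup.js",
     "runOptions": {"runOn": "folderOpen"}, /* auto-run */ },
  ],
}'''
```

Run `scan_repo` on a fresh clone before opening it in the editor; any non-empty finding list, including the unparseable marker, is a reason to read the file before granting workspace trust.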
OWASP Releases AI Red Teaming Vendor Evaluation Criteria for GenAI Systems
- OWASP published comprehensive vendor evaluation criteria to help organizations assess AI red teaming providers and automated tools, addressing both simple chatbots and advanced multi-agent systems with tool-calling capabilities.
- The guide identifies critical red flags including vendors using stock jailbreak libraries, lack of multi-turn testing capabilities, and inability to evaluate stateful systems with memory and cross-session behavior analysis.
- Organizations should prioritize vendors demonstrating green flags such as reproducible adversarial evaluations, custom testing with novel findings, human verification of critical results, and actionable remediation guidance mapped to business impact.
Market Intelligence
LevelBlue Acquires Fortra's Alert Logic MDR Business to Strengthen Global MDR Position
- LevelBlue, the world's largest pure-play MSSP, acquired the managed services division of Fortra's Alert Logic MDR, XDR, and WAF solutions as part of a broader strategic partnership.
- The acquisition expands LevelBlue's global footprint and provides Alert Logic clients with access to broader threat telemetry and accelerated detection and response capabilities across complex environments.
- Fortra will become a leading technology partner for LevelBlue, making its offensive and defensive security solutions available to LevelBlue's global client base while strengthening both companies' market positions.
Westcon-Comstor Acquires REAL Security to Enter Balkans Market
- Global technology distributor Westcon-Comstor expanded into the Balkans region by acquiring Slovenia-based REAL Security, a value-added cybersecurity distributor operating across eight countries since 2002.
- REAL Security has built market-leading cybersecurity expertise in Slovenia, Croatia, Bosnia and Herzegovina, Serbia, Kosovo, Montenegro, Albania and North Macedonia, connecting major vendors with resellers and managed service providers.
- The acquisition provides Westcon-Comstor with proven local capability and represents their first deal since acquiring AWS consultancy Rebura in January 2024, strengthening their European cybersecurity portfolio.
Check Point Acquires Cyclops and Cyata for $150 Million in Strategic Israeli Cyber Push
- Check Point is acquiring Cyclops Security (estimated $85 million) and Cyata ($8.5 million in previous funding) along with acqui-hiring Rotate's team, totaling approximately $150 million to expand its domestic Israeli cybersecurity capabilities.
- Cyclops offers an agentic exposure management platform built on cybersecurity mesh architecture that allows security teams to query their environment using natural language for vulnerability and compliance insights.
- Cyata specializes in securing unsupervised AI agents operating across enterprise environments, providing visibility and control over autonomous bots, copilots, and chatbots that can execute code and access sensitive data outside traditional identity frameworks.
Security Stack
Allama: Open-Source AI Security Automation Platform
Open-source SOAR alternative with 80+ integrations across SIEMs, EDR, identity providers, and ticketing systems, using AI agents (supports external and self-hosted LLMs via Ollama) to enrich, triage, and act on alerts through visual drag-and-drop workflows.
OpenClaw Scanner: Detect Autonomous AI Agents Across Your Environment
Free open-source scanner that identifies instances of OpenClaw (MoltBot) autonomous AI agents operating across corporate environments, including agents that can execute tasks, access local files, and authenticate to internal systems without centralized oversight.
Brutus: Multi-Protocol Credential Testing Tool in Pure Go
Open-source credential testing tool written in pure Go that ships as a single binary with zero external dependencies, replacing legacy brute-force tools plagued by dependency conflicts and integration gaps.
Thank you for reading this week's brief.
Talk to you in the next one.
Nikoloz