A
All right, what's up, everybody? Good morning. How are you? Welcome to the party. Got a little scratch in my throat. Hopefully it doesn't turn into anything, but. Welcome to Simply Cyber's Daily Cyber Threat Brief podcast. I'm your host, Dr. Gerald Auger. And over the next hour, if you're looking to stay current on the top cyber news stories of the day while going beyond the headlines to get additional insights and additional value, well then stick around, because that's what we do every single day here at 8:00am Eastern Time, alongside, right above my head, the Simply Cyber community. Coming to you live from the Buffer Rosa Flow studio. Welcome to the show. Get your coffee, let's get cooking. All right. Good morning, everybody. I am pumped to be here. Like I said, my throat is a little scratchy scratch. Woke up in the middle of the night, had to grab a little cup of water and be like, oh, no, I hope this isn't a thing. But good morning, everyone. Yes, Simply Cyber Daily Cyber Threat Brief. Now listen, it's an hour long show, but we, we have a good time. We mess around. So what we argue is that 30 minutes of it is instructor-led webinar. 30 minutes of it is all about good times. And if you're really into cyber security, the whole thing's all about good times. But I do want you to know every single episode of the Daily Cyber Threat Brief is worth half a CPE. So say what's up in chat. Very simple. Grab a screenshot once a year, count those screenshots up, divide by two. Because every CPE is one hour long, or one hour of education, and we say that the show's half an hour, so, you know, basically that's what's cracking. So grab your screenshots, get your CPEs here and relax. Have a good time. Now, I also want to say shout out to all the first timers in chat. It is a federal holiday. I guess, you know, not to downplay Easter Monday, but I, I know Easter was yesterday. Happy Easter to everybody. 
For those who celebrate Easter, but my understanding is today's a federal holiday, so kids are on spring break, so I guess the whole week's a federal holiday. I don't know. I don't know. But I do want to say, what's up? If you are here for the first time, drop a hashtag first timer in chat. Hashtag first timer in chat. Definitely appreciate all y'all who show up today. And you know what the sad thing is? Threat actors don't take days off. Threat actors may celebrate Easter also, but they commit crime every day. So that's what we're dealing with right now. So if you are a first timer, drop it in chat and we will welcome you with a John McClane emote and a John McClane sound effect. That sounds a lot like this. That's right. I am dragging my butt a little bit today. Not like a dog or anything, but did have some, some unfortunate news over the weekend regarding one of my puppies. Sadly, we had to say goodbye to him, so, you know, hearts and prayers and such, but it was unfortunate, so we're, we're dealing with that here at the Buffer Osier Flow Stead as well. All right, guys, what do we got here? Uh, listen, one thing that you're not going to understand, or one thing that you may not know if you're new here, is that of the eight stories that we're gonna go through, I've researched and prepped for zero of them. Ain't nobody got time for that. That's right. So I don't know what's gonna happen. I don't know what the stories are. Sometimes there's a breaking story that the mod team will provide to get, to get start to get make sure that we cover it. But for the most part, I don't know what's coming. Now. This wild ride. Thanks, guys. I appreciate that. This wild ride that we're, we're about to take together. You know, there's, there's people out there in our industry who like what we're doing and want to support it. So I want to say shout out to the stream sponsors, starting with Antisyphon Training. Thank you. I'll show you a picture. 
I mean, if anyone cares, I'll wait till the Simply Cyber Mentor hotline or whatever, like people have been sending me names for the show. We're still sorting that out, but I'll show you a picture if anyone's interested later on. Hey, guys. Antisyphon Training is disrupting the traditional cyber security training industry by offering high quality, cutting edge education to everyone regardless of financial position. And Antisyphon Training is just exceeding expectations this week, starting today. There may still be time. I don't know. Sometimes they, they shut registration off early. Looks like you could still register right now. Yes, there is time. Say you had plans this week and then they got destroyed and now you've got some free time. John Strand, SOC Core Skills course authored by John, delivered by John, four days, 16 hours. Amazing course. I've taken John Strand's courses in the past. He is a gifted instructor. He's passionate for cyber security. And this is a great opportunity if you are looking to break in or you are a, you're a practitioner who just wants to, you know, refresh the basics. There's no shame in wanting to revisit the basics. Listen, if you're so down the, like, let me share a reality with you guys. Listen, by the way, this is another thing about this show that you should know. Like, I've got 20 plus years of experience. I'm very passionate about cyber security and I'm very passionate about helping people. So anytime I see an opportunity to go well beyond anything and give you insights that you wouldn't get in a textbook or a classroom, I'm going to do it. And this is one of them. It's a very, very, very common path in cyber security. So the chances of this being your path are very high. Okay. You start off as a generalist, right? And you're doing a bunch of different things, right? Maybe, maybe you're working in a SOC, right? So you're like, I'm not a generalist, I'm a SOC analyst. Yeah, yeah, you're a SOC analyst. 
But you're, you're looking at everything and you're escalating things that you don't understand, right? Maybe you're a pen tester or whatever. Like as you get to like year two, three of your career, you will start zeroing in on something so specific. Okay, maybe it's detection engineering. If you're in the SOC, maybe you're getting into detection engineering or you're getting into management or you're getting into, you know, reversing binaries. Like you start working on malware analysis, whatever. Then years, like 5, 7, 8, 9, whatever, you become like a hyper niched specialist in that area. Okay. Which is great. You're the guy, you're the lady. Oh, you know what, reach out to Jenny. She handles stuff like that. Perfect. But just because that's the case doesn't mean that you lose some of those fundamentals, right? You forget some of the things that you don't use. Right? It's just like any other muscle. If you're not using it, you don't, you lose it. So SOC Core Skills is great for new people to get educated. But don't sleep if you've been around for a minute, don't be so high and mighty that you can't refresh yourself. All right, so that's what's up. Go to antisyphontraining.com. I'll link it in the chat below. But if you're listening on Spotify or something, just go to antisyphontraining.com, click on Live training course calendar and you'll see it coming up today. I also want to say shout out to Flare. Flare. Big fan of Flare. I'm excited. Flare's actually partnering with Black Hills pretty soon. I got some news about that coming out tomorrow. What? Did I just say that? Yes, yes I did. So stay tuned for that. But let me tell you about Flare really quickly. God, my coffee is not enough coffee today. Flare. Cyber Threat Intelligence Platform. Flare does two things for you. One, they go on the dark web and they crawl and they pull all of the dark web data, Telegram channels of criminals, info stealer logs, leak sites, the works. 
Then they put it into their custom, you know, database, right? Like they're not unique database but like their special database and make an interface for you to interact with it, which is the power of Flare. So if you would like to be able to quickly see if your organization's users have been compromised. If you want to see if you're going to be a target. If you want to see if your domain is being spoofed right now or typo squatted, come check out Flare. You can go for two weeks right now. If you go to simplycyber.io/flare, simplycyber.io/flare, you can actually get a two week free trial. No strings attached, no shenanigans, no bull crap. It's literally just prove that you're not a criminal, which is what the step one is, which I'd like to think is pretty easy for everybody in this community to prove they're not a criminal, a current criminal. Some of us have jaded pasts, you know what I mean? But once you prove who you are, you get access to the platform. I promise you and I, and this isn't like ad money or sponsor dollars talking, like I literally promise you, you will see the value of this platform within a few hours of use. It is incredibly powerful. I'm a big fan of it. So simplycyber.io/flare. Also really quick, ThreatLocker, longtime sponsor of the show. They love what we're doing. They were the platinum, you know, Cadillac package sponsor for Simply CyberCon 2025. They're going to be coming back for 2026, my understanding. So appreciate all their support and what they're doing. Let's hear from ThreatLocker, then get ready. Dab your face. Absolutely melted. I want to give some love to the Daily Cyber Threat Brief sponsor, ThreatLocker. Do zero day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. Worldwide companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. 
ThreatLocker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com Daily Cyber. All right everybody. Sean sailors 17 months. Very nice. Thrills with Mariam. Yes, Thrills with Mariam says I'm confused. Did he say this counts as CPE? Yeah, I say it every episode. It's in the intro. Check it out. Like, let's peel it back. We have fun. I have sound effects. John McClane shows up from time to time, right? We have fun. I'm wearing a cool shirt. I got gel in my hair, I got weird pink lights back here. But you know what? I also am a qualified instructor. I'm a qualified cyber security practitioner. 20 plus years of experience, a boatload of degrees to go with it. So this qualifies as an instructor-led webinar, right? Because we're going through the top news. This is a threat brief for you and because it's an hour long show but only half of the show is like straight threat intelligence, the rest is goofing around, it's worth half a CPE. Make sure you check with your cyber security certification body for how you qualify, and some of them you can only use like 10 CPEs towards instructor-led webinars or whatever. I mean if you guys want, I, we can, we can flash this back. I could put on glasses, I could put on a, you know, a beige button down shirt with an ugly ass tie. I could change the background to a nondescript office space and then I could talk like this for 30 minutes about identity and access management. And it would still be an instructor-led webinar. It would just be the kind that your dad does and it would suck. So let's sit back, relax, let the cool sounds of the hot news wash over us and let's get into doing modern cool threat briefings. 
For details from the CISO series, it's cybersecurity headlines.
B
These are the cybersecurity headlines for Monday, April 6, 2026. I'm Steve Prentiss. 36 malicious npm packages exploited to deploy persistent implants. Researchers at security firm SafeDep have discovered 36 malicious packages in the npm registry disguised as Strapi CMS plugins, but which come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials and drop a persistent implant. They follow a naming convention starting with strapi-plugin and then phrases like cron, cron database or server to fool unsuspecting developers into downloading them. A report published by Group-IB in February revealed that software supply chain attacks have become, quote, the dominant force reshaping the global cyber threat landscape, end quote, with threat actors pursuing trusted vendors, open source software, SaaS platforms, browser extensions and managed service providers to gain inherited access to hundreds of downstream organizations.
A
Yeah, I mean we've been talking about supply chain attacks on open source software for a few years now, right? SolarWinds. Russia attacking SolarWinds, which is not open source software. So don't come at me, but like the supply chain attack has been a thing. Whether it's, you know, there's a couple of different ways to do it, but at the end of the day I feel like Log4j back in December of 2021 kind of unlocked the, not the fee like so Log4j wasn't a massive coordinated third party risk type attack thing, supply chain attack. It was just highlighting how baked in Log4j, which was like an Apache logging module, was in enterprise systems and people started freaking out. And I feel like that was the turning point where threat actors were like bruh, like supply chain. Open source is everywhere. We can contribute to open source, we can socially engineer into these things. We can steal credentials and get into actual developer accounts, which we just saw with the Axios npm. We can, we've seen instances where GitHub repositories are abandoned and then a threat actor takes on the, like basically resurrects that, that project and then starts doing that. So there are new, just like business email compromise. There are numerous ways to manifest the attack itself, but they are getting very high return on investment with these attacks. And what are they getting? Remember the people who are installing, the people who are installing npm packages is not the CEO of the company, right? It's not VIPs, it's not my aunt Dorothea, it's not Carl in accounting, it is developers. Developers typically, you know, developers are not, I, I, I'm being playful. So if there's any developers. 
I used to be a software engineer, so I feel like I can say this, but like developers, software engineers, they, they want to, they're special, they're special snowflakes, they got to be free like they want like, you know, the scene in Con Air where Nicolas Cage like lets his hair fly like this, this is, this is what I'm saying. Oh yeah, this is. Listen, right now this is what developers are in most enterprise environments. Okay, right here. Let me see. Come on. This is a developer on a Monday morning just walking in. I need. But, but if you take their access away, if you give them non-priv access they're like ah, the raging. Because you know you're, you're squashing innovation, you're crushing their, their, you're harshing their mellow. Right, that's what's up. So when threat actors get credentials of developers and they get malware to detonate under developers' permissions, they get a lot of access. They also get access to API keys because the developers all have the API keys because they're doing development and they're writing code that interfaces with other applications and systems. The whole CI/CD pipeline gets, gets potentially compromised. Right? Yeah. So the TLDR on this one is the npm packages which, by the way, npm has been getting absolutely curb stomped the last like six months. So this should not be news to your developers. Looks like if it starts with Strapi, that's a problem. Should be on the lookout for these things. There's malicious code embedded with the post install script which gets executed without requiring user interaction. So you never know it. Yep. So if you got a local Redis server, it installs a, a web, a PHP web shell and reverse shells to Strapi's public uploads directory. So the threat actor can do whatever they want. They steal your crypto wallets. I, I didn't even get started about the. Yeah, thank you Jesse Johnson. I didn't even get started on developers like the ones with the man buns. 
They're the ones who are running crypto wallets on their workstations as well. So that's. You're gonna get got there. Reverse shells 444. All right, so it's not good. All right, here's the deal. This is a multi faceted incident response kind of situation. 1. All right, hard-coded database creds and host names. If you can, you know, ask your developers not to, not to hard-code creds into their software, that would be good. Have them reach out and get them. You could send that list to your development team, that whole like. So I'm going to drop a link to this story in the chat right now. If you're listening on audio only, just, you know, Google 36 malicious npm packages, you'll get them. They all start with Strapi. If you have any of them installed, you should assume that you're compromised and rotate all your credentials. All your credentials. So if you were hoping to have an easy Monday because it's a federal holiday, you're not. You're not. You're gonna be grinding. In fact, you might as well thank your lucky stars that there's a lot of people who are not at work today, because the impact of you rotating on the creds is going to be lower. Unless you're like Netflix or something and then everybody's like, watching Netflix. Yep, this is a good one. I will say this is a, a good one for. This is a good one for, for people to study. It's, it's, it's rich in content. This story is rich in detail. This is a real attack with real impact. It's thought out. The threat actor has been very thoughtful about writing their payloads and getting into the open source software chain. So, yeah, it's a good one. I mean, it sucks. It sucks for us. But the final thing, you should take this with you. No matter what a threat actor, they're, they're like, they're like water, okay? Threat actors are like water. They're going to, to go like, you know how, like if you, you know, tip a, a jar, the water is going to find equilibrium. That's kind of what threat actors are. 
I don't know, my brain's a little foggy. Maybe, maybe this analogy doesn't hit. But, like, threat actors are going to find the easiest path in, or the one that has the highest chance of repeated success, and they're going to lean into it. Right now, supply chain attacks is working and they're going to do more of it. So educate your end users, educate your developers. s27y80, I didn't think it was a federal holiday either, but I'm being told by people that everyone's got Monday off except casually Joseph and me.
B
Hundreds of millions to be cut from CISA in proposed budget.
A
Yeah.
B
According to a summary released Friday, the president's fiscal 2027 budget threatens to slash CISA's budget by $77 million, although a separate budget document suggests a smaller cut of $361 million. The discrepancy is, quote, possibly due to the comparison points amid budget uncertainty for CISA's parent agency, the Department of Homeland Security. Prior to the current administration, the agency's budget had been $3 billion. It was noted by CyberScoop that the 2027 budget summary, quote, recycles identical language from the 2026 budget summary and makes references to ending programs that CISA has already shuttered. End quote.
A
All right, two things. One, I can confirm today is not a federal holiday, according to Gemini. I'm going to have to talk to my son and explain to him that he is incorrect. I just took it on face value, which made no sense to me. I'm like, why are we celebrating the Monday after Easter? Like, we don't celebrate the Monday after the Super Bowl. And if there was ever a day that United States, Americans, you know, America wanted a day off. Right. Okay, so CISA is getting budget cuts, not a political show. And if you're new, do we have any first timers here? I feel like I'm gonna. I'm gonna give a. I'm gonna. I'm gonna. I'm gonna dip my toe in this a little bit because I'm irritated, but I don't want to ruin this for any first timers. Is there any first timers here? All right. Trump budget proposal. Cut hundreds of millions from CISA. Yep. I mean, I don't know if you've been paying attention, but there's lots of programs that are looking to be cut. Health care, government aid. CISA. Gotta fund the war machine. All right, so, yeah, dude, here's the thing. CISA. CISA is the Cyber Security Infrastructure Security Agency. Is that right? I always. Cyber Security and Infrastructure Security Agency. Yes. Security is so hot that we got our name twice in the CISA title, bra. Okay. All right. The proposed budget would cut deeply into an agency that started at roughly 3 billion, and it would be substantially below that if Congress enacts the latest blueprint, slightly more than $2 billion in discretionary funding. I mean, okay, listen, I. I love CISA. I think CISA does great work. I mean, $2 billion, though, I. I don't know. Maybe I can't wrap my head around it, but $2 billion seems like a good budget. I mean, like, if you gave me $2 billion, I think I could make it work. The 2027 budget recycles identical language from the 26 budget. Okay, so they just open Google Docs, change the title. Okay, okay. It gets rid of things that have already been cut. 
All right, so, all right, here's what I'm getting from this. I love CISA. CISA does a lot. It, CISA manages the Known Exploited Vulnerabilities Catalog. CISA provides a lot of visibility into active threats. CISA is the one who notifies the federal government that they have X days to patch Citrix NetScaler vulnerabilities, etc. So definitely valuable. Cutting it sucks. They still have $2 billion, I feel that. And it sounds like what they're cutting are programs inside CISA that already have been shut down. So it sounds more like this is like housekeeping as far as like, kind of like asset inventory, right? Like let's, for example, right, let's say that you do a house budget. Like, who does that? But like, let's say you do like an annual house budget and you have, you, you allocate $1,000 for lawn mowing, and that's like maintenance on the lawnmower, gasoline, yard bags, et cetera. Thousand dollars. But you moved into an apartment building that has no lawn, right? Like the lawn doesn't happen anymore. You're just, you're just like, all right, we could take that off the budget because it doesn't matter anymore, right? So.
B
Hackers exploit React2Shell in automated credential theft campaign, BleepingComputer has reported.
A
Do we have a first timer here? Rylan Robinson. Welcome to the party, pal. Welcome to the party. Hey, Rylan, hope you have a good time.
B
Putting on a wave of exploitation of React2Shell in a large scale campaign to automatically steal credentials. According to its report, quote, at least 766 hosts across various cloud providers and geographies have been compromised to collect database and AWS credentials, SSH private keys, API keys, cloud tokens and environment secrets, end quote. This operation uses a framework named Nexus Listener and sends automated scripts to extract and exfil sensitive data from various applications. Cisco Talos is attributing the campaign to a threat group named UAT-10608. Fortinet.
A
Pat. All right, you can see what the story is here. One second, I just gotta, I, I just gotta do this one thing. He's not replying. Hold on, I'm, I'm trying to get Jesse Johnson's attention here and he's ignoring me. That's a question. It's a question. Okay, so listen, you can see the story here. If you're running vulnerable Next.js apps, you may be vulnerable to React2Shell. Now, I'm not going to spend much more time than this. A threat actor has automated basically credential harvesting. All right? Cisco Talos is reporting this. Cisco Talos is a great threat intelligence group. Okay? I love myself some Cisco Talos. One of my favorite people, Joe Marshall, is at Cisco Talos. Like, quick shout out to Joe Marshall. Not Joe Marshall, the 2017, 2018 men's basketball starting point guard at Shippensburg University. No, not him. Let's do this. This, this is my friend. I love this guy. Come on. Give me a picture of Joe Marshall. Computer. There he is. This guy right here. Okay, you want to talk? You want to talk? Someone who's passionate about helping people. This guy lives Simply Cyber core values. Also, he's like a wicked awesome. Not only a wicked awesome person, he's a wicked awesome OT/ICS person. And I think he's quite the banjo player if I'm not mistaken. He's definitely an instrument player. Okay, so Cisco Talos is putting it out there. Here's what I want to tell you guys, okay? Like I said, I like to go down the path. You can, you know, this is a well documented story. You can look this story up and see if you're impacted. What I want to spend two minutes on is helping you with this CVE-2025-55182. This has been around since 2025, right? This was a 10.0 critical vulnerability. This is being exploited actively by China. All right? Not that it matters, right? We're not xenophobic here. It's not like, oh, it's China. You better like increase like shields up. Like it could be. Dude, it could be the Mooninites exploiting this. I don't care. 
It's being exploited in the wild by nation state threat actors. Number two. Number three, React2Shell was a really, really well known React2Shell. John Hammond, right? John Hammond did a v. You know. Hold on, not this one. John Hammond did a video on React2Shell three months ago. Three months ago. Three months ago. All right, so here's. Here's what I'm trying to tell you. If you are looking for an opportunity, and maybe this isn't you, but like use this as a way. Vulnerability management is tough, okay? This. Let me just break this down. Vulnerability management is tough, okay? And what ends up happening is we as infosec people say, hey man, like we've got a big problem. You got to patch it. Ah, you gotta patch it. And we can't patch it though, right? Like just spoiler alert. We cannot touch the systems. We can't. Unless it's like the firewall or like Security Onion. It's like a security tool. We can't touch it. The application owner has to touch it. The IT people who support the application owner have to touch it. And if it's an enterprise mission critical application, like a hospital's EHR system or a manufacturing company's ERP solution, you definitely don't touch that. You break that thing, you might as well go get your freaking resume dusted up because you're going to get fired. All right, so having said all that, what ends up happening is you get a bug or vulnerability like this React2Shell that is being actively exp. Well, it's like a known issue and people were exploiting it back in 2025 and it was important to get on top of it. But if you get, oh, hey, like, we'll get to it when we get to it, right? This story right here is a perfect case study that you should flag and file away for f around and find out. Remember this. A vulnerability is a vulnerability is a vulnerability, period, end of, end of story. It's a vulnerability, right, done. Now, if it's being exploited yet, yes or no, it's a temporal thing. So if, like right now, if, like who he. 
What's it to? Shell came out today and we were vulnerable to it today. That doesn't mean we're exploited today. But every day that passes is one more day that a threat actor has an opportunity to develop a weapon or an exploitation tool in order to achieve exploitation of that vulnerability. So every day that passes, you are increasing your risk exposure because your attack surface isn't changing, which is why you want to patch. Because then you reduce your attack surface. You get what I'm saying? This React2Shell. We have had the answer for months. The answer to solve this problem for months has existed. So anyone, the 766 providers who got got by this React2Shell automated credential harvesting. Listen, my heart goes out to you, but at the same time, my guy, the. You've had the friggin. You've had the keys to the. Or the answers to the test the entire time. Like this is. You know what this is? Okay, like really quickly, final analogy. And then I'm gonna go on. And this isn't going to resonate with Kimberly in Miami because she's. She doesn't know what cold is. But for the mo. For a lot of us, okay, this is the equivalent of knowing that you have pipes or outdoor faucets on your house exposed and it's summertime and you're like, what's the big deal? What's the big deal? And then you get into the fall and you're like, I probably should do something about it. Then you get into the winter, a blizzard hits, your pipes freeze, your pipes burst, you got water all in your walls. And it's all because you didn't. You didn't insulate the outside pipes of your house, which you had the answers to the test for the entire time. That's what this is. And honestly, it bothers me because you see this time and time again. And in our industry, we work so frigging hard to stay on the edge of these things, to help our businesses stay secure. And then you get this and it's like, what am I doing here? By the way? 
This is why vulnerability management analysts typically are the most apathetic people in, in our industry. And I say that with love. I was a vulnerability management analyst. It's, it's just, it's, it's, it's apathy central. Yes. In short, being lazy is bad. It's a job. It's a hard job. What we do is hard. What we do is relentless. Cyber security is not for everybody because it's incredibly demanding day in, day out, day in, day out. It is what it is. My guy. All right, thank you for coming to my fun. That wasn't really a TED talk, that was more like a Mr. Rogers gather round.
B
Just actively exploited vulnerability in FortiClient EMS. Fortinet has released out of band patches for this flaw, which has a CVSS score of 9.1 and which has been described as a pre-authentication API access bypass leading to a privilege escalation. The issue affects FortiClient EMS versions 7.4.5 through 7.4.6. It is expected to be fully patched in the upcoming version 7.4.7, although the company has released a hotfix to address it in the meantime. Successful exploitation of the flaw could allow an unauthenticated attacker to sidestep API authentication and authorization protections and execute malicious code or commands via crafted requests.
A
Do they say hotfix? You know what else is hot? That Hansel's so hot right now. Oh, yeah. Hotfixes are so hot right now. I do want the community to know. I spent a. I spent a few days with Bilbo, the real Bilbo, and I don't even know if he's in chat. He's a left coast guy, but real Bilbo and I spent time together at RSA. I got the inside scoop. Real Bilbo is the most Fortinet sycophant there is, but he switched roles recently and he's, he's coming around to like, exploring other tech stacks, not just Fortinet. It's probably not fair that I'm, I'm bringing this up while he's not actively in chat, but. Ah, what are you gonna do? All right, so listen. Fortinet patches actively exploited vulnerability. Fortinet must have like an entire team that are just actively patching vulnerabilities. They're constantly getting ramroded. Dude, it's like Coach Z from Homestar Runner. It's like, nice job, nice patch. Listen, Fortinet releasing out of band patches. If you see the term out of band patches, that should make your butt pucker, because there are patch cycles and if it's, if it's bad enough, they will do an out of band patch cycle, which is, you know, there's a communication element, there's a burden element to it. You don't do out of band patches just because you're feeling frosty. You do out of band patches because it's bad. Okay, so out of band. You definitely want to get on top of this. It impacts the FortiClient EMS, which I guess. What does this stand for? Enterprise Management System. Let's see. So many acronyms. All right, hold on. What is EMS? Okay. Endpoint Management Server. Okay. All right, so their Endpoint Management Server, which is not good, right? Yeah, Micah Romine knows what's up. Esco07, I'll show you in a second. I'm assuming you're younger. So Homestar Runner was like the original, like one of the original like Internet vibes. I guess that was on. What was that technology Adobe had? ActionScript, was it? 
All right, listen, Endpoint Management is serious. We use things like SCCM or what, what's the other one there? Basically, in any organization of any size, you're going to have a centralized management console for IT people to manage endpoints. It would be ridiculous, ridiculous to expect an engineer to walk and touch every single computer in your business. So in order to do mass patching, jump into a machine to help an end user rotate creds, whatever, you have to have centralized management. Fortinet or FortiClient EMS, my understanding is, has got to be like that solution. As an example, now there is a pre-authentication API bypass that leads to privilege escalation, which by the way is weird right away because it's pre-authentication and privilege escalation. So I don't really understand like what are you escalating if you don't log in? I'm sure it makes sense. An unauthenticated attacker can execute unauthorized code or commands via crafted requests. All right, I hate to be a pecker head here, but I'm going to. My throat hurts. So my irritable factor is elevated to, you know, two factors. It's. It says, it's described as a pre-auth API access bypass, which I'm totally cool with. I am on board all the way up to that. Leading to privilege escalation. That is where I'm not cool. This should say leading to remote code execution, in my opinion. Again, I don't research or prep these stories, but check it out. Pre-auth API, you're not authenticating. There's no login. My guy, you're not logging in. You're bypassing the login. Instead of going, listen, this is the equivalent. Like instead of walking into the lobby of the business and swiping your badge and then entering the elevators and going upstairs. This is just like using a Red Bull wingsuit, jumping out of a hot air balloon and coasting into a window on the top floor. That's it. You're bypassing authentication. There's no privilege escalation. 
You might be able to execute privileged commands, but you can also execute non privileged commands. It's a. It's an auth bypass. All right? Even this thing says you can execute unauthorized code or commands. That's remote code execution, dude. All right, all right. Zero day exploitation of this one earlier this week in one of their honeypots. This is a great use of honeypots. So let me tell you two things. Number one. Well, let me tell you three things. I'm gonna. First, I'm gonna look this up. Whoops. We'll go to EPSS lookup. This is Barricade Cyber's EPSS tool. Very low chance of getting exploited in the next 30 days. Three hundredths of 1% chance. So. I don't know, man. It's conflicting, right? They don't typically do out of band patches, but the chances of you getting hit aren't very high. So maybe you don't spend your political capital getting this one through. The second thing I want to tell you is that they're using honeypots. Oh, Gene Devonish, new audience member. Welcome to the party, pal. Gene Devonish. Thanks, Cheddar Bob. Honeypots are an awesome way to test for active exploitation of vulnerabilities. It's also, if you put a honeypot inside your network, a very, very high fidelity alert of compromise.
B
Huge thanks to our sponsor, Vanta. Risk and regulation is ramping up and customers expect proof of security just to do business. Vanta's automation brings compliance, risk and customer trust together on one AI powered platform. So whether you are prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure and keeps your deals moving. Learn more at vanta.com/CISO. That is V A N T A dot com slash CISO.
A
All right, everybody, welcome to the party. I want to say thank you all for being here today. We're a couple minutes over, but you know what? We're having a good time. That's what the point of the show is. We're mixing business with pleasure. This is the mullet of cyber threat briefs. Shout out to ThreatLocker, Antisyphon and Flare for kicking it. Appreciate you guys. Guys. Every single day of the week has a special segment. And Mondays is Simply Cyber Community Member of the Week. I have the genuine pleasure to recognize one of the Simply Cyber Community members. Call them out, just celebrate them. And ThreatLocker sponsors this segment itself, the Simply Cyber Community Member of the Week. Which means this is what it means to be sponsored by ThreatLocker. I get to give the Community Member of the Week a hundred dollar Amazon gift card and it feels delightful every single time I do it. Thank you all for being here. Hashtag Team SC. This week's Simply Cyber Community Member of the Week. She has received the Simply Cyber Community Member of the Week award once before. But I wanted to bring it back because she's been just straight crushing it. Ladies and gentlemen, Shimiria Gonzalez. Listen, she's been actively working in the women's channel on Simply Cyber's Discord server. We're going to start getting more female representation on the Jawjacking panels. She stood up the Houston local Simply Cyber Community chapter. She's been actively helping people in the Discord server. This woman's awesome, big fan of Shimeria. She even, she even texted me and told me how to pronounce her name correctly because I was doing that wrong. So shout out to Shamira Gonzalez for being an awesome Simply Cyber Community member. And I genuinely appreciate you. So please connect with me, Shimaria, to get your Amazon gift card or, or your Simply Cyber merch. But we've been doing the gift card for a while now and it seems to be working. 
All right, guys, let's get our la la la on you. All right, for all those who are maybe getting deployed or whatever. For those who can't make it, let's get our lalas. All right, let's finish strong, everybody. I forget who asked about the cp Strayman. Stray, Miriam. Hopefully you're getting value from the show.
B
CERT-EU Cyber Agency Attributes European Commission Data Breach to Team PCP. Following up on two stories we brought you in the past couple of weeks, the European Union's cybersecurity agency CERT-EU announced on Thursday that the hacking group Team PCP conducted the massive data breach at the European Commission. The hackers did so by breaking into the Commission's AWS account. It stole about 92 gigabytes of compressed data. The hack relied on the misuse of a secret Amazon API key and involved the Commission's Europa.eu platform, which lives on AWS cloud infrastructure and is used by EU states to host websites belonging to bloc entities, end quote. It was ShinyHunters that then accessed the stolen data.
A
Yeah, it says they broke in, but like guys, I know that this is becoming like more and more or whatever. I think I made a LinkedIn post recently. Threat actors aren't hacking in, they're logging in. Like 1995 Jonny Lee Miller would be so disappointed that there's no zero day next level hack source. It's all like steal creds, log in. And you know, honestly, like I said before, threat act, threat actors aren't going to change their. If it's working, they're gonna keep doing it. It's as simple as that. That's why, that's why we have threat briefings. That's why I sit up here every Monday through Friday and yell into this microphone about best practices. If you do the things, the threat actors will have to change or they'll have to give up. All right, so misuse of API keys, let's see. All right, so cyber officials at the Commission. So by the way, like you could just do this for your own AWS, your own AWS infrastructure, but you can set detections and they got warned there was potential misuse of APIs, potential account compromise. By the way, when you get these notifications, I will say maybe I'm just grizzled at this point, but like when I get these notifications, my stomach doesn't drop immediately. It used to. But like when you get these kind of notes, it's. You're like, oh God. Oh. Which by the way is why you should practice what to do. I don't know, maybe we should invent a term for it. Let's call it tabletop exercises. You should practice. What would happen if you got these notifications? Where do you go? Who. Who knows what. Who do you contact? All right, let's see. All right, this all goes back to the Trivy compromise, which again, supply chain attack. This was an open source. What? I'm not printing anything. Open source vulnerability scanner. Yep, this Team PCP is partnering with the. Who did they say? Scattered Spider, ShinyHunters, Lapsus$ group, whoever, they're all working together. So not good. 
I don't know if this data is going to have any like downstream impact, but. Right. Sean Sailor says funny thing is no one knows anything about anything. That's right. Yeah. So anyways, all I would say is this was a very real attack on AWS. So make sure that you have all the best practices, educate your end users on best practice, educate your developers on best practices. Have detections in place, alerts in place in your AWS infrastructure. Manage management rights. Right. Don't allow like you should. Here's the thing, like AWS or, or Azure, whatever you're doing, just like your on prem infrastructure, you shouldn't give everybody domain admin. How about you don't give everybody like ultra privileged rights in AWS? I know it results in fewer phone calls to the help desk. Fewer. Less complaining. Sorry, less complaining from the developers. But this is what happens. Are you willing to have less complaining from the developers for a month in order to deal with a week of absolutely being hosed by a threat actor? I don't think it's worth it.
B
Emergency communications system suffers a cyber attack. No, not Massachusetts Specific communication system is used by several small towns across northern Massachusetts. The Patriot Regional Emergency Communication center said quote, the intrusion impacted town and public safety computer Systems. End quote. 911 phone systems still works, but non emergency and business phone lines are out of service. The towns affected, Pepperell, Ashby, Dunstable, Groton and some others serve as a regional hub for receiving emergency calls and dispatching police, fire or medical services. No further details about the hack or the group behind it have yet been released.
A
All right, all right, all right. So a little, for those who don't know, I'm from Massachusetts. Okay. I mean I, I live this low country life now because I'm soft and I like warmth and I hate snow. But this isn't good. So they do say 911 systems are still working. Of course most I, I, I listen, I've never rolled out a 911 emergency system, but for the most part, anytime there's a local municipality compromise, the 911 fire, police, emergency vehicles, that's never compromised. I would assume that it's on a separate system. No big deal. Now one thing that everybody should be mindful of, rural, rural towns, they often have very limited services, right? Like you see this in healthcare a lot. Like there might be one rural hospital within 45 miles of like, you know, a rural community. And guess what? It's great. You own 50 acres of land and your property's worth like $75,000 and you're living your best life because you, you know, you got land, you got privacy, and it doesn't cost a lot of money. But at the same time, you know, it's a four hour drive to Costco, right, or whatever, you know, three hours to a grocery store. So in these regions, these rural areas, they rely on, you know, basically community as well as emergency systems like this. So this one's kind of screwed. There's not much to say here, right? Like, I'm sure they'll get it back up and running. Unfortunately, I will say that you got to remember local municipality, state, local municipality, that is government. They're non profit entities, right? If they were for profit entities, your taxes would be ridiculous and you'd be complaining. So they're asked to do more with less. And unfortunately, they don't typically have dedicated cyber people. And it's like one IT lady who's like, basically looks like SpongeBob SquarePants where he's like doing eight things at once with his arms. That's what's going on in these local municipalities also. Only because it's Massachusetts. 
And they, they mentioned some of these towns. Dude, I went to school at UMass Amherst, which is in western Mass. Very like farm country. UMass itself is like an, an aberration. It's like a city in the middle of nowhere in the Pioneer Valley. But these towns in northwest Mass like Pepperell, Ashby, Dunstable, Groton, we got North Adams, we got Belchertown, we got Pittsfield up in there, Athol, you know, like this is like, it just, so many of them, like the, the, the, the, the opportunity for Massachusetts accents is like out of control there. I'm just, and just give, just get a couple more really quickly. We got Williamstown, North Adams, Adams, Clarksburg, Florida, Monroe, Rowe, Heath, Colrain, Leyden, Boston, Northfield, Charlemont, Buckland, Shelburne. Okay.
B
Hims & Hers suffers Zendesk related breach. Hims & Hers is an American telehealth company specializing in the direct to consumer healthcare space providing subscription based treatments for hair loss, ED, mental health, skin care, weight loss and other conditions or needs. BleepingComputer was told that the threat actors used the Okta SSO account to access the Hims & Hers Zendesk instance where they stole millions of support tickets in early February of this year. The information exposed, quote, may include names, contact information and other unspecified data likely related to the support request submitted in each case. But the company underlined that no medical records or doctor communications were compromised.
A
All right, so like it might seem, it might seem that this is like not a big deal. Because medical records weren't, weren't compromised. But you know, Hims & Hers. I think this is targeting, this is like modern health care, right? So like ED for men, hair loss for women, weight loss, skin care, right. Like everybody wants to get an Ozempic shot nowadays, right? Like the cheat code for health. So yeah, it's a billion dollar enterprise and they got hacked. Now it says Zendesk, which is typically your support system, right? Customers, customers call in and say, you know, I got a problem. All I would imagine is this is going to result in. Hold on one second. So this actually looks like it's not even a problem with Hims & Hers. This seems like it's a problem with Zendesk where the Okta single sign on account. Yeah, it's not clear to me what, you know. So single, Okta single sign on accounts, right? Like it's like you log in once and then you have like a token that allows you to get access to other things. I don't know which Okta single sign. Like I don't know who the federated authentication was. Like who was the actual authentication server. So like listen, when you have like, like when you log into a, when you log into like a website and there's like a click here to use your Google creds or click here to use your Facebook creds or click here to use your Amazon creds to log in. Instead of like the user account there's like this identity provider and then I think it's called service provider but it's basically the authentication backend and the identity is like the identity that you're going to use on the website and then the authentication service provider is the backend, the Google, the Facebook, the Amazon or whatever and they partner that. That is called federated authentication. And with single sign on that's a user experience where you don't have to authenticate repeatedly. 
You just authenticate once, single sign on as the name suggests, and then you can kind of motor through with like. It's basically like proving who you are at will call when you get your ticket and then you get the all access badge around your neck with the red lanyard and then you just walk around the concert. You're like all access, all access, all access. That's what single sign on is. So someone got the single sign on, compromised it and then they were able to walk into third party cloud storage services like Zendesk and be like all access, all access. And then they dumped all the support tickets. Again, I think that the real impact here is less to Hims & Hers, the telehealth company, I think it's much more around the customers of Hims & Hers being phished by like, like they're gonna know, like, okay, like, you called in about your, your, your weight. So we're gonna message you and say that like, you know, you're, you've been like shortlisted for a new drug, but it costs a thousand dollars to get on the, the list. Do you want to do it? It's basically preying on people's vulnerabilities, which is gross. Okay.
B
Engineer admits to locking thousands of Windows devices in extortion plot.
A
Oh, it's been a minute.
B
According to court documents, 57 year old Daniel Ryan Rhyne from Kansas City, Missouri has pleaded guilty to locking Windows admins out of 254 servers as part of a failed extortion plot that targeted his employer, an industrial company headquartered in Somerset County, New Jersey. He did so by remotely accessing the company's network without authorization using an administrator account. He allegedly scheduled tasks on the company's Windows domain controller to delete network admin accounts and to change the passwords for 13 domain admin accounts and 301 domain user accounts, end quote. Which had a cascading effect on the servers of his employer's network. He also scheduled some tasks to shut down random servers and workstations on the network over multiple days. And this all occurred in November and December 2023. He sent emails that threatened to shut down 40 random servers daily over the next 10 days unless the company paid a ransom of 20 bitcoin, which was worth about $750,000 at the time. The hacking and extortion charges to which he pleaded guilty carry a maximum penalty of 15 years in prison.
A
This guy is such a, like a dork. Not a dork. Like such a dumbass. All right, so this guy, listen, if you thought of. Hey, you know what? Like, I'm just gonna, like, all these threat actors are getting paid. I'm gonna go ahead and do it myself. Who knows better than me? I'm gonna change the domain admin's password to the Frozen crew, which is hilarious because you can't see the password. So number two, I'm going to delete network admin accounts. Then he randomly encrypts like 40 machines or he randomly screws with 40 machines. He demands 20 Bitcoin. Dude, I have never seen a, I've never seen a, like a, a part time bush league cyber hacker attacker. Threat actor. Like pretend he's wearing like a Spirit Halloween threat actor costume. Okay. I've never seen these people be successful. I don't know where he did this attack from. Probably logged in as himself. The victim. Network administrators discovered that all Victim-1 domain admin accounts were deleted. I mean it definitely looks like, it definitely looks like a threat actor attack, but forensics investigators found that, one second, so on or about November 25, the attack started happening. So this guy used what's called a logic bomb. You may have heard the logic bomb term on your CISSP or Security+, that's what's up. Logic bomb. Okay. For some reason they had forensic investigators in there on November 22. So three days before it went ham, they had people in there. So I don't know why they had a three day head start. But then it says he used a hidden VM in his, in his account to search the web for information on clearing logs, changing domain. Yeah, and this right here is why. This guy is terrible at cybercrime. Like, like, you know, at the, at criminal con 2026, flaming donkey's gonna be like hilarious like, dude, you can't search from a work computer. Which is essentially what he did. He created a VM, called it hidden. Good luck with that. And then searched for how to commit his crimes. One week earlier. 
Okay, so here's the deal. This is insider threat all day, every day. He's 57 years old. He was trying to get his, you know, basically his retirement covered. And he's going to potentially go to jail for 15 years, which would bring him out at 72. His skills are probably not going to be employable at 72. So I hope his backup plan for retirement is in place. So anyways, TLDR insider threats, a real thing. You got to be careful about that. If you wanted to. See, the thing is, you can't search on people like you can't, unless you're doing TLS decryption, you're not going to be able to see an end user in your environment's Google searches when they're searching for command line to remotely change local admin password, you're just not. Yeah, he could have found out he was getting laid off. His contract could have been coming to an end. He could have had numerous things. He could have been realizing that AI was going to eliminate him. He could have learned that he didn't have a retirement plan. He. Or shoot, he could have. He could have liquidated his house and his retirement, not told his family, and bet it all on Polymarket that Artemis II wasn't gonna work. Or you know what I mean, like, who knows what this guy's doing? I know what he's. I know what he's not doing. Getting away with it. Oh, Regulators. Mount up, bro. Don't be shy. All right, guys. We did it. We did the thing. We wrapped it. It's been an hour. Happy Monday, guys. It's been Monday, April 6, 2026. This was episode 1100 and something. I definitely had a great time. My throat feels better, surprisingly, even though I've been talking all day. Sorry, I cussed a little bit. There was a Massachusetts story. When I get close to Massachusetts, I start swearing more. If you know me personally, you know this is a fact. Also, this is a family friendly show, so I do try to do exactly. I try to make it friendly accessible, or family accessible. Stick around. 
I'll be here to answer your questions with Cyber Mentor Hotline. Maybe we'll go with that. I don't know. Either way. I'm Jerry from Simply Cyber. Shimeria Gonzalez is in the chat. Shamira, if you missed it, you were the Simply Cyber community member of the week. So I'll connect with you in dms. I'm Jerry from Simply Cyber. Thank you so very much. If you had a great time, stick around. If you didn't, before you leave, please drop a comment on a constructive comment on why you didn't have a good time. I'm always up for professional development. Until next time, stay secure. Again, don't go anywhere. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered and totally free. Let's level up together. It's time for some jawjacking. What's up, everybody? I'm your host, Jerry Guy. This is Cyber Mentor hotline. That's right, 30 minutes. You call in with your questions and I'll give you answers. It's very simple. Drop a queue in front of it if you want. Just for the sake of the community. Since this is a little bit more relaxed, I do want to say I, Nadine and I, Mrs. Ozier and I had. It was a horrible. It was just a bad, bad situation. Late Friday night, about 10pm I don't want to get into the details, but I do want to say shout out and love. I'm probably gonna start crying if I spend more than a minute on this. This is my dog, Ripley. Ripley passed on Friday night. Really tough. But we loved him. He was good. He was great. He was great. He was a great dog. All right, let's do some jawjacking. If you got questions, put them in chat. We are ready for you. Space Tacos did not have a good time because her job's keeping her from partying. I like it. Goat Cinchio says all his. All the east coast friends swear like sailors. Yeah, Wicked. Crazy. Thank you, Shimiria. Yes, wicked is definitely a thing I do. Thanks, guys. I appreciate it. 
I'll let Nadine know, too. So first question is reek 1592 says, is the CompTIA Sec A? Oh, my gosh, bro. Is the CompTIA SecAI worth it? Hold on. Where's that question? Here it is. So listen, I have not studied this yet, so I don't know. Here. Let's just take a look at it together, okay? And I'll render an opinion based on just what I'm seeing. You gotta remember, like, CompTIA is definitely, like, doing a, a, a, a race to get that money, right? All right, so. So this is designed to help you secure, govern and integrate AI, AI concepts, AI systems, leverage AI to work, automate, navigate GRC, fr. All right. You know what I mean? It doesn't look bad. It doesn't look bad. There's nothing really else out there that I have seen, reek. The two things I would say, one, it does look like it's covering the things you would want to do with AI. There are a lot of tools out there, but like, ChatGPT and Claude kind of reign supreme. So this is definitely AI tool agnostic. It would be worth learning more about it. Take it easy, Jesse. But the one thing I would say about this cert and every. Every cert out there, reek, is that, you know, are people in the market asking for it, right? Are you a. If you spend the money and the time on this, are you willing to. Like, is. Is anyone willing to pay you because you have it, right? I mean, that's the whole point of getting it, isn't it? So I would. I would ask that question. I might. I'm taking a couple weeks off. Like, for me, quote, unquote, off at the end of April. So I was gonna do the Anthropic AI courses and I was going to do. Or the two things I was gonna do. Shoot, I forget the other thing. Honestly. But maybe I'll work this in. It depends. How much does this cost? I'm not like, super geeked up to spend 300 bucks, all right? I don't know about that. I. I don't. I don't wanna. I don't wanna. I don't wanna spend 300. If anyone at CompTIA wants to give me a voucher, I'll take it. But then I'm going to tell you what I think about it. 
So. Caution. Alrighty. Good question. Nick Dixon. Jerry, you did a great interview with AJ Yawn a while back about GRC Engineering. Is there a way to. Oh yeah, GRC engineering. I was going to take the anecdotes training for GRC Engineering. Thank you. Is there a way to carry out those principles for a small mid sized business not using Cloud? Yeah, I mean if you could write some scripts that can interface with Active Directory. I'm assuming this can be done with PowerShell, right? If you could write some scripts that can interface with Active Directory and pull like, you know, things like how many endpoints are checking into the domain? How many endpoints are like, you know, password. Reese, like when was the last time passwords are reset? Are there any outliers? Are there any accounts that don't have MFA enabled? How many domain admin accounts are there? Remember guys, basic, let me, let me just define something, okay? All. All GRC Engineering, in my opinion, okay, all GRC engineering is. I'm slightly simplifying this, but all GRC engineering is. Is the same thing you did as a GRC analyst, except you're writing code to be able to do the thing you were doing as an analyst faster and with. With greater visibility. Right? Because it used to be if you were going to audit something, say there's a thousand endpoints in the environment you're going to audit patch management, right? You might sample 10 random endpoints out of that environment and that's your sample set. And depending on how those 10 perform, it represents the overall set. So like let's say one of the endpoints isn't patched. Well, then you would say, oh, there's 10 endpoints in the entire infrastructure that are not patched. Or a hundred because 10% weren't patched. GRC Engineering can say we looked at all 1000 today and 37 aren't patched. Right? So that's what GRC Engineering is. So yes, Nick, I would say, I'm assuming you have Active Directory, right? You said not using cloud. 
If you're not using some centralized management thing like Active Directory, then probably not. But look into PowerShell shim area. Sending love. Thank you Triton. Sending love on the My puppy Ross the boss. Thank you. QDG0891 thanks guys. GRC Guardrail Slay Killer. Slay Killer said they took the SEC AI, it was okay. Shimiri's got the same shirt on. Definitely a sick shirt. I wear it as often as I can. If you got questions, drop them in chat. Silence Pod. Any advice on how to create decision scoring system? Ooh, decision scoring system. I mean, I always like game theory. Silence Poet. Personally, like, I mean, it's pretty simple, but like, you know, pros and cons, right? If, and, and the thing is, if you're going to do pros and cons, you have to be objective. It's very easy to be biased and like, like kind of like influence the choice that you actually want. So if your choices are quit your job and start your own business or stay at your current job, you know, what are the pros, what are the cons? And then kind of like list them out and then if you want to give them a score, you can. I, you know, besides that, I mean, I've never really used a decision scoring system. I, for me, in my decision scoring, I guess I typically try to think thoughtfully on a decision before I make it. One thing that I'm very guilty of. Oh, Cyber Risk. Which, thank you very much, I appreciate it. One thing that I'm very guilty of is I typically take a lot of time to make a big decision because I really want to think through it. But then when I make it, I make it and I, I, I lean into it, right? So like for example, quitting my job to go full time on my own business, you know, that was like a couple years in the making because I wanted to make sure financially I was stable. I want to make sure my annual monthly recurring revenue was enough to support my house, my, my family. Before we got married, my wife and I, like, I wanted to like, live together for a year. 
I feel like if you can't live together for a year, you're, you know, you could, you could love each other all you want, but if you can't live together, that's going to be a problem long term, right? So things like that. Question from Rados: Technical cyber experts can demonstrate their experience by showing their CVEs, GitHub projects. What can GRC experts do to demonstrate their skills to potential employers? Good question. Well, two things. One, I got a video for that. Give me a second. Here we go. Look at this. Who has that? Rados. So this video, want to stand out with Cyber GRC Labs. This is portfolio right here. This is the whole video I made on this. I'll go ahead and drop a link to it at Rad. I don't get it. When I try to type in someone's name it doesn't auto pop like they're no longer in chat. Like I. It takes a second to get to people's questions. There's the GRC portfolio, Rados. If you're in chat, still say what's up? And then I'll spend a minute talking about this but otherwise I'll assume that you have left the chat. Straw Hat Sec says I'm working on this target on HackerOne. I find their admin login portal and IAM portal but it's from Okta. Target uses Okta. Working on these domains, will they be in target scope? I don't think so. I, I don't know about that. Straw Hat Sec, I would be very very careful. For me I can't answer that question, Straw Hat Sec, but what I would do is, because Okta, Duo, these federated authentication platforms exist, I would be stunned if HackerOne doesn't have guidance on how to handle this particular situation. I think attacking their identity and access management portal, assuming it's in scope from their terms, would be fine. Attacking Okta would not be fine in my opinion. But I would check HackerOne's terms. What's your thoughts about managed SOC solution? Managed SOC, if, if you're talking about MDR, managed detection and response, like companies like Expel, Arctic Wolf, you know, etc., like MSSP solutions, they're great. It's. 
Dude, there's a brick. There's a big chasm between having an outsourced SOC and having an in house SOC and it's straight cash, homie. Straight cash, homie. I've. I've been, I've built a cyber program for a 750 million dollar manufacturing company. Annual revenue 750 million. And they needed, we needed SecOps and there was no way they were going to hire like 3, 4, 5 employees and pay for a tech stack. It's so much cheaper to spend. I think we spent like $220,000 a year on a Managed Detection and Response 24/7 solution. So yeah, managed SOC is wonderful until you're like a Fortune 500 company and you're going to have an in house SOC. I just found out AJ Yawn the other day and it's Grz. Wait a minute. What does this. Hey Harish, is GRC Engineering that will be losing to AI? No, I don't think so. I think if anything GRC Engineering will leverage AI to be more effective. But yeah, GRC Engineering is the, is the future. It's the way. If you're into GRC, you should definitely get familiar with GRC engineering. It's going to be a key differentiator. Is the CISA worth it? CISA, which is the ISACA Certified Information Systems Auditor cert. I just got a master's in. Is Smiling Cello. Absolutely. CISA is absolutely worth it. I'm going to bring it up right now. I had CISA. I let it expire. I only say that so you think I'm not just blowing smoke out my butt. Here we go. This is the CISA. In the world of GRC, CISA is highly respected and it basically means you're. You're good to go. Audit stuff. So definitely get it. What's your verdict on OpenClaw in the secure environment you were setting up? Was it worth it? So, Ray, wow. I will tell you. I. I found OpenClaw to be more hype than. Than practical. It was a lot of sizzle, not a lot of steak. I. I did have mine incredibly hardened, which was great. There's some skills that I never installed that a lot of people install. But it was too risky for me. At RSA. 
I spoke to DJ Sampath, who's like VP of AI Platform and Software at Cisco, and they released at RSA something called Defense Claw, which is like, it's like an entire security suite for OpenClaw that basically will look at skills before it installs them. It'll do all sorts of sanity checks and stuff. In the two-week window when I'm not, when I'm taking some time off, and by taking time off, I'm just doing some housekeeping internally of my business, I plan on installing Defense Claw and letting you know. So as it currently stands, I would, I, listen, given the choice, if I had one tool, I would use Claude Cowork. That's what I would use. OpenClaw is cute, but I found it to be, you know, a lot of sizzle. The cool thing about OpenClaw is that you can talk to it through Telegram.

What was the biggest cybersecurity story of the week last week? I was on vacation. Oh, without question. Cyber Risk. Which Axios? npm Axios. Let's see. So this is John Hammond, of course. So Cyber Risk. Rich, go check this story out. npm Axios hack. This is like one of those hacks that's like very wide-reaching impact. So that's what's up.

What project would you recommend to do first? To do my first infosec analyst roller garbage. Are you saying you have the job already, and what's the first thing you should do at work? Or are you saying you want to be an analyst and what should you do? I guess I'll answer both. If you're at work, one of the first things you should do, well, two things you should do. Number one, you should ask your boss what's their biggest pain point, so then you could start working on that and be an absolute rock star. Number two, you need to assess the current state of the environment. Now normally this is like a CISO role or a senior person, but you need to figure out where your current state is. That way, if you're going to actually adhere to some type of framework like CIS 18 or NIST CSF, you have a starting place.
Also, if you're just looking for some quick wins, Cyber James: end user awareness training. Start a, you know, a once-a-week little quick-hit email out to the organization, or schedule, ask like the CFO if you can meet, like when they do their weekly team meetings, if you can be there for the first five minutes and just share a little awareness training nugget that's specifically curated for the finance team, and then do it for the research team, then do it for the developers, then do it for the accountants, and do it for the executives.

All right, continue to look through chat. Noob One: Client in tier one SOC. One client is a dev environment. Wrote ticket on command line. Got flack from the company's contact for creating the ticket. Best way to handle? Huh? One client is a development environment. I wrote a ticket on a command line. Well, I guess the question is, who gave you flack? Your boss or the client? You know, because here's what I would say. I, you know, as far as handling the situation, say no, I, I appreciate that, but, you know, obviously, I wouldn't say obviously, but like I'd be like, it, it appeared to be a problem. My job is to identify problems and open tickets so they get investigated. I'm very grateful that this was a false positive, but my job is to flag these things. Any socket, Dan Reardon, Casually Joseph, and chat, if you want to comment on B Dubs, B Dubs S660, on this question. I don't think you should ever apologize. Now, if you're just ham creating tickets for no reason, I wouldn't do that. But like what if, what, what do they expect you to do? Whoever gave you flack kind of sounds like a peckerhead.

What helps you stay focused on your work when so many things are pulling your attention? Huh? Dan Reardon's always asking like thought-provoking questions. I don't know, Dan. I guess it's not necessarily one thing that keeps my focus. What I will say is that, and, and this is, I've said this before, so this is for everybody, I, I try to time box my time, right?
So, like, I'm at work right now. I'm gonna focus on work. I'm gonna get work done. Work, work, work, work, work. And when 5:30, 6 o'clock hits, I don't want to work anymore. I want to be family. I want to be husband. I want to be dad. I want to be, you know, doing the things. So in my career, I have slacked off, okay? I have effed around. I'm sure many of us have, right? And then you procrastinate. Delay, delay, delay. And then six o'clock comes and I leave and want to be dad and want to be husband. But now I've got this, like, I don't know, like, emotional debt sitting on me that I know I didn't do what I was supposed to do. And then I fret about it and I'm anxious about it and I don't like it. So because I don't like that feeling, it's very easy for me to be like, hey, if you don't want that feeling, put your head down and grind and get it done. And then, you know, I feel great, which, which, by the way, is a double win because I, I choose to work so hard during my working hours that if I get sick or, you know, something bad happens or whatever, I actually don't feel awful, because I feel like I'm, I'm so far ahead that I can sustain a few down times, right? Hopefully that answers the question. Plus, like, I mean, I love cybersecurity. Like, I am, dude, I am so fortunate. Trust me, I am not aloof to how fortunate I am that I get to just educate and stream and talk cybersecurity and hang out with you. Like, it's freaking awesome. Like, my job's awesome.

All right, what are some things you wish you did earlier in your career when attending in-person conferences? Oh, escoal07, you said something during the threat brief that I said you were young and maybe. Oh, oh, oh. Homestar Runner. Listen really quickly, just so everybody, this is Homestar Runner. This is. Do the. This, this was like amazing before the Internet. This is like 2001. Strong Bad. Such a solid character. Coach Z. Strong Bad Emails. Dude, I'm gonna drop a link to this. This is.
You want to go down a, if you don't have much to do today, this is a great rabbit hole to fall down. What are things you did earlier in your career, you wish you did earlier, when attending in-person conferences? Okay, so when I attended in-person conferences, I would, I would put my head down, I would just go to the talks. I thought all the value was in the talks. The talks are fine. Not even close to the value. The value is in meeting people, without a question. Everybody's pre-approved as cyber people who are into going to conferences, right? So say what's up. Another thing that I wish I did earlier in attending conferences: sometimes I'd go to a conference and you go into a talk and the talk sucks, and like I would just sit through the talk and be like, I guess this was a dud. No, like get up and leave. Like, if the talk sucks, your time is important, move. Also, I never did CTFs because I was like intimidated by CTFs. I would, I would recommend do some CTFs because you can meet other people. Another thing I didn't do in attending conferences, like, I don't know, like when I would talk to a vendor, I'd be like, what do you do? All these. But like, in reality it'd be better to like talk to like, hey, like, you know, what are you guys up to? Like, what have you seen in the market? Like, kind of like bigger questions. Also, also, also try to coordinate with other people and meet them there so you can meet more people.

All right, continuing to look through chat. Guys, great questions today. Great questions today. You guys are very awesome. Is there a big difference between the CCSA and other GRC auditing certs? Space Tacos, I don't really know. What I would say is like CISA, in my opinion, CISA is like recognized as like the cert, as far as like auditing for GRC. I think it's comprehensive. I don't know much about CGRC or internal auditing certs. I'm sure they're fine. I just, from a market perspective, I know that the CISA has gravity.
Can you make a GRC engineering course? That's a tricky answer. Yes, I could make one. It would take me a while, and I'm, I've been very bad about making courses. Simply Cyber Academy is, you know, I, I nurture it, I feed it, but I'm not growing it. I just, it's too much, too much going on. Dan's asking, answering the B Dubs question. Thank you, Dan. Looking at chat really quickly. The system is down. Shimaria says, for a second I thought it said System of a Down. Very good band. Can we get GRC templates? What would be your daily helpful tools? No, I mean, I make a lot of bespoke stuff. The thing is, if you use repeatable things, which is fine, people start getting like tuned out on them. So I can't really offer that to you. Straw Hat Sec is volunteering at BSides. Very nice. I would definitely get that done. Volunteering at BSides is really good. Kishan says I'm humble AF. Thank you, Kishan. I'm not sure what I said, but I appreciate that. Dude, we're all just trying to figure it out.

All right guys, it's 9:33. We're gonna giddy on up out of here. I want to say thank you all so very much for being here. I, I genuinely appreciate it. We're off and running on this beautiful Monday morning. I just want to give a quick shout out really quickly, holler, to, if you are looking or thinking about getting your CySA+, Jesse Johnson and Tech Ricky combined. They're like Wonder Twins. They are joining forces to do a Slay CySA+ YouTube channel project. So if you'd like to learn or practice the CySA+ and get it with some other people, definitely look into that. Just contact Acid Burn on Discord or Tech Ricky. I don't know what Tech Ricky's name is on Discord, but go on, get that. Code Brews in here, he probably knows Tech Ricky's handle. I'm Jerry, your chat. Have a wonderful Monday, and until next time, stay secure.
Theme:
This episode delivers April 6’s most impactful cybersecurity news for professionals, focusing on real-world attacks, vulnerabilities, and lessons for practitioners and business leaders alike. Jerry blends expert insight, practical recommendations, and signature humor, covering stories about supply chain risks, government cyber budget cuts, exploited vulnerabilities, significant breaches, and insider threats.
Purpose:
Beyond recapping major stories, the episode aims to contextualize each one, offering actionable takeaways for security teams, career advice for newcomers, and ongoing professional development for #TeamSC.
[13:06–21:54]
What Happened: Researchers found 36 malicious npm packages disguised as Strapi CMS plugins. The attackers exploited Redis and PostgreSQL, deployed reverse shells, harvested credentials, and installed persistent implants.
Tactics: These packages used names starting with “strapi-plugin-...” to appear legitimate. The attack chain targets developers directly and can compromise downstream organizations.
Industry Context: Jerry highlighted how common attacks on the open-source supply chain have become, citing the 2021 Log4j (Log4Shell) events as the wake-up call.
Practical Advice:
Quote:
"Developers are not the CEO ... they're special snowflakes. They want to be free ... But when threat actors get credentials of developers and get malware detonating under developer permissions, they get a lot of access."
— Gerald, [16:00]
Memorable Metaphor:
"Threat actors are like water—they're going to find the easiest path in, or the one with the highest chance of repeated success."
— Gerald, [21:09]
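To make the "strapi-plugin-..." supply-chain point concrete, here is an added example that is not code from the show, from Strapi, or from npm: a small Python triage script that reads an npm lockfile (v2/v3 format) and flags three things a reviewer would want to see before the packages ever run under a developer's permissions: a package that borrows the strapi-plugin-* naming pattern but is not on the project's own allowlist, a package that npm recorded as carrying an install-time lifecycle script (npm writes "hasInstallScript": true into the lockfile for those), and a package resolved from somewhere other than the public registry. The sample lockfile, the package names and the allowlist are constructed for illustration and are not the 36 packages the episode discusses.

```python
"""Triage an npm lockfile (lockfileVersion 2/3) for dependencies worth a second look.

Added example, not code from the show, from Strapi or from npm. Checks:
  1. a strapi-plugin-* name that is not on the project's expected-plugin allowlist,
  2. a package npm flagged with "hasInstallScript" (preinstall/install/postinstall
     hooks run on `npm install`, which is where a malicious package detonates),
  3. a package resolved from outside the public registry.
"""
import json

# Constructed sample lockfile for illustration; the package names and URLs are
# hypothetical, not the packages discussed in the episode.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/strapi-plugin-expected": {
            "version": "1.2.0",
            "resolved": "https://registry.npmjs.org/strapi-plugin-expected/-/strapi-plugin-expected-1.2.0.tgz",
        },
        "node_modules/strapi-plugin-seo-boost": {
            "version": "0.0.3",
            "resolved": "https://registry.npmjs.org/strapi-plugin-seo-boost/-/strapi-plugin-seo-boost-0.0.3.tgz",
            "hasInstallScript": True,
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
        "node_modules/lodash/node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://mirror.example.invalid/left-pad-1.3.0.tgz",
        },
    },
})

# Hypothetical allowlist: the Strapi plugins this project is known to depend on.
EXPECTED_STRAPI_PLUGINS = {"strapi-plugin-expected"}

PUBLIC_REGISTRY = "https://registry.npmjs.org/"


def package_name(lock_path):
    """Turn a lockfile path into a package name, e.g.
    'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_text, expected_plugins, registry=PUBLIC_REGISTRY):
    """Return [{name, version, reasons}] for every package that trips a check."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = package_name(path)
        reasons = []
        if name.startswith("strapi-plugin-") and name not in expected_plugins:
            reasons.append("strapi-plugin-* name not on the expected-plugin allowlist")
        if meta.get("hasInstallScript"):
            reasons.append("declares an install-time lifecycle script")
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(registry):
            reasons.append(f"resolved outside the public registry: {resolved}")
        if reasons:
            findings.append({"name": name, "version": meta.get("version"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK, EXPECTED_STRAPI_PLUGINS):
        print(f"{finding['name']}@{finding['version']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Run it against a real project by replacing SAMPLE_LOCK with the contents of package-lock.json and the allowlist with the plugins the team actually approved. It is a triage aid, not a verdict: a flagged package still needs someone to read what its install script does. Pairing it with `ignore-scripts=true` in the project's .npmrc (or `npm ci --ignore-scripts`) keeps lifecycle hooks from executing under the developer's permissions while that review happens, which is exactly the detonation path the quote above warns about.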
[21:54–26:52]
"Cutting [CISA] sucks ... They still have $2 billion. I mean, if you gave me $2 billion, I think I could make it work."
— Gerald, [24:00]
[26:52–35:52]
What Happened: At least 766 hosts were compromised through exploitation of React2Shell in Next.js apps. Attackers automated credential theft using Nexus Listener to extract cloud and environment secrets and keys.
Industry Angle: This bug, CVE-2025-55182 (CVSS 10.0), has been public for months; active exploitation underscores the danger of leaving a known, patchable vulnerability unpatched.
Lesson:
Quote:
"A vulnerability is a vulnerability ... If it's being exploited, every day that passes is one more day a threat actor has a shot ... we've had the answer for months."
— Gerald, [33:30]
Metaphor:
"Like knowing your outside pipes will freeze, and you just keep waiting ... then your house fills with water."
— Gerald, [34:45]
[35:52–43:06]
"Out-of-band patch ... should make your butt pucker—don't spend your political capital every time, but you don't see out-of-band unless it's serious."
— Gerald, [37:20]
[46:58–51:44]
"Threat actors aren’t hacking in, they’re logging in ... If you do the things, the threat actors will have to change."
— Gerald, [48:00]
[51:44–55:29]
"In local government, it’s one IT lady, basically Spongebob: doing eight things at once with her arms ... They’re being asked to do more with less."
— Gerald, [53:00]
[55:29–56:16]
What Happened: Threat actors accessed Hims and Hers’ Zendesk instance via compromised Okta SSO, stealing millions of support tickets including names and contact info (but no medical records).
Risks:
Quote:
"It’s not so much about medical records ... It’s about exposure—attackers can now prey on people’s vulnerabilities, which is gross."
— Gerald, [56:10]
Tip:
[59:50–61:50]
"This guy is such a dumbass ... Like, he’s wearing a spirit Halloween threat actor costume. I've never seen a part-time bush league cyber attack work out."
— Gerald, [61:20]
[Post-main stories; select highlights]
This episode is packed with lessons about the persistence of old vulnerabilities, the creative persistence of threat actors (“threat actors are like water”), the ongoing challenge of managing supply chain risk, and the importance of practical basics: prompt patching, secrets management, monitoring, and user education. It underscores the realities facing both large organizations and resource-constrained local governments, highlights the enduring risk of insider threats, and ties it all together with actionable, field-tested advice and community engagement.
Final takeaway:
Stay vigilant, keep learning, and support each other—the threat actors aren’t taking breaks, so neither can the defenders.