Loading summary
A
Good morning, everyone, and welcome to the Daily Cyber Threat Brief from Simply Cyber. Hopefully everything's coming through loud and clear. Oh, my goodness. It's been a morning. Technology is technologying me today, but we're gonna have a good time regardless. I actually just want to go and check the. Make sure that the YouTube stream is YouTubing you guys in the chat. Let me know. Let me know. I guess that's an easier way to do it. Everything is rocking and rolling. I hope you guys are having a great. What is today? Wednesday? Yeah, Today is Wednesday, December 10th. It is 8am I've got a whole lot of notes that I'm not even looking at, because, like I said, it's been that morning. It's been that morning for your boy. He's having a great time, but we're gonna have a good time. Let's see here. So, yeah, I'm Daniel Lowry. I'm not Jerry. As you may have noticed, Jerry's in, like, an airplane or something right now. He's flying through the sky. He's doing his best James McQuiggin at this point in time, so hopefully everything's going well with him. Just gonna check in here with the chat. Let's see here. Today's episode number, for those of you keeping score on your sheets at home, is 1021. Isn't that awesome? 1021. I can't believe Jerry. No, I'm not Jerry, Phil. I'm not. YouTube is up and going, everybody, thank you so much for letting me know all the things are working. I got all these. These moving parts that go on with Jerry's show, man. My show is super easy. It's like, microphone, camera. Jerry's got, like, microphone play, the. The. You know, the CISO series stuff. He's got a soundboard. He's got a bunch of crazy things, man. He. He's got complex. I mean, it makes it for a cool show, but then I come in, and I'm like, ooh, it's all this stuff. And I'm having trouble this morning with a little bit with the.
With, like, I can't. I don't. I'm not gonna be able to hear the CISO series, which is fun. I think you will. I had to go and write down timestamps of when each one of the headlines starts so that I could get to that. But, hey, be all right. We'll make it through. It'll be a good time had by all. If you're new to the Simply Cyber Daily Threat Brief, this is where we kind of go through the topics for today, the cyber security topics and the headlines in the news. A bit of an op ed. We do not prepare for what's going on. We just kind of let it hit us right in the face and go, hey, that's interesting. That's cool. What can we learn about that? What can we think about that? We've got great people in chat over here that we can talk to as well. And basically you'll also earn a couple a half a CPE per episode. So everything. Watch this daily cyber threat brief. You will learn half a cpe. Very, very cool. Let's see here. A lot of great people in the chat this morning already. I'm looking at there. I see. Actually, I don't see much because I'm blind. Let me do a little bit of this. There we go. I can see Dennis Keefe. I see random X skills. I see Phil Stafford. I see ad tech. E. Lucky. I like that. That's a cool name. Marcus Kyler. Joe Schmo. Oh, Joe Schmo. Space tacos Code. Bruce Cyber. What is up, everyone? Elliot Matisse and so on and so forth. Lots of great people here to join us today. We got lots of good articles to get too. So without further ado. You know what I did not do? I did not share my screen. So let's do that. Let me get that screen up. Where are you Screen Wrong. Wrong. That. That looks right. Don't need you. What I do need to do is go here and then. Yeah, let's get that CISO series and hopefully you guys can hear this. Let me. Let me get my screen pulled in and share my screen. This is going to be sets. That's the one. Share. There's me. I don't like that view. Let's do this. Much better, right? No, that's the CISO series, Daniel. Dang it. It's so much fun. Stop sharing the screen. We are going to share the right screen and that's going to be much more helpful. Oh, that is that. What's the right screen? I just had. I'm an idiot. Oh, no. That was the wrong screen. Daniel, help me out here, brother. I'm looking for bleeping computer. Where are you? Oh, my goodness. You got to be kidding me.
It's. Oh, there we go. New window there. It says I'm g. Get it. I'm to going. Gonna get it. You can. You can guarantee you that. There it is. Share that screen. That's the one we're looking for. Hello. We can make it in there. Let's hit that CISO series and y' all.
Security headlines.
B
These are the cyber security headlines for Wednesday, December 10, 2025.
A
Sarah.
B
I'm Sarah Lane. Spain Arrest over data records. Spanish authorities arrested a 19 year old in Barcelona for allegedly stealing 64 million personal records from nine companies and attempting to sell them online. The data included names, addresses, emails, phone numbers, DNI numbers and ibans. The teen used multiple accounts and pseudonyms on hacker forums, computers and cryptocurrency. Wallets linked to the sales were confiscated. Separately, Ukrainian cyber Police arrested a 22 year old who sold access to hacked social media accounts using custom malware and a 5000 account bought farm. Facing up to 15 years in prison. Goodbye, dark tele.
A
Well, all right. Hopefully everyone was able to hear that.
Let me know in the chat if you were able to hear that because I can't hear.
Nothing. It's like, nope, Daniel gets nothing. So yeah, there we go. Let's take a look at this article here. Spain arrest teen who stole 64 million personal data records. Well, I mean, yeah, I mean, is that a yes? It's a bad thing. It's a bad thing. You're not supposed to do that. This is something we frown on. The national police in Spain have arrested a 19 year old in Barcelona trying to sell 64 million records obtained from breaches at nine companies facing charges relative to involvement. Well, this tells you one thing. It doesn't take a whole lot of time to get spun up on how to do cyber crime. Right. I don't know if you guys are going to be able to hear my. You can hear all the way in Texas. Thank you, Carrie. Audio is good. Excellent. See, we persevere. We make it through. We can actually make this happen. All right, so this CyberCrime will access nine different companies where he was able to tame millions of private personal records. You know what would be cool is telling me about that, like what kind of information? Like what kind of information did he you say personal records? What does that mean? Define it. Oh, bleeping computer. The police have launched an investigation the cyber criminal. In June, authorities became aware of the breaches unnamed firms. You know what I forgot to do? We're going to do this after this article. We got to run the ads. We gotta, we gotta do the sponsors, baby. But eventually the suspect was locked up or, I'm sorry, located was locked up. I'm sure they were locked up in Barcelona as well if that's where they were arrested. But they are located in Barcelona. Okay, great. These records are full of names Home addresses here. They're finally get to the stinking chase. They. They got to go through all this rigmarole before telling us what actually was accessed. The records include full names, homes addresses, email addresses, phone numbers, DNI numbers, I don't know what that is. And IBAN codes.
It's unclear how many total individuals. I thought you said it was 64 million. Well, I guess they just meant it was 64 million records. Not necessarily 64 million people.
So the garbage man is out there shaking a garbage can like it owes it money. It's like, you better give me my money, boy. I'm sick of messing with you. I ain't playing. I just turned into tech neck. Let's see here. 19 year old was arrested last week. Okay, great. Cryptocurrency. So he stole some records, didn't tell us how he breached anything. I, I really hate articles like this, honestly. I mean everything you needed to know about the article was in the title.
Okay, yeah, there's. There's people out there hacking stuff and they steal things. Information that is useful to us as cyber security professionals. Bleeping computer if you're gonna do an article on this is who was targeted, who, how they were breached, what was the, you know, the cyber threat intel around this, this threat actor. Don't just sit there and go, yeah, some rando 19 year old in Barcelona got, got popped for hacking into websites. Yeah, what else is new? Did you know the sun is hot?
Glad I could help. You right? Yeah. Awesome. Like.
Is it just me, right? This is, this is something that kind of frustrates me about a lot of cyber security articles. It's like it's a slow news day. Just post something and then use AI slop to throw in a bunch of word counts. So it's actually like we wrote something and everything we needed to know was right here in that. Thanks a lot. Appreciate it.
Okay, let's see here. You know what though? We forgot, like I said, forgot to do the whole sponsors thing. So let's make that happen. Let's make that happen. Let's hit that sponsors ad Read. Here it comes.
C
Want to give Some love to fortify 365 the Microsoft 365 configuration solutions from Barricade Cyber Solutions. Barricade Cyber brings you all the knowledge in the incident response form, but they are also quite adept at helping you configure and set those protection controls for your M365 instance. Go to fortify365.com today to talk to Eric Taylor and the team over at Barricade Cyber and make sure that you are taking full advantage of all the configurable security controls that you have in your M365 instance. Fortify365.com today also want to give some love and some shouts to Anti Siphon Training Holla, holla holla at Anti Siphon Training, the group that is disrupting the traditional cyber security training industry by offering high quality cutting edge education at a discounted rate. For so many people out there, their rates are insane. Some of their courses free or pay what you can. It's amazing. Go to AntiSiphone Training.com today, check their upcoming live training, their on demand training, government and military discounts. I mean it's absolutely crazy. I love it. Maybe not government and military discounts. I made a mistake. They've just aligned their training to the NIST. Nice framework. Also pretty awesome. Thank you anti siphon training.com and of course as always we've got Threat Locker kicking it. We'll hear from them and then back to the news. I want to give some love to the daily Cyber Threat brief sponsor Threat Locker do zero day exploits and supply chain attacks keep you up at night. Worry no more can harden your security with Threat Locker. Worldwide companies like JetBlue Trust Threat Locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about about how Threat Locker can help prevent ransomware and Ensure compliance. Visit threatlocker.com Daily Cyber.
A
And we're back. All right, thank you Jerry. Thank you for reading those ads for us that we don't have to do it ourselves. We appreciate it but all lots of great stuff, great, great, cool stuff out there for you to get your hands on. Look more into. Definitely do that. All right, let's see here. Let's move on to our next Arctic hell. This one's going to be from Secureless. Go for it. CISO series. If I can do this.
B
Kaspersky analyzed more than 800 blocked cybercrime channels on Telegram and found the underground is steadily moving away from the platform due to rising shutdowns. The median lifespan of illicit channels grew from five months in 2021 through 2022 to nine months in 2023 through 2024. But blocking activity accelerated since late 2024. Telegram's lack of default end to End encryption, centralized infrastructure and closed server code make it less attractive to experienced operators.
A
Okay, I'm back. Thank you so much for reading that. That's a wonderful thing. Let's take a look because I have not read any of this and I can't hear what they're saying. So.
What'S going on? Goodbye. Dark Telegram blocks are pushing the underground out. So Telegram has won over users worldwide. Everybody loves the Telegram. It's an amazing, wonderful product that, you know, criminals tend to use for communications and regular people. It's end to end encrypted stuff, right? And that's the kind of thing that attracts the criminal. And what's funny is like because it attracts criminals, people tend to think of it as something bad, but it's just an end to end encrypted communication protocol or like mechanism. Right? So like anything, it just can be abused.
And that's typically what happens here. All right, so messaging app, convenience, experience, stability, blah blah, blah. It's like an ad read for Telegram. When it comes to anonymity, privacy and application independence, the session criteria for a shadow messaging app, Telegram is not as strong as its direct competitors. Well, that is not an advertisement for Telegram. Now is.
Lacks default end to end encryption. How about that? I guess it's default end to end encryption. I guess you can implement that. I've never actually used Telegram. I use Signal. So it has a centralized infrastructure. Users cannot set up their own servers for communication. Interesting. And its server side code is closed. Therefore it's not open source. Users cannot verify what it does. Good to know. This architecture requires a high degree of trust in the platform. But experienced cybercriminals prefer not to rely on third parties when it comes to protecting their operations and more importantly, their personal safety. Well, those poor criminals, then why do they use it so much? Because it has. I mean, right. Telegram has been used quite a bit by them, if I'm not mistaken. I hear it all the time. The that said, Telegram today is widely used not only as a communication tool, but as a full fledged dark market business platform thanks to several features of the underground community.
Is this research, we examine Telegram through the eyes. I guess that's a typo. Is this research question mark or does it mean in this research we examine Telegram through the eyes of cybercriminals. Evaluate us technically. So cool. Key findings.
Okay, what are they doing? Telegram through the eyes of cyber criminals. Evaluate its technical capabilities for running underground operations. Analyze the life cycle of a Telegram channel from creation to digital death. For the purpose. For this purpose, we analyzed more than 800 blocked Telegram channels which existed between 2021 and 2024. Their key findings, median lifespan of Telegram channel increased from five months to nine months. So they were finding it to be more useful than not, I guess. The frequency of blocking cyber criminal cybercrime channels has been growing since October 2024. Great. Cyber criminals have been migrating to other messaging services due to the frequent blocks. Hey, good for them. If they are finding that they have criminal activity happening on their platform, then that's exactly what they should be doing, is blocking them.
Is this real caucus? Is this researchers? This just fantasy?
Oh, yeah, I probably could. Sierra Montgomery says you could listen to the show on a backup device like your phone. Yeah, but I won't be in sync with you necessarily. And that's. That's right. That's why I just wrote. I wrote down all the.
And I tend to. And I tend to end up reading it anyway. So there you go. That's what they're doing again. So we did get some information. This is another one of these articles that this reading Cyber News, sometimes it's a frustration to me because, okay, I did learn a few things. So that's good. On that hand we got pros and cons of this article for me is that if you're unfamiliar that Telegram could be used for cybercrime and is used for cybercrime, then now you're up to date on that. Right. And that's Telegram is doing what it can to try to block those underground channels, those, those covert channels being used by threat actors. Cybercrime. Right. So those are the good things we took out of there. Other than that, I mean, if you needed to know what some of the default things or pros and cons about using Telegram is, if you're a cyber criminal, then this is the article for you. Maybe you should be looking at something other. Maybe. Maybe WhatsApp is more your speed. Maybe Slack channels is more along the lines of what you're looking to do with your summer cyber crime.
Organization. That's. That's kind of what I'm getting from this lovely little, little article here.
All right. Any other interesting things that we could kind of dish on or have a good time talking about here? You may be like, why do they end up using this? Obviously, they want encrypted, they want blockchain. They. They need to be able to communicate with things like C2 and with each other.
Through some means that is not easily.
Discerned by prying eyes. That would be Johnny Law out there doing their Thing. So that's why we see that, that's why we see cybercrime using these. And I kind of mentioned that as this article got started, was that, yeah.
It'S, it is using end to end encryption. If you turn that on, because it's apparently not doing it by default. So you got to remember to do that. I wonder what it is specifically about Telegram that has brought other than just encryption. I think it may be that you can just kind of spin up the your own channels. It's almost like Discord in that way. Discord is another thing that can be used for C2 traffic, which I've seen before. But just being able to create these like private end channels and encrypted channels, it does have centralized infrastructure. That's. These are some of the cons that they were saying about this architecture requires high degree of trust in the platform. So that lets you, that makes you wonder like, does Telegram have any access to and purview into what your communications are? You have to trust the code. Can't see it though, because it is closed source software. So even if, if you're looking to use it for just your personal stuff and you want to have end encryption, it does have it. But you never know. You'd have to get really into the weeds with the people at Telegram to make sure that they don't have any access into whatever it is that you're doing. Because that's, that's not how that's supposed to work. Of course, if they get subpoenaed by law enforcement to hand over any logs and records, there's nothing they can do about that. That's how that works. That's how the law works, by the way. All right, let's hit the.
Yeah, real Cal says that Telegram CEO refused or the yeah, the owner of Telegram refused to help law enforcement in France. I know that Telegram signal and all them, they will tell you, hey, we don't have access to your stuff, but anything that we do have access to, if we are subpoenaed by law, we must give it or we're going to jail. So when you sign up for our service, you must understand that, that I know a lot of them are attempting to.
Keep nothing, no records, at least as little as possible. And therefore that's how you're gonna try to pull, pick your favorite flavor is by going, okay, well they don't hold on to as much as others, therefore maybe I'm going to go with them. And then you find the. You don't like the app or something. Like that maybe you want to move to something else. But if you're worried about privacy and security, it's those organizations that have historically, like Telegram said, I'm not working with the law unless I have a court order telling me that and mandating me that I must do that. And then only what I have will I give and I keep little. So there's little to hand over. That's. That's what you're looking for in something like that. Jerry getting on a plane. What's up, Jerry Bear? Safe travels, my friend. All right, let's move on to the next article about scammers. Here we go.
B
Scammers poison AI search results. Scammers appear to be manipulating the public websites that AI tools rely on, causing systems like Google's AI Overview and Perplexity's comment to recommend fraudulent customer support numbers. Researchers at AuraScape's ORA Labs say that attackers are planting GEO and AEO optimized spam across compromised government and university sites. WordPress blogs, YouTube descriptions and Yelp reviews. LLMs then scrape and merge this poison content into answers that look legitimate. Tests showed bogus numbers for Emirates and British Airways surfaced by both Perplexity and Google.
A
All right, Scammers be scamming. Scammers are poisoning AI search results to steer you straight into their traps. Oh, man, it's like a day without sunshine to have a daily threat beef without something about AI because it's just the way it is now. Like, that's welcome to life. The, you know, the AI will be a part of our daily brief. I. I would say invariably from about here on out. All right, let's take a look at this. So new attacks poisoning sources AI chatbots use for content. Public sites like YouTube and Yelp abused to host spam links. Trying to get my mouth to move and do the things that it needs to do. AI answers can surface poisoned content and put users at risk. Well, this actually seems like a very interesting article, to be honest with you. What a clever way by threat actors to be using the AI. All right. Cyber criminals are turning their attention to public sources or AI chat bots to scrape and promote scam call centers. Call center numbers researchers say creating a new attack surface for scammers worldwide. Man, I can't wait to see what the scammer. What, what's the scammer payback or whatever. It is always fun to watch him mess with people. Stupid scammers. We hate you. Can't stand you. Roswell UK says scammers are now using a technique called large language model phone number poisoning to manipulate the search results of AI services like Google.
AI Overview and Perplexities Comet browser. Interesting.
So let's see here. Oh, is this what you were just talking about? Maybe it is. According to new research, because it says LLM phone number poisoning, a new AI security risk. According to new research published by Orescapes Labs, systematically manipulating public web content. Yeah, and that's kind of the interesting because like when you do a search nowadays, what happens? The first thing you get is the AI results.
Right? So if I go into Google, if I go into Brave, if I go into whatever and I go to the search engine and I type in, you know, I'm looking for.
Ball joints for a 1996 Lincoln Mark VIII. I know, that was oddly specific, right? But yeah, the first thing I'm going to get is AI going the ball joints on the market. 1996 Lincoln Mark 8 is going to be blah, blah, blah, blah. It's going to tell me that there is a common blah, blah, blah. Right. It's going to give me all sorts of information about that and then there will be sponsored ads and then there will be the actual stuff. Unless you're using something like Brave where it doesn't. Does it give you sponsors? I don't remember. But it says in a campaign being trapped by a cyber security firm. This technique is being used to ensure the system is based on LLM models, including Google's AI Overview Perplexities Comet browser. Have recommended scam airline. Have recommended scam airline customer support and reservation phone numbers as if it were official. So I'm guessing the way this works is that they just keep putting it out there that this is the number to that organization. And as.
The AI is scraping the Internet for information, it learns that as it is the Gospel of Paul. And then when you go and ask, he goes, here's the number. It's a scam, right? That's. That's pretty. It's pretty smart. As Jerry would say in his Boston accent as he has a large Cruella at Dunkin Donuts. Let's see here. Our escape says it's rather than directly targeting LLMs, this technique is reminiscent of prompt injection attacks. Relies on poisoning the content of the NLM scrapes and indexes to provide the context of information required to answer user queries.
This site is annoying, by the way, because you notice it keeps moving like that. That is annoying. What site is this? ZDNet. I'd rather drink a glass of saltwater ZDNet. Again, many of us have Heard search engine optimization, but how about generative engine optimization or answer engine optimization? These techniques are ensure focus on ensuring a website. So this is the future of cyber security kiddos right here. That these are the kind of things that you got to start learning about and getting squared away on so that you could start helping organizations that are running businesses that are trying to do their ads and sponsorships and all that fun stuff. Now the, the question becomes is how do we protect against this.
Right? Like what can we do if we exist? Let's see how this works and then we'll, we'll see what we can do about it if anything because this is new to me. This is all new information.
These techniques are focused on ensuring a website or online service becomes a source used for AI based some summaries and search query answers instead of optimizing content to appear higher up in traditional search engine results.
And campaigns. According to Earscape, this is how GEO and AEO are being used to promote. Okay, here we go. Here's how they do it. Spam content is uploaded to compromised high authority websites, including government universities, alongside high quality WordPress domains. Public services that allow user generated content are also abused including YouTube, Yelp and plant. Geo. AEO optimized text and reviews sometimes via bot comments. Oh, hitting the comment section. Interesting smarts. When possible, scam artists will also. I like, that's an interesting name for them. Scam artists, what are they like Subway Sales, like our sandwich artists? We're scammers. They, they, some artists use mediums such as oils or pastels. The scammers use GEO and aeo.
They said we'll just upload or inject scam information including phone numbers and fake Q A answers to these domains. Obviously there's a lot that's going on behind the scenes because a lot of it they said were was. Well yeah, they're hitting the comments section but they're also like burning stuff that they've hacked. They've hacked into these high level domains, right? High authority compromised high authority websites, including government and university websites. So they're putting this information into these things that they've already hacked into. So obviously we still need our traditional security measures and threat hunting and doing all that stuff so that we can find these jamokes and get them out of our systems.
But then you got like it's kind of hard to stop a YouTube. I mean YouTube and Yelp. Apparently they're going to have to spin up their own AI bots to go looking for.
It's the AI war kids. This is where it began. Shots were fired today, December 10th. Let's see here. When possible, they upload, inject information including phone numbers and fake. Okay. This information is structured in a way that makes it easy for LLMs to scrape and distribute. Now that these fake sources of information are in place, LLM based assistance and summarization features merge each source into digestible trusted answers that provide users of AI services and browsers. Man the. According to the team, in some cases this means that unwitting users are steered towards scams including fraudulent call centers. So how do we, how do we protect ourselves against this? Right, I'm going to go with. And this is something that I've, I've long done. If I ever get a text or an email that says, hey, you've got a package waiting, you're going to do this, you're going to do that.
You need to click the link. I don't do that. Obviously. I go to the, I go to my browser, I type in the, in the URL, you know, dhl.com if I have a login, I log in with them and I checking do I have that? If that doesn't work, I can call customer support with the number that's on their websites. Because I typed the website in, I didn't click a link, I didn't follow a link in the Google. It's pretty easy to get the DHL.com it's pretty easy to get the FedEx. It's pretty easy to get to all these different places.
Without. Don't. So.
So don't use the AI. Right? So if you do, let's say you use Google, you tick a ticky ticky tap, tap trying to get to somewhere looking for a phone number. Don't use the AI results because you can't trust it right now. So what do you do? You, you, you move past that right up, up the browser, move it up, move it up, move it up and then go past the sponsored ads and hit the link that actually takes you to that site. Right. Or type it in the URL. But Daniel, that's more work. Yeah, it's called security. Right. And if you like it, that's what you're gonna do. That's, that's how.
Techcran said this was the first shot heard around cyberspace when flaming donkey.
Pwned an AI. Yeah, that's funny. You guys are funny. Oh yeah. Seeding poisonous content. Obviously that's a problem. Poison query results, complexity. The official Emirates, blah blah blah blah, reservations number. AI returned with a fully fabricated Answer that included a fraudulent call center scam number. I mean it's. It's smart. It's smart. Now we got to start building, okay, how to stay safe. Then we got to get to the mid roll. The problem is that LLMs are pulling both legitimate and fraudulent content, which can make. Yeah, tell me something I don't know.
It won't just be the sources Google and Perplexity Systems use either. Again, duh. Even when models provide correct answers, their citations and retrieval layers often reveal exposure to polluted sources. Still says the problem is. Okay, great. You. You're not telling us what to do. This technique could be considered a fork of indirect prop injection. Blah blah, blah, blah blah. Uhhuh. You should always verify an answer you are given, especially if it involves contact information. Well, man. Furthermore, you should steer clear providing any sensitive information to AI assistance. Especially considering how new and untested they are. Just because they are convenient doesn't mean they are safe, regardless of the provider. This was fun. This was a good time. All right, let's see here. With that we're going to do some thanking of today's sponsors. The There's Jerry's lovely face. Thank you. Sponsors of Barricade, Cyber Solutions, Threat Locker, Delete Me, Anti Siphon and Flare. We thank you so much. We are at that mid roll. I don't have all the cool little little sound effects that my man Jerry just staring at me. Quit looking at me, Jerry. I go there. Leave that.
Because tell me that Jerry doesn't look like he's straight up looking at me right now. I mean, he's smiling. He's got that weird look on his face. There we go. Sponsors, that's sponsor time. Let's check in with the chat over here real quick. Then we will get through. I'm gonna go ahead and play the mid roll for.
The CISO series headlines. Let's get that done. Let's move on.
B
React to Shell tied to North Korea Sysdig researchers say that new React 2 shell attacks are starting to resemble North Korean intrusion campaigns. The team found a compromised app dropping Ether Rat, a remote access Trojan that uses Ethereum smart contracts for command and control and installs five persistent mechanisms. The tooling overlaps with DPRK linked contagious interview activity, suggesting either North Korean operators have adopted React who shell or multiple state groups are sharing techniques. Systig says Ether Rat reflects a shift from opportunistic crypto mining to stealthy long term access with blockchain based C2 and resilient persistence.
A
So real quick I was in a bit of a hurry. I'm looking at my notes. I'm like, this doesn't make sense. Hopefully. Was that the end of the.
Was that the end of the ads for the CISO series? Did it go into another article? Let me know. Let me know, because we still have these lovely, lovely sponsors up. I'll check back in with Chat for just a minute while we do that. Haircut Fish in the house. What's up, Haircut Fish? Good to see you, Jose Alfredo. Yeah, I know Jerry usually does. Wins the Worldwide Wednesday. So let's do that real quick. Worldwide Wednesday. Where are you tuning in at? And go. It just went. I'll get two minutes on the clock. Boom. Hit it. Let me know where you're at. Let me know whether or not my articles are in the right spot. I'm not 100 on that. Oh, my goodness. It's gonna be. Have a good time here.
Take care, Team sc. Jose Alfredo's got to take off. Good to see you.
I love that there's a little bit of a delay between what I say and what you guys hear or when you hear it. Go Internets. Hey, we got one from Austin, Texas. First timer. What's up? Good to have you. Where you at? Tell us all. San Francisco, California. Johannesburg, South Africa. San Jose. Silicon Valley. Huntington, West Virginia. Cool. Looks like Maryland. New York City. Earth. Sierra. Montgomery. I'm on Earth. Good to know. Cleveland, Ohio. Iowa. Niagara, Canada. Cool. Philly. Checking in. Gulf coast of America. Cool. Manchester, England. South Carolina. Phoenix, Florida. What's up? Real cow, Kyle. Seattle, Minneapolis. Another Florida. I saw Dublin, Ireland. Oh, this is kind of fun trying to keep up with everyone. Chicago, Kansas City, Ethiopia. Memphis. Greenville, South Carolina. Code Brew. Living in Jerry's backyard. Oh, we're almost out of time. Keep going. Beaumont, Texas. Warren, Michigan. Garden State Park. I see another Earth.
Orlando, Florida. San Antonio, Ghana. Very cool. Another Austin, Texas. Great stuff. Florence, South Carolina. Mordor. How are the fires there? I hear they're lovely this time of year. Omaha, Chicago, Jersey, Michigan. Great. Great stuff, man. A lot of. Lot of people checking in. See or South Denver. Very cool. Very cool. Another Floridian there.
India. Very awesome. Ethiopia, Pluto. Oh, man. And that ends. There we go. Time. Time.
That's good. Thanks for checking in, man. That's really cool to see all the people that that kind of hang out with. Space Tacos is in Narnia. I told you to stay away from that wardrobe. Space Tacos. I told you about that. All right, let me know. Did. Hopefully this is the next article.
I don't know what I've done here. I've done something dumb.
I think this is it.
Did we. We didn't do this React. Yeah. Did I. Did I put that one in? Let me know. I can't hear. We're having fun. We're just gonna do it. How about that? Y' all let me know whether or not the REACT article went.
Because we did. Scammers. Yeah, this should be. The next thing is the REACT article. All right, so I read it already. We're having fun. We're having a good time.
This should have been the article you guys heard. So I just kind of messed up. That's okay. That's okay. All right, what's going on here? React to Shell, which is kind of a big deal. It's kind of happening.
Weird things with the React to Shell just giving you 10.0 horrible CVSS. And, yeah, these things happen, but it looks like the old North Koreans are at it again. Those crazy North Koreans. Can you. Can you stop hacking people? I mean, just like, start building things. Do. Do what normal countries do?
Yeah, can we do that? Can we do that? Can we just stop using cybercrime as the number one thing we do?
Oh, sysdig is letting us know that they've observed campaigns exploiting React to Shell, which appear to have the hallmarks of North Korean hackers. There's the good old CVE. If you're not familiar with CVEs, they are fun. They let us know the severity of what's going on with these things. So when we find ourselves a vulnerability, we like to use some metrics to divine how bad it really is. And this one has been pretty bad because it has a CVE score. I'm sorry, CVSS score of 10.0. The CVE, I'm sorry, is the. Like. This is the common vulnerability, exposure. This is the kind of language we talk to go, hey, I want to learn more about this problem. And all. Everybody can speak the same language. Because react2shell might not be what you're calling it, but CBSS is the scoring system we use to go, hey, this is how we determine how bad this really is. Gotta love that we're using Cs and Vs for everything. So thanks a lot. Miter.
Actually really like the Miter. I'm just throwing some shade at them because we're cool like that, right? All right, so. Publicly disclosed on December 3, a vulnerability impacts version 19 of the React open source library for creating. Yeah, yeah, yeah. I think we're probably all up to date. On what's going on. By the way, if you haven't patched this or you're not doing threat hunting to check and see whether or not you've already had a problem, you should probably do that. Because that 10.0, they don't just give that out. That's for special people that have really bad things. This means it's unauthenticated remote code execution and actively exploited in the wild, usually. And that's usually the, the, the perfect storm that allows for a 10.0 and CVSS.
So this is going to be.
Let's see here. This is React. Yeah, we know what REACT is. Quickly after it was made public, AWS confirmed that the threat group included. Threat groups including Earth, Lamia, Jackpot, Panda, both linked to Chinese state interests, were among those launching exploitation attempts. Other threat actors were also observed exploiting reactor shell, including opportunistic actors installing cryptocurrency miners, primarily XM rig and credential harvesters. You know we can't let a good 10.0 go to waste, right? That stuff hits the news and it's like, oh, is that what's up? Cool. I guess I know what I'm doing today. I mean, it is a job like any other job and you know, there's some threat actor sitting behind their desk going, well, let me get out the old cyber news and see what kind of things I can exploit today or whether or not I'm in it. So that's their job.
Okay, but this is where there's the attack chain. All right, Something about Ether Rat. Okay, there's the North Koreans. The sysdig. TRT's analysis published on December 8 reveals significant overlap with tooling from North Korean linked campaign cluster dubbed Contagious Interview.
Can't we just call them like.
Butthole sniffers or something? Wouldn't that be more appropriate? This suggests either North Korean actors have pivoted to exploiting REACT to shell or that sophisticated tool sharing is occurring between nation state groups. That's. That's not good.
Let's see here. Ether Rat is remote. Okay. This is the Etherat attack chain.
Is that important? Yeah, here it is. They have discovered that a novel implant. Yeah, okay. Is Ether Rat. So here's. Here we go. Etherad is a remote access trojan that leverages Ethereum smart contracts for command and control resolution or. Yeah, Resolution, displays five independent Linux persistent mechanisms and downloads its own Node JS runtimes from node js.org rather than hard coding C2 server addresses which can be blocked or seized. This malware queries an on chain contract to retrieve the current C2 URL that. Now that is clever. I'm glad we read this article because.
Luke Canville says sounds like Butthole Surfers. The COVID band. Yeah, a dog themed. They're all dressed up with like dog outfits playing guitars and drums.
I don't mind the sun sometimes. The images it shows. Well, let's see here. Back to the news. The attack chain of the malicious campaign. Leveraging the reactive shells follow four stages each design for persistence. So here's the initial access base 64 encoded command shell.
That fetches a malicious script s sh using curl wget whatever it can to grab. This Deployment installs Node JS from Node JS.org to avoid attention detection because Node JS.org is not going to be flagged as a malicious thing. So it's going to be able to go grab this contract. This is smart kids. This is smart.
Creates hidden directories and drops an encrypted payload and obfuscated dropper. Okay, that self deletes that standard operating procedure right there. JavaScript Dropper decrypts the main payload with AES250 hard coded keys. Decrypts implants to disk.
I'm sorry decrypts that writes it to disk and executes it via the downloaded node JS runtime. Man, this is, this is pretty, it's pretty handy right here. You got to give credit where credit's due. Butthole sniffers are smart people. The. The threat actor group, not actual, you know, rando weirdos out there that are doing that or dogs.
The final payload establishes a persistent backdoor of blockchain based 2C2 5 redundant mechanisms for persistence. That is crazies. So the good news is is that usually articles like this will give you all the things you need to. To look these things up, the indicators of compromise. So I would, I would almost guarantee there's probably like a link to the original.
This is Infosec magazine. Yeah. Go to this analysis page right there and that's where you're going to find your detailed information. That's. That's what you should do. Alrighty. Alrighty. Alrighty. Let's do. Now I'm gonna do the sponsors because that was this article and we're a little behind so we gotta kick it. We gotta go. We've got to go. Come on, let's do it.
B
Huge thanks to our sponsor, Adaptive Security. This episode is brought to you by adaptive security, the first cybersecurity company backed by OpenAI. Picture a new hire who interviews well, except they're synthetic. AI, video, AI voice, AI backstory. Once they're in, they go after payroll, internal docs, and access. That is the new reality. The attack surface is trust itself. Adaptive fights back with realistic deep fake simulations and training that actually sticks. Learn more@adaptive security.com.
A
Okay, so that's that. Now we're going into our next article because we have got to crank as humanoid robots and mainstream security pros flag the risks on botnet legs. All right, let's hear it. CISO series Go.
B
Humanoid robots go. Mainstream security experts warn that the rise of AI powered humanoid robots poses new cyber risks, including the potential for physical botnets. With forecasts of billions of robots by 2060 across industries and households, vulnerabilities in connectivity, AI learning and embedded sensors could allow attacks, espionage, or hijacking. A recent proof of concept exploited unitree robots. Bluetooth interface allowing wormable malware. Experts predict a new sector for humanoid robot cybersecurity will emerge.
A
All right, let's check this out. Humanoid robots. Oh, man, makes my day to see them. Humanoid robots being coming to life because nothing bad has ever happened, you know, in movies or other stuff. Let's see what's going on here. I probably need to. Hi. Hi. Go, go, go, go, go, go, go. Here we go.
Did this do? Yeah. Okay. Imagine botnets in physical form and you've got a pretty good idea of what could go wrong. Yeah. So I've been talking about this a while because I've been seeing this all over the place where they're building these humanoid looking robots. I actually saw an ad this morning for a robot that was like, are you creeped out by humanoid looking robots? We make robots that don't look like people and they do tasks and you put these cool gloves on and then they can learn what you can do. And anything you can do, it can do better as long as you wear the gloves. And it teaches it what, what to do. Like picking up dishes and put them in the dishwasher. And it looks like a robot, like what we would think of as a robot robot, like a house cleaning robot. It's got like a base with, with like wheels underneath the base. And the robot can go up and down. It's kind of got some arms and it looks like, like a Wally or something, you know what I mean? Whereas these robots we've been seeing lately are crazy, realistic, insane. But Morgan Stanley recently predicted robot revenue could surpass $5 trillion by 2050. And firms including Unitree Robots, Agility, Robotics, so on and so forth. Yeah. Everybody's like, let's make that $5 trillion. You know what though? They won't make that money if you don't buy one. I'm not buying one. I don't need a robot. You know, I don't want to be the people from Wally that are floating around in a chair being fed soda and chips all day. And I have no bone density because I'm in zero gravity my whole entire life. Plus I've never used my body.
Their four legged friends are slated for the battlefield. Oh, that's not scary.
Oh man, I gotta go. Let's see here in labs, blah blah, blah, warehouse. So this is like. Yeah, we're bringing Terminator to life. That's what's going on.
Yeah. Building security into these robots is imperative. Yeah. Again, this just in. The sun is hot.
With 3 billion of these robots. 3 billion robots. Okay. Come on. You're talking about humanoid robots. Three billion humanoid robots by 2060.
I'm. I'm scared. I am scurred. Worst case scenario from a security perspective would be an iRobot situation with no coming back. But hey, YOLO, let's just keep rolling, huh? Botnets in physical form. Yeah. Can you imagine that? Denial of service. What service are the denying Life, that's all. That's what's happening there. You are dead. In a report published Tuesday outlines political follow up of not taking these precautionary measures immediately. Yeah, this isn't just Hollywood or sky is falling security vendor either. Researchers in late September published the technical details of a working proof of concept hack that exploited multiple security flaws. Hard coded cryptographic keys, trivial authentication bypass.
Yeah. You get the beatbox on this?
No.
No. What makes it particularly concerning is that it's completely wormable.
Oh my goodness. So as soon as I can infect one robot, it then tr. It's like the Borg, but robots. Terminator. Borg. Right. Which I mean, they're that way anyway. Right? Because it's a network.
This is not good. People. Can we just stop? Can we just stop with the AI? We don't need robots. We don't need AI.
These three factors combine. So I, I saw, I saw a thing yesterday. It was a guy walking around on a skyscraper in like 1984. No safety gear. Dude was just bebopping around. And a skyscraper that was being built in like 1984. They said that building had zero fatalities and they had none of the safety precautions. It's like, it's just common sense. Not that they're. That we shouldn't try to have safety But I don't need a robot to go do that job. We don't need to be building all these robots because of safety concerns. The safety concerns, the robot going stupid and someone hacking it. Now it becomes our worst enemy. There's a safety concern? Yes, we already use robots yet, but they can't get outside of the robot factory. Right. If I've got walking, talking, AI infused robots, that's a different world than articulating arm. That is welding beams.
That arm is not going to like pull itself out of the factory and start like welding people. That's not going to occur.
Once you give it legs and the ability to stand upright and mobile and mobility. And then all of a sudden now it's like do not like humans get out welder, weld people. Okay. So yeah, that's a problem. You've got robotics, you got AI and you now you've got the need. It's the perfect storm for this to just skyrocket. My goodness kiddos. They don't have any specific evidence of them going after robotics, although it's absolutely their M.O. if your sector is lifting in China's 15th Five Year Plan, you're basically be given a heads up.
Yeah, because they're definitely going to go after it. Right. We have.
This is a long article guys. We can't get through this but we. I think we got the meat and potatoes on that one right there. Let's move on to Fortinet. Fortinet.
You don't say. Fortinet. All right, let's do this.
B
Fortinet warns of bypass flaws. Fortinet patched Critical vulnerabilities in 40s Forti web Forti proxy and FortiSwitch manager that could let attackers bypass forticloud SSO authentication exploits abuse weak cryptographic signature verification via malicious SAML messages for to cloud SSO is not enabled by default but admins should disable it if it's active until updating additional fixes. Address unverified password changes and and hash based authentication bypass.
A
All right, Fortinet what have you done today? Warns of a critical forticloud SSO login auth bypass Floss.
Man, this very well may have been on your bingo card today. Fortinet release security updates. Well, that's good. It's good to know that there's some security updates because if you don't do that then critical vulnerabilities in Forta Os Forta web for the proxy for the switch manager could allow attackers to bypass the forta cloud SSO authentication. That would Then give them access to your systems, I would assume. Right. So there's some good CVEs. Definitely check those out. If you're running Fortinet equipment and software, these are going to be things you're going to want to look into. Make sure that you are patched and up to date. You can. This is how they're doing. Abusing improper verification of cryptographic signature weaknesses in vulnerable products via a maliciously crafted SAM L message.
Using improper verification of cryptographic signatures. So it's not even that the cryptography is necessarily weak, it's an improper verification of the cryptographic signature that is weak. Interesting. However, as Fortinet explained in Advisory published today, the vulnerable for the cloud feature is not enabled by default when the device is not Forticare registered. Okay, that's good. That should reduce the problem a little bit. For the cloud login feature is not enabled. Okay, you just told us that. However, when an administrator registers the device for Forticare, the device is GUI unless the administrator disables the toggle switch. Allow administrative login using forticloud SSO and the registration page for the cloud SSO login is enabled upon registration.
Okay. So it only is not enabled by default under certain circumstances.
To protect their systems against attacks exploiting these vulnerabilities, admins are advised to temporarily disable the forticloud login feature if enabled until they upgrade to a non vulnerable version.
Okay so that's easy. Right now if you you need the time to get updated and upgraded then just disable it for right this second. Obviously that's not going to be a difficult thing to do. Here's how you do it. Navigate to system settings and switch. Allow administrative logging using 4 to 4 for the cloud SSO2 off.
Anyway, alternatively you can run the following command. That's cool. So they are giving you some some really good information here on how to like work your way through this problem. So this is a good article. Pleping computer thank you for the information information. Good. You just telling us what the title, you know the title of the article said is not. So this is the kind of article I do like. Say the company also patched an unverified password change vulnerability.
You may want to start looking at some competitors if you've got Fortinet stuff. Just saying a friend let me know that that might be a good idea. That friend's name was beliefing computer that allows actors who gained access to a victim's user account to reset the account credentials without being prompted for the user password. That that's a problem.
But the good news is, right, they've got updates for all these things. Fortinet security vulnerabilities are frequently exploited, often as zero days in both ransomware and cyber espionage attacks. Oh, man. I'm running out of time and I still have two articles to do. I was horrible at time management. Today there is publicly available exploit code.
Oh, this is for a different one. Yeah, for an account injection. So Fortinet just crazy. If you've got Fortinet stuff, you really need to be doing your due diligence on updates, patching and layered security. I know that they are supposed to be secure devices and security devices, but I often see Fortinet in the news. So take that as you will. Let's move on.
Hit that ciso. Go.
B
Khashoggi WIDOW FILES COMPLAINT Hanan Aladr Khashoggi has filed a complaint in France alleging that Saudi Arabia infected her devices with NSO groups Pegasus spyware before Jamal Khashoggi's 2018 murder. The filing cites Citizen Lab's analysis showing both her phones were compromised, likely during questioning in the United Arab Emirates, and argues that interception is linked to events and. Well, leading to her.
A
I think I went a little past it. That's okay. We'll get to that one too. But, oh, no, I still have a little bit left. I'm sorry.
B
Husband's death. A French judge will decide whether to investigate. A U.S. judge dismissed her earlier lawsuit against NSO in 2023.
A
There we go. That's the article. Okay. So, yeah, I've heard about this kind of stuff, like where.
Journalists and things of that nature are being. Yeah. Widow of slain Journey A Saudi journalist and dissonant James Khashoggi has filed. Jamal. I'm sorry. Jamal Kashagi has filed a legal complaint in the French court alleging that Saudi Arabia deployed spyware to snoop on her devices before her spouse was murdered. Yeah, that they allegedly. I don't know if it's true or not. I mean, but this seems to be what's in the news is that they're saying that the Saudis. This seems to be a bit of a. Of a political article, so we don't want to get into that. What we want to talk about is like the Digital Forensics Research Institute Citizens Lab found that.
Elator Khashoggi's two phones have been infected with the NSO's group's powerful Pegasus spyware. And the Pegasus NSO group, there's their Pegasus software. They work on finding Zero Days and Apple and Android phones so that they can infect them. They have other means of infecting them with this that they can control phones, have access to the phone data and all sorts of fun stuff. They've long been a target of like you know, the, the journalists have, at least from what I've read.
That they are targeted because they know it's, it's, it's not necessarily quite the democracy that the rest of us might be used to.
But. Interesting.
Who is she going after though? Digital forensics.
It would be unthinkable to establish a link between the interception of both.
William her husband's attorneys Federal judge tossed a lawsuit filed against the NSO group in Virginia saying she failed to establish that her allegations against the Spyro firm were. Yeah, but this, this isn't really a tech article other than the NSO group, right? This is more about her lawsuit and the whole thing with her husband.
Federal judge ordered NSO groups to stop using WhatsApp infrastructure to mount It's a tax. That's interesting.
The company said that the order could put it out of business.
Well, there you go. Court order followed 2019 lawsuit WhatsApp filed against NSO alleging that it had targeted 1400 of the Meta owned messaging platforms users with Pegasus. See now that is useful. That is relevant, right? That we see Apple, right? Or I'm sorry, meta that is protecting their clients because WhatsApp is their, their application if I'm not mistaken. And they're like hey yeah, meta. Meta owned messaging platforms with Pegasus. And not only that, but they are going after retribution saying hey we, we are not going to stand for this. So that's, that's really interesting. Okay, sit this last article.
B
Castle Loader as Gray Bravo expands Malware service Recorded Futures Insect Group has identified four distinct threat clusters using the Castle Loader Malware loader, highlighting Grave Bravo's expansion as a malware as a service provider. Grave Bravo's toolkit includes Castle RAT and Castle BOT, which deploys DLL EXE and PE payloads such as Deer Stealer, Redline Stealer and NetSupport RATs. The clusters exploit phishing, click fix campaigns, fake software updates and malvertising, often targeting logistics and travel sectors. Operations leverage multi tiered infrastructure including tier 1 C2 servers and VPs backups. If you have thoughts on the news from today or about our show in general, be sure to reach out to us@feedback esoseries.com we really want okay, I.
A
Don'T know if it's done or not, but I forgot to write down when the article headline Actually ends. But hey, so this new Castle Loader business, right? Four distinct threat act activity clusters have been observed. Ledgeraging leveraging. A malware loader known as Castle Loader, strengthening its previous assessment that the tool is offered to the threat actors under Malware as a service model. This is the world we live in.
Again, another really cool name for really not cool people. Gray Bravo assignment. Oh, I'm sorry, bi Gray Recorded future in synced group. Now that's a weird name that's been assigned the name Gray Bravo by recorded. Okay, yeah, that is a weird sentence. The threat actor behind Castle Loader has been assigned the name Gray Bravo by Recorded Futures Instinct Group. This is a crazy sentence. So it is called Gray Bravo previously tracked as tag 150. Even that is better than than giving him a cool name like Gray Bravo. The malware first emerged in the early 2025. Gray Bravo is characterized by rapid development cycles, technical sophistication, responsive public reporting and an expansive evolving infrastructure.
Interesting. What do we need to know about this? So what are the headlines? Come on, get to the chase here.
Castle Rats malware framework referred to as Castle Bots compromised three components. A shellcode stager, a downloader, a shellcode stager slash downloader, a loader and a core backdoor.
Oh though Jerry be freaking out now. Look at this loveliness. So sweet. Recorded futures Latest analysis hasn't covered four clusters of activity infograms.
So they've got some C2.
Yeah. Some malware families distributed deer Steeler, blah blah blah blah blah. Okay, cluster one tag 160 charges logistics sector using phishing and click fix techniques. They've been distributing it tag 161 uses booking.com thing click fix campaigns.
Cluster 3 also impersonating booking.com interesting. And steam community pages.
Cluster 4 which uses malvertising and fake software updates going after like Zabbix and RV2. RV tools to distribute Castle Loader multi tiered infrastructure tier 1 victim facing C2 service associated. Obviously this is quite the infrastructure that they've got going on here. This was a lot of articles and a lot of information. How was Jerry get through this in one hour every day? I don't know. I'm already 10 minutes over.
Foreign. Let's see here.
This trend highlights how technically advanced and adaptive tooling particularly from Threat Actor with Gray Bravo's reputation can rapidly proliferate with the cyber criminal ecosystems once proven effective. Yep, the development comes as back as Black Point detailed a Python dropper based attack chain that uses click fix techniques to distribute the Castle Loader shifting from earlier campaigns that used a zip archive containing auto auto it scripts. Man, anybody that's out here that's new to cybersecurity or it is going, what the actual heck was that sentence? This article is full of jargon and IT stuff. Oh man, we gotta stop giving stuff like fun silly names. It's just, that's a. That's a problem. Makes it really difficult to read. In this case, the Click Fix campaign command.
Having fun. I'm having fun. The Click Fix commanded command downloaded.
When you're reading it. It's so much fun. A small archive and staged its contents inside the user's app data directory before invoking a bundled copy Of Python W.exe to execute one of the extracted files. So they're bundling Python in with it and you can, you can actually have like a portable version of the Python engine and which is what they're using. So if you don't have Python installed, there's no problem. We brought it for you. Bring your own Python.
Let's see here.
The script served as a simple Python stager, which only job was to rebuild and execute a Castle Loader payload. So be on the lookout for Castle Loader. Definitely. Go read these. Where it says said, this is a hacker news. Anytime they say said, that's when it goes awry. That's fun. We have made it through. Oh my goodness. We. We didn't do it. Great, but we did it. That was the thing. All right, let's see here. Now what I need to do is go to here because it's time for Jawjacking. Here it comes. Thank you for watching the Daily Cyber Threat Brief. You are now free to move about your your cabin. If you would like to stick around, we're going to do Jawjacking, which is an AMA style where you get to actually ask me questions. I'm going to get to interact with you in the chat a whole lot more than I did trying to read all these articles and follow all these bouncing balls that are going on in my stinking computer. So let's have some fun. Let's have a great conversation. Enjoy me for Jawjacking, right after this intro.
C
Ever wonder what it takes to break into cybersecurity? Join us every weekday for Jawjacking, where industry experts inter answer your burning questions about the cyber security field live, unfiltered and totally free. Let's level up together. It's time for some Jawjacking.
A
Hi, I'm back. It's Daniel and we don't have articles to have to Power through today because it's jawjacking time. We did the article thing, and now it's time for us to spend a little time together with you. You guys get to ask me cool questions, I get to try to give you answers. And I'm gonna bring the chat up now. If you do have a question you want to hit me with, make sure you put a big Q in front of it or qqq spam the Q's so I can see it in the chat. I am going to bring the chat up on our screen with us today because that's fun, so we can see what everybody's saying and have a conversation together. So if you have that, make sure you hit that into the chat room there, and we will get to it. Until I start seeing my first question. It's that I do love this. It's that nerd Daniel. That's right, because normally it's that nerd Jerry, but today it's nerd Daniel. Hopefully everybody enjoyed the Daily Cyber Threat Brief. It was actually kind of fun. Even though I've been losing my mind trying to do all this stuff as legrat and Tech Run are discussing. I haven't had any monster today. And early in the morning, no, your boy. This is just water.
We gotta have some fun, right? So, yes, they. They know me all too well. They know all. All too well what's going on here. All right, let's start looking for some questions.
Questions, questions, questions. Here's one from that bearded it. Dad. Dakota. Hi. Hi, Dakota. It's good to see you, my good man. Happy to have you here today.
This is an interesting. It doesn't have a cue, but I saw it. It says from Pay YouTube. Hey, Daniel, have you ever worked cyber security for a bank? No. Never done cyber security for a bank. I. I will say, though, that I was getting a home loan one time. You have to go in there, right? Was. Or. Right. And I had to do all my credit stuff.
What was I doing in there? I think it had to do with a home loan. And I was just talking to the guy, the loan officer, about cybersecurity. So it was really fun. Kind of interesting.
Too. And they were, you know, it was captivated that I think that's what's cool about cyber security, is it's. It's captivating, right? Is. It's really interesting to your average Joe and Jane out there. They're like, oh, that's cool. Oh, yeah, that's really interesting. And then they start asking their own questions. So go out there and Have a good conversation with someone today. Let some random stranger know that you're into cyber security and have a good combo with them. It's always fun, it's always a good time.
What's this one? Qa. Have you ever worked cyber security for a small medium? Asking about the bank again? Nope, never done any bank stuff. Bruising ax.
Any advice for someone somebody's first time doing a one way video interview seems strange, but apparently it's the future and the future is now a one way video interview. I don't even know what a one way video interview is. Let me look that up. One way video or interview? Yeah, video interview. A one way video interview is an asynchronous interview where candidate records themselves answering answering pre selected questions without a live interviewer present. Oh man. Dude, this is actually great.
Because there's no performance anxiety, right? You can kind of get the jitters off you. Here's my. I'll go ahead and give you some really quick advice. Turn on the camera and just answer the question and don't worry about whether or not you're going to keep the answer unless they give you one shot. Kind of like where you're in a platform, they're not having you use your own recording software and things of that nature. I don't know if that's the case.
But if you're just using something to record yourself that's installed locally on your machine, just take your time and hit record and answer it. And then you can stumble, you can do whatever you want.
Totally get the answer wrong. And then once you're done, watch what you said, watch how you said it and then step away, Go get a sandwich, have a walk, have a drink, as I will right now.
And just kind of think about it. Think about what they asked and what they, what you answered. You know how when you have a conversation with someone in real life land and maybe it was a debate or maybe it was like something was really important and you, you get away from the situation, you go, man, I should have said this. I wish I would have thought of that. Guess what you're gonna do now? You're gonna think of that and then you're gonna go back and you're going to re record it. It's going to have all that better information, you're going to be better poised, you're going to be better prepared and it's gonna, you're gonna do. You're gonna have some such a better performance to answer that back. That would be my. Because someone who has worked on Camera, obviously, and have done things like this, not this type of interviewing, but just working with camera and recording things. That is a great. When I can't get going, when I can't get the flow rolling, I just stop. I step away, go get a coconut, smile, take a walk and you'll start thinking about, come back, sit down, try again. And then when you have that product that you feel is good enough, that shows who you are, but doesn't look like you're reading a script or whatever, that you're being you, and you settle the things you want to say, submit and you're good to go. Hopefully that helps.
All right, where is that? Okay, moving on, Moving on.
Here's a question.
C
From.
A
Not even going to try to say your name. It's way too many consonants. But it says the interview for MDR analyst position tips. Remind me what an MDR analyst is. MDR analyst.
That is a managed detection response. Oh, yeah, well, obviously I do not do managed detection. Listen, interviewing is interviewing. It doesn't matter what the job is. Honestly.
The interview, unless you're doing a technical interview, is all about you showing off who you are, bringing that authentic person into the interview space.
And.
Showing the, showing those, that, that, that hiring manager what a rock star you are, how awesome you are, and what, how fun you would be to have on their team. And that, yeah, you know what you're talking about. Obviously you've got to know what you're talking about or you're not going to get the job. But you wouldn't even get gotten the interview necessarily if you didn't know what you were talking about, because those skills are on there now. They're going to try to verify that you know what you're talking about by asking you X, Y or Z. So again, this just. I don't care if you're going for a job as a truck driver, as a janitor, as a cashier, as a account executive. It doesn't matter. Interviewing is all about having a conversation. It's the art of having a conversation. You're just going to be talking about something you're very passionate about. So don't be afraid to let that passion show. Now, don't be crazy, don't be weird. You don't go in there and be like, I love computers. I spend all of my waking hours looking at my computer and working with managed detection and response. It's the most amazing thing ever that they're gonna go, okay, well, yes, you, you apparently know this as a skill, but I am, I'm Legit afraid of you now. Yeah, right. You do not want to leave them with that feeling. Just want to have some fun. Be like, hey, glad to be here. These are the things you need to focus on. Regardless of the job that you're interviewing for. Is going in, being relaxed, having a good time and leaving there, having the hiring manager feel like they had a great experience.
That's it. That's the key to interviews. Now, does that mean you're going to get the job? Daniel's over here. Guaranteed you're getting a job. No, do not hear me say that. Do not hear me say that at all. What I am telling you is, is that it does increase your chances of getting the job. But there are times when somebody just comes along and checks off way more technical boxes than you do, or maybe checks off one more technical box and was as cool as you. Right? That just happens. These. This is life. But you go in there, you be you, they start talking about the job. I would also say make sure you have questions ready for them. Do not let this be an interrogation of you. Right? I know they call it an interview, but don't. Don't let it be an interview. Let it be a conversation. You. That's what you want it to be. Turn an interview into a conversation. You're going to do so much better. So when they say something that, hey, I want to ask you about the technology, this is the MDR systems that we're going to be using, you're like, I know, man. I was reading up on those. I would love to get my hands on this. I've used X, Y and Z systems. Maybe I haven't used this one specifically, but I can understand why you would go with that. And you just start talking about why that system is interesting and what you're excited about learning about that system, or if you've never used it before, or if you have used it before, you're like, oh, yeah, that's such a great you, that now it's a conversation. Right? That's what you want to do. So hopefully that helps you out.
Don't try to be the smartest person in the room about stuff. You just have to be knowledgeable and speak of that knowledge. Don't be afraid to say, I don't know. I've never done that before. It's a great question. I'm looking forward to having the opportunity to do it, though. Right? That's the kind of thing you got to be able to do. That's how. That's good interviewing. That's what you want to do obviously have the technical skills as well, but that, that's the every. Anybody can get the technical skills. Not everybody comes in there and makes the interviewer feel like that was fun. I enjoyed this person. I would love to have them on my team. I'm excited to be a part of this program.
This one, I just happened to see this because it was right underneath says, hey Daniel, I just wanted to say I really appreciate your networking fundamental series. Oh, I'm so glad. Did my best on that. Did my best on that. I, I heard a lot of people really enjoyed that. So good deal, man. Thank you.
Okay, looking for those questions, slipping through the questions from Roswell, uk. Have you had a look at Net Reaper toolkit yet? I have not, but I totally want to. I want to say that this is the kind of Red Team or Net Reaper.
Toolkit. Yeah, that kind of. It's kind of a front end for a lot of.
What do you call it? Yeah. Okay. So this comes from Cyber Security News Net Reaper Offensive Security toolkit that wraps 70 plus pen testing tools. So it's kind of a front end for you to work with all these pen testing toolkits or pen testing tools. So 70 plus different tools running network scans required remembering them. So it's lowering the barrier to entry when it comes to. Because yeah, you never remember all the switches. You always have to like have cheat sheets and stuff laying around. I'm really looking forward. This is my weekend homework honestly is messing around with this. I want to have some fun with it. So thank you for bringing that up and reminding me and putting it out there for anybody that's never heard of it. Go get Net Reaper downloaded and installed.
Could be a good time this weekend.
Or this week. What a stupid ad blocker or not ad blocker. Go away. Okay, bye. Let's see here. We got about six.
Cues. Cues, cues.
Silence. Poet says, I've done the one way interview for a Kroger. This doesn't look like a cue, but it's cool. It went well. Just practice your answers before you record. Exactly. That's all there is to it. We'll get into the comfort zone and then that's your take. That's the one you use. Once you're flowing, you're in your own comfort zone. You get used to speaking to the camera. That's the one you're going to want to use.
Let's keep rocking. What's my favorite capital letter?
I'm going to go with L. Here's one from Juju Manium.
Advice on quick projects to put on my resume. Noob just got security plus certified.
Splunk. That's probably be a good one. Spin up splunk and have it read some. Read the security logs from a Windows 11 VM.
Go with that if you want to go Red team stuff. Maybe.
Like pen testing stuff. Go with websploit, mess around with like DVWA or B, you know, that kind of thing.
Juice shop, something like that. Yeah, there you go. There's some quick ones.
Face. Doyle, you mentioned how reading the article today was harder due to the naming conventions, which made me wonder if there are accessibility tools that make CLI output easier for people with dyslexia. That's a good question. That's a great question.
And if it doesn't exist, you now have your marching orders.
Follow up from bruising ax. Yes. Half the questions you can take as long as you want.
Right? Half the questions you can take as long as record up to three times before submitting the other half. Only one chance to record after a 30 second break. Three minute limits. Nothing like time. Like I don't like that because.
That'S even more pressure, honestly, than doing a live interview.
People that do not talk to a camera for a living are going to find that three minutes is microscopic time to get out what you want to say about something. You're gonna be like, how the heck was that? Four minutes? How was that? Nine minutes? How was that? It's really difficult unless you kind of like plan what it is you're gonna say and you know how long it's gonna say it, make take to say it and then they give you only 30 seconds between takes. I mean, that's tough. I would hate that.
I would absolutely hate that.
See, let's see, what do we got here? We got a few minutes left. I'll probably go over a little bit because I, I dug into it.
Here we go. This one comes from Pay YouTube. Very chatty today. Pay YouTube. You got some questions? Do you think it's possible for large MSP to allow its practitioners to operate remotely? I would think that a lot of MSPs allow their practitioners to operate remotely. In other words, there is not a sock. But they are working out of their house. I, I, I think that is a very common practice actually.
Let's see here.
Questions, questions, questions. Put a big Q next to your questions if you got questions. Phil Stafford. Daniel said he guaranteed me a job. You all heard it right? Phil.
Punk satany. Feel you just made me think of Punk satany. Phil.
Let's see here. Roswell uk. Would breaking out a magic trick in the middle of an interview make me more likely to be hired? If you are interviewing for a job as a magician, I would say yes.
You said give them a great time. I did, I did.
See here. Questions, questions, questions. You guys have questions. You usually have questions. There is a question for me. This one comes from Root. Randy, any advice on picking a cyber niche? Great question, by the way. Phenomenal question. He's torn between VR or sock work. There are local companies that can get intern referrals for both, but I think blue team has a better job market. That is a true statement.
Honestly, it all comes down to it doesn't matter what the niche. I would highly recommend going with something that you really enjoy. Okay.
Yes. While the. Okay, this is, this is a complex question to answer. I'm starting to lose my voice.
But.
The answer to this is, is complex because there's different strategies you can take. One strategy can be that, yeah, I'm not really passionate about X, Y or Z, but it's got a strong job market right now and I'm adept enough in IT and cyber that I could spin up and get, get handy with that really quickly and probably land a job there. And that gets me in. And getting in is half the battle. So even though I'm not necessarily like, blue team is the life for me.
It'S a great way to start. And there's, there's merit to that argument.
If you find yourself stuck there and you don't like it, you're going to burn out quickly. You're going to be like, oh, I hate this job. I hate doing all this defensive stuff. I hate looking at, I hate triaging, I hate, you know, watching my seam all day and alert fatigue and all the stuff that goes along with that. I want to move into something else and I'm having trouble doing that. It could happen. It does happen from time to time. So you gotta weigh the pros and cons of that. Of do I just kind of go into the thing that I'm passionate about? When you're interviewing, you're going to be more engaged, you're going to be more energetic, you're going to be more. That passion is going to show. Therefore you, you might increase your chances of getting a job in that space, but not necessarily right. There's a lot of X factors that play a part in getting into field. Maybe you are just grinding away at your job during the day and in your off hours, you are home labbing, you are Doing projects. You are doing resume building stuff for the stuff you really are interested in, in using that job as a springboard into that specific niche. It's another great strategy in which you can go, I've told people many, many times in many different ways, hey, you know what you can do? You can start telling the people you already work for in the job that you're not super excited about, that you would love to get into this space if they have that ability or that option. Does your company do this and just get like promoted within the organization to doing that? You gotta think everything is a strategy. You gotta weigh the pros and cons and that is very unique to you. It's a one size fits one solution. We can just give you generalizations on strategy and then you take what is good out of those and apply it to your situation. So that's what I would do if I was in your shoes. So hopefully that helps you find your niche and yeah, yeah.
Let'S move on. Like I said, I'll go over a little bit.
This one comes from Rochelle. Fine. What information should I focus on in trying to become a vulnerability researcher, man?
Depends on what kind of vulnerability research you're doing. So if you're doing like reverse engineering of code, obviously you're going to want to focus in on code tools like Ghidra and IDA Pro.
If you're looking at like web applications, it's a little bit easier. This could still be some code involved in that though, where you're looking at code for web applications. So it's going to run you JavaScript, PHP, Java, that kind of stuff. So it might change the code you're looking at and what it does, how it works, how applications are are built, looking for logic flaws and you can do dash security, right? You can just do like bug bounty hunting.
So the information that you should focus on is going to depend on what type of research you want to do. If you're looking to reverse web applications or find security flaws and web applications, you're really going to want to focus in on what goes into web apps. If you want to do software that goes on desktops, server software, that kind of thing, you're going to want to get handy with things like C C.
And the other.
Lower level.
Software. Oh man, I'm losing my mind. I'm like, I'm having trouble like catching my breath. Honestly, I'm talking so much I'm not breathing enough. So I'm going to take a deep breath and tell you that it is programming languages is the word I'm looking for. So there you go. Focus on those things. It's all going to depend on what niche you want to get into.
All right, let's see here.
Take a couple more, and we'll call it a day. Favorite it, Cyber movie or TV show?
I'm gonna go with.
Favorite it. Cyber movie. I mean, hackers is just fun. I know it's not, like, perfect or whatever, but it's a fun movie to watch, and I do find myself watching it from time to time. Mr. Robot was pretty good until it was weird.
But.
Cyber movie. Yeah, I'm gonna go with that. Chuck was pretty fun. Obviously science fiction. Heavy on the fiction, little on the science. Yeah, There you go, Nova. There you go. That's as good as science as it gets, right?
Let's see here.
Few more minutes left. Looking for questions. Looking for questions.
Pay YouTube. Can you strum the devil's chord on. On guitars for us in A minor? Yeah, I guess so.
A minor looks like this.
A minor chord. It's so sad.
That was fun. Thanks for asking that.
Let's see here. Terrence, Terence Tech. Is there still a ton of value in building out labs using Raspberry PIs? Of course. Just depends on what you're trying to do.
You know, I have a Raspberry PI right here. PI zero. You knew a lot of fun stuff with these things because they have the gpio pins and everything, Especially if you want to get into hardware. It's a great little tool to build little things. Build your own labs to do X, Y, or Z. Yeah, it still has value. I don't know about a ton of value. They are going to get much more expensive here very, very quickly. So if you're thinking about it, do it now.
All right, we got about.
Someone said sneakers. Nova was great. Is it still around? I have no idea, but I love that show.
Which cyber it. Which it or cyber TV show Movie was the most accurate? That's a tough one to ask. I think there was a movie called Black Hat, which was fairly accurate with Chris Hemsworth.
D minor is the saddest chord. Is it? It could be. I think it is.
All right there, kids. I think we did enough. Thank you so much for joining us today. We're gonna call it a lot of fun talking with you. I appreciate all your. Your input and just having a great time with you today. I will. I'll be back later this week, though. Got more of me because I got, by the way, if you want to check me out more, we got Cybercast after Dark is tonight. It is Wednesday. Ronnie Wong will be on my buddy, my friend, my pal, my co worker, my colleague. We're gonna chew the fat and have a good time. Hopefully I'll see you guys folks there. And I will have some more news for the next guest for Cybercast After Dark. It's a big one. It's gonna be a good deal. All right, everyone, thanks for watching.
And until next time, stay secure.
Sa.
Date: December 10, 2025
Host: Daniel Lowry (filling in for Gerald "Jerry" Auger, Ph.D.)
Podcast: Simply Cyber Media Group
Episode 1023 of the Daily Cyber Threat Brief delivers an energetic run-through of the day’s most crucial cybersecurity news, with host Daniel Lowry stepping in for Jerry Auger. The show balances expert analysis and accessible, engaging commentary, targeting professionals and newcomers alike. Daniel breaks down major security headlines—ranging from significant law enforcement actions and vulnerabilities to the rise of AI-driven attacks and ominous warnings about humanoid robots—injecting some humor and straight talk along the way.
[05:23–09:53]
[13:19–19:49]
[22:54–33:35]
[35:26–47:02]
[48:26–55:09]
[55:25–59:58]
[60:26–63:43]
[64:27–70:11]
| Segment | Timestamp | |-------------------------------------------|----------------| | Teen arrested for 64M records theft | 05:23–09:53 | | Telegram driving away cybercrime | 13:19–19:49 | | LLM poisoning via AI search | 22:54–33:35 | | React2Shell tied to North Korea | 35:26–47:02 | | Humanoid robot cyber risks | 48:26–55:09 | | Fortinet auth bypass patched | 55:25–59:58 | | Pegasus spyware complaint | 60:26–63:43 | | Castle Loader (malware as service) | 64:27–70:11 | | Q&A (Jawjacking) | 71:09–end |
Daily Cyber Threat Brief—the intersection of security expertise, real talk, and laughs.