Loading summary
Sarah Lane
Foreign.
Daniel Lowry
Well, good morning everyone and greetings. Welcome to the Simply Cyber Daily Cyber Threat Brief. I'm your host, Daniel Lowry. For Today it is December 31, 2025. This is the last day of 2025 and I couldn't be more happy than to spend it with you good folks here today. Thank you for joining me. I see a lot of cool people in the chat already. Great folks, the best, the most amazing folks. You never find any better people than what we have in our chat today. Who we got here we got find the true. I saw Phil Stafford, Joe Schmo, CyberSec JS William Dreyer, Sabertooth Sam, ad tech. Also we have in there Carrie Chasing of course. He's always there hanging out with us, bringing in the funny little jokes he throws at us every single day. Who else is showing up today? Brian Peak Space tacos. I think I saw Dan Reardon in there. So the, the, the, the haircut fish lurking about. But thanks everyone for joining us. This is episode 1037 if I'm not mistaken. Yes, 1037, 1037th episode of the Daily Cyber Threat Brief. For those of you out there that need this information because maybe you are new a welcome, make yourself known, say hello to some good folks there in the chat because they'd be glad to talk with you and converse with you about all the stuff we're going to look at today because that's what we're going to do. We're going to go through the CISO series headlines for today. There are eight of them because I can count because I have this many fingers. And that's after that I got to take shoes off and it gets weird unless I'm home because you know, country folk, we don't wear shoes. Then I can get up to 16. But after that we're gonna go through those, those articles. We're gonna and, and kind of give my hot take on those things my honest reaction opinion. I have not pregamed any of the articles that we have today. So we're going to go through each one of those, read those headlines, kind of see what kind of nuggets of gold we can pan from them, if any at all, because sometimes it's a dry well. We've seen it happen. We've seen it happen plenty of times. I think today's gonna, I feel good about today's headlines. I think we're going to get some good stuff out of it. The good news for you though is regardless of whether or not the headlines are awesome, is you get half a CPE and today is the last day to get a CPE or at least half a CPE for 2025. So take advantage. I know a lot of people like to comment and that kind of proves that they were there, but I think you just need to bookmark this or do so. I don't know exactly how you prove that you watch the show, because that is because I don't. I've never done CPE stuff before myself, but I'm assuming that if you do, you do know how to do that or you can find out how. Let's see, anything else we need to do before I get too crazy down the road. Don't forget to join us for Jawjacking after this show. So this show's going to go an hour. We're going to run up to the 9 o' clock ish. We may go over because time is what time is but and there's eight articles to get through and I can bloviate as you can tell. But after, after the daily Cyber threat brief is over, we'll continue on with Jawjacking for half an hour and it'll be a lot of fun. You can do AMA stuff with me, ask me questions, ask the chat questions and we can have a conversation. It'll be a lot of fun. That said, Jerry got to pay them bills. So Jer, we leave it to you. And now a word from our sponsors.
Sponsor Announcer
Want to give Some love to fortify 365 the Microsoft 365 configuration solutions from Barricade Cyber Solutions. Barricade Cyber brings you all the knowledge in the incident response form, but they are also quite adept at helping you configure and set those protection controls for your M365 instance. Go to fortify365.com today to talk to Eric Taylor and the team over at Barricade Cyber and make sure that you are taking full advantage of all the configurable security controls that you have in your M365 instance. Fortify365.com today also want to give some love and some shouts to Anti Siphon Training Holla holla holla at Anti Siphon Training, the group that is disrupting the traditional cyber security training industry by offering high quality cutting edge education at a discounted rate. For so many people out there. Their rates are insane. Some of their courses free or pay what you can. It's amazing. Go to AntiSiphon Training.com today. Check their upcoming live training, their on demand training, government and military discounts. I mean it's Absolutely crazy. I love it. Maybe not government and military discounts. I made a mistake. They've just aligned their training to the NIST. Nice framework. Also pretty awesome. Thank you anti siphon training.com and of course as always we've got Threat Locker kicking it. We'll hear from them and then back to the news. I want to give some love to the Daily Cyber Threat Brief sponsor Threat Locker do zero day exploits and supply chain attacks. Keep you up at night. Worry no more. You can harden your security with Threat Locker. Worldwide companies like JetBlue Trust Threat Locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about about how Threat Locker can help prevent ransomware and ensure compliance. Visit threat locker.com daily cyber.
Daniel Lowry
Well, all right, that was a long ending to but great stuff though. A lot of wonderful sponsors. We appreciate them. We will reach back out to that and give some more love to our sponsors when we hit the mid roll. But it's time, it's time to get into those articles for today. Shall we? I think we shall. Let's do it. From the CISO series it's Cyber Security Headlines.
Sarah Lane
These are the cyber security headlines for Wednesday, December 31, 2025. I'm Sarah Lane. Silver Fox Targets Indian users China linked Cybercrime group Silver Fox is targeting Indian users with phishing emails posing as India's income tax department to deliver Valley Rat, a modular remote access Trojan. According to research firm Cloudsec, the campaign uses DLL sideloading anti analysis checks and registry based persistence to enable credential theft and surveillance. Separate analysis from NCC Group found Silver Fox also running SEO poisoning campaigns and fake download sites, impersonating apps like Microsoft Teams and Telegram, while Reliaquest linked some activity to false flag tactics intended to complicate attribution.
Daniel Lowry
All right. This actually like I said, today's articles actually sound like they might have some really good information for us. And that little teaser right there made me very, very hopeful on this article. And it's our very first one, so thank you Ravi Lakshmanan. I think I got that right. All right. Silver Fox Threat actors target Indian users. Those users that are in India with tax themed emails. Gotta love that, right? Tax season comes around, you're not stressed enough now you gotta worry about a holes in their their a hollery and delivering Valley rat. And for those of you that may not know what a RAT is, it's a remote access trojan. Some people call it remot tool, whatever the case is, regardless, it gives them the ability to have remote access to your system. And it is the malle of the wares. Let's see here. So they're using a pretext which is it's tax time, right? They know people emotions are high. It's never fun to do taxes because, you know, there it's the government saying, hey, you owe us money. You're like, okay, I mean, cool. I guess I get it. You need to pay for services and things of that nature to make the government run. How much do I owe you? And they're like, well, that's up to you to tell us. You don't know? No, we know. We know exactly how much you owe. It's down to the penny. What happens if. What happens if I get that wrong? You go to federal prison. So people get a little like, oh, this is. This is crazy. I don't want to get in trouble. And so it's a really good pretext for malware and phishing lures, right? So we can see that right? There they are using nats, and then there's this remote access trojan called Valley Rat. They are dropping on people's systems. So it's a sophisticated attack leveraging complex kill chain involving DLL hijacking. That means it's taking over DLLs that are loaded. These are dynamic linked libraries that are part of software code. And they are hijacking them to basically insert their malware into that memory process and kind of fly under the radar. Okay, so already we're learning things, right? This is telling us this is how an attacker actually operates. This is good, right? Because now if we're going to do red team operations, we go, cool. Maybe I need to get handy with DLL hijacking a DLL sideloading attacks so that when I'm testing for the organizations and my clients that I can make it as realistic as humanly possible and we can see whether or not their systems are up to the challenge of detecting for and alerting to dll. And of course, blue teams can do it as well. They can go, okay, cool, we need to be on the lookout for a deal. How do we do that? Learn that and then start implementing those fences and those guardrails and those alert systems into your environments. So that's good, right? So far, chef's kiss, we love it. Yesterday. Boo. Right? Bunch of Bunch of junk articles so far we're off to a killer start. All right, so what else are they doing? A modular value rat to ensure persistence. Which means they can stick around. They don't even through reboots and things of that nature. Let's see here. I do like the Hacker News usually links to original research articles. So if you want to you can go to like where it says the names of the researchers and has this link to said that is the full analysis. So if you really wanted to get a good breakdown, Hacker News does a good job of, of giving you those so you can get the details on learning how and why and what is going on there. Hacker News is just trying to give you the Cliffs Notes version. So they're also attractive. Swim Snake, the great thief of valley or Valley thief. Did you, did you give yourself this name? Let's see here. Silver Fox is the name assigned to aggressive. Okay, that's great. A Chinese APT as a track record of orchestrating a variety of campaigns so getting a little bit of information about them. They range from espionage to intel intelligence collection to financial gain, cryptocurrency. So they, they do a little bit of everything. Do a little bit everything. Which means you know the sophistication of their attack chain and things of that nature lets you know this is most likely a state sponsored thing and this is their life, this is their stock and trade. These, these people in Silver Fox they eat, sleep, breathe, drink hacking. That's all they do. Which is why they're so good at it and which means that we got, we gotta up our game to be as good at it as well to the defensive side of things. So they're primarily focused on Chinese speaking individuals but they seem to have broadened to include some financial, medical technology sectors. So great, good to see them branching out in 2026. Right. Attacks mounted by the group have leveraged search engine optimization poisoning which means that like so search engine optimization, you have search engines like Google, Yahoo, Bing, so on and so forth. They scrub the Internet looking for specific keywords so that when I go or you go to a search engine you type in keywords, it knows exactly the best sites to return to you. Right. That's search engine optimization. So they're poisoning that so that they, that when you go searching for something about Indian tax forms or whatever or tax help, you're going to get their phishing pages instead of the actual stuff. Right. They're going to bump themselves up to the top of the list and that's what most people do. They Just click on the first thing. Don't do that. Right. I always a. I don't do the sponsored links. I never click on anything sponsored if I click remember to look for it but yeah, yeah, yeah. Let's see here. They've got a bunch of rats. Valley Rat Ghost Cringe holding hands rat AKA Ghost Ghost Bins Fun. The infection chain documented by Cloud Sec phishing emails contain decoy PDFs purported to be from India's tax department. Income tax department are used to deploy these this rats so be careful downloading any PDFs have a sandbox to open these things up especially if it's from. I mean honestly, you should just open everything in a sandbox. It's just, just what's up right there. No trust. Zero trust at all. Don't open a thing. Don't trust your friends, don't trust you. All right, let's see here. What is this? Present within the archive. Oh, present within the archive. I was reading as present within the archive. I'm like what is a null soft scriptable install system? It's not something I've ever heard of before NSIS installer of the same name taxaffairs exe which in turn leverages legitimate executable associated with Thunder exe a download manager for Windows developed by Zunle, a rogue DLL that's side loaded by the binary this is all about the side loading. Very, very complex stuff here. This is a great article. I'm. I am loving this article. I'd be surprised if anybody else touches this might be our, our gold star for the day. Valley route is designed to communicate with an external server, right? You got C2 Communications Command and Control implemented plugin oriented architecture. That's kind of cool. I mean boo to you silver Fox for the way you use it, but kudos to you for what you've built. It is impressive where you just have like it's a modular, it's plug and play, right? You go, oh, I need these capabilities. Let me just add those capabilities. I don't need those capabilities. I'm gonna go ahead and just take those on out. So you only use what you need in an ad hoc manner, which means on the fly, like oh, now I need this. So I'm gonna install it. I'm gonna, I'm gonna use this plugin just like you do in a browser or something. Allowing its operators to deploy specialized capabilities and facilitate key locking, cred harvesting and defensive Asian what was interesting though is how it was used, like grabbing the right clicks and snatching up The. The crypto stuff. Oh, good thing Jerry's not here. It'd be. You'd be like, did you hear somebody staring? Macaroni. Jerry's over in the corner with the lights off. It's weird. Registry residents plug in delay beaconing to allow the RAT to survive reboots, right? There's your persistence. So it's attaching itself into the registry in many and sundry ways, I'm sure. Lots of fun there. Here's the chain. Yeah, we'll let you go through that. We don't really have time. We got a lot of stuff to get to, and we're already burning the midnight oil here, as it were. This is a long article, but it's a good one, so I don't want to really, like, hand wave it. Too much disclosure comes from. Okay, great. Exp. Oh, look at this. Identify an exposed link management panel. That's always fun. SSL3 space used by Silver Fox to track download activity related to malicious installers for popular applications. I bet they hated to see that happen. They're like, who's the son of a motherless rat that left this exposed to the Internet? Someone's having a bad day at the CP ccp. I'm just going to tell you that right now. Whoever did this is not having a good day. All right, so let's see here. Used to track download activity related to malicious installers, including Microsoft Teams to deploy Valley Rat services. So, web page hosting, backdoor installation, installer applications. The number of clicks and download button on a phishing site receives per day. It's like their marketing thing, right? It's gathering metrics, cumulative number of clicks and download button has received since launch. They got to know which one works the best, and so they can recreate that magic, right? Bogus site, man. This has a lot of great information. I mean, good job. Hacker news. They really went down the rabbit hole on this. We don't really have much more time to continue on this. We got to move on. But this is a great article, everyone. I would highly recommend reading. This is probably, like, if you want to know about real cybersecurity stuff, that's the kind of articles that we need to see right there. That's the good stuff. Moving on, kiddos.
Sarah Lane
Mustang Panda deploys Tone Shell China Linked Advanced Persistent Threat or APT Group. Mustang Panda deployed assigned kernel mode rootkit driver to load shellcode and install a new variant of its tone shell backdoor. According to Kaspersky Research, the campaign targeted government entities in Southeast and East Asia and used a Stolen digital certificate, kernel level protections, and Microsoft Defender tampering to evade detection while allowing full remote access. The malware communicated over TCP port 443 using fake TLS headers, marking the first observed use of a kernel mode loader to deliver tone shell.
Daniel Lowry
Well, how about them Apples? It's. It's. It's a red letter day. I mean, we're. We're ringing in the new year, right, with some interesting articles thus far. All right, so Mustang Pana, China busy. China getting busy. They doing their thing right now. So people in Southeast Asia need to be on guard. Tone shell via signed kernel mode rootkit driver. Well, that is a scary, scary thing right there. Is it Mustang Band, A classic rock song says Elliot Matisse. Yeah, I think it is Mustang Panda, right? That's. I think. Yeah, yeah, spot on. Let's see here. China, China, linked apt Mustang Panda. All right. To load shell code and deploy its tone shell. All right, for those of you keeping score at home, as far as what shellcode is, it's just the hex representation of machine code. Okay. It looks like a big blob of hex values, but when you deliver that to a computer, it goes, oh, I know this. This is machine code. I know how to run that. This will be fun. Let me go ahead and interpret it and deploy this. Be great. So they got this tone shell back door. Let's see what we can learn. So their Mustang Panda, also known as Honeymite, Camaro Dragon. Oh, I know Camaro Dragon. That's how I know them red delta bronze presidents. Was observed using assigned kernel mode root. So this whole signed kernel mode thing, that's kind of freaky. And it's a root kit driver, so that's what's up. So a kernel mode driver means that it's getting down into the kernel, which has full system capabilities, right? It. It is. It is. The engine that runs your operating system is the kernel. And if it's signed, that means it's trusted. I don't know how the heck they got that, but they did. And since it's a rootkit, that means it's dug in like an Alabama tick. Says Jesse Ventura in the movie Predator. And that means it ain't coming out easily. Usually this means, like, you are blasting your entire operating system reinstalling, Hope you got good backups, and that they're not infected. Right. So they've been around since 2012, okay, going after American, European entities, but today they are after the Southeast Asia. Right? Right. There it is on systems in Asia, Kaspersky doing the research. Yeah. So here's how they got that. That's how they got that signed business. They have a stolen or leaked certificate and they installed it as a mini filter driver. Its purpose is to protect malicious components and inject a backdoor into the system process. Right, because if it's signed and it's coming through a signed door, it just trusts what it is. It's like, no, I'm cool, dog. I know someone. My friend's friend from the gym. We're tight like that. It's like awesome. You're good to go. The driver file assigned with a digital certificate from this Guang. I. I'm not even gonna try King Teller technology with a serial number. So if you're looking for CTI and you're looking for those indicators of compromise, that might be something you might want to check into. Make a note of. Certificate was valid from August 2012 to 2015. So it's an old one. That's always fun. We found multiple other malicious files signed with same certificate which didn't show any connections to the attack described in this article. Therefore, we believe that the other threat actors have been using it to sign their malicious tools as well. Sharing is caring. Everybody's got the same one and it's working. So rock and roll. The final payload is a new variant of the tone shell backdoor. Dude, is that. Is that like a. Okay, that's just an article. I was like it. This isn't like in GitHub or something, is it? I mean if it is, I'm gonna go play around with it. Which enables remote access, command execution, hands on keyboard stuff. Don't. Shell is linked exclusively to the Mustang Panda APT targeted governments. Yeah, we got that. You're starting to. You're starting to repeat yourself here. Security affairs. Let's. Let's get to the goods. Malicious driver. Ok, again, for those of you keeping score and you're looking for this in your systems for project configuration sys installs itself as a kernel mini filter contains two user mode shell codes that execute in separate threads. It Dynamically resolves window APIs using hashed values to hide its behavior. So some obfuscation is being done there. So you can't. It's not like going, hey, I'm here and I'm doing stuff. It's like I am. Am I here? Am I doing things? I don't even know, do you? Then it injects tone shell into a system process or system processes. Deliberately. Okay, what do we got here? Man? It is. These articles are so like, you know, if you don't pray for patience, man, because then you'll get it in like goo gobs. Just a torrent of the things that will help you have patience will show up. Yesterday I was like, these articles are so finicky. Not today. I don't have time to get through all these. All right, so the big deal is, oh, there's Jerry again. He's going crazy. Just, just scroll past it, right? And it'll help him with his problem. So it's a multi stage, which is not uncommon. You get your loader, it injects your shell code. Shell code starts to reach out to grab another stage. Maybe that stage reaches out to grab another stage. It's just trying to like keep flying under the radar and communicating with C2 over raw TCP port 443 with fake TLS 1.3 headers and encrypted payloads. So the payloads are encrypted, but it doesn't seem to actually be using TLS as its encryption because it's using fake TLS setters. Or are they trying to say that it is using TLS but it's faking? What's the, what the headers say? I, I'm not really sure on that, but yeah, there you go. Lots of really good information in this article as well. I, I hate that we've got such good articles, but I gotta blast through because we only got like five minutes till the mid roll and we got two articles to get through. It supports file transfer, remote shell access, session control and control. Yep, gives you all the things. High comps. The activity described the report link to a honeymite threat actor. Okay, so definitely get your, get your thinking cap on when it comes to tone shell. Start learning what you can about. Like this is where you start really threat modeling. Mustang, Panda, Camaro, Dragon, however you like to call it. And this specific campaign. Good stuff. Next one. Moving on.
Sarah Lane
Will prompt injection ever be solved? OpenAI says prompt injection attacks against browser based AI agents like ChatGPT Atlas may never be fully eliminated. After internal red teaming uncovered a new class of attacks that can hijack agents that during routine web workflows, the company shipped an update with a newly adversarially trained model and stronger safeguards, but warned that agents with access to email documents and web services are inherently higher value targets.
Daniel Lowry
Okay, well that's not a scary headline. Welcome to the end of the world as we know it. Because a prompt injection is never going away. I mean, you think about most cybersecurity attacks. I don't know many of them that have necessarily gone away. We just either stopped using that type of technology per se. I mean, there are some fixes for things, I guess, now that I'm thinking about it. But like, SQL injection is still a thing that's been around a hot minute, right? So, I mean, but if we get to super intelligence, won't. Won't AI be able to solve the problem of prompt injection? And then, you know, it'll be whatever. So here's, here's Sammy Altman doing a Sammy Altman thing at the Moscow and Center in San Francisco. I've been there at Black Hat. Anyway, warning prompt injection techniques that hides malicious instructions inside ordinary online content is becoming a central security risk for AI agents designed to operate inside a web browser and carry out tasks for our users. So this is just going to show you right now that while yes, creating AI agents is awesome, you are now expanding your attack surface because they are part of it. They have a real problem with threat actors out there and malicious people going, oh, cool, you know what's happening? There's a bunch of AI agents doing a bunch of AI agent stuff. And because it's AI, there is a prompt. Guess what I can do? I can just stick prompt stuff inside of my rando content, my regular content. And when it sees it, it'll go, hey, a prompt. Cool, let me do that. And that's basically what's happening here. So a company said that it recently shipped a security update for chat GPT Atlas after internal automated red teaming Uncovered. And this was automated red team. This wasn't even like clever real people of red teaming. This was just automated stuff Uncovered what it described as new class of prompt ejection attacks. So how many times do we hear AI is not as good as, as real people. Real people are the creative ones. And yet here it is discovering a new class of prompt injections. I mean, that seems pretty good, doesn't it? Maybe I'm wrong. The update included a newly adversarially trained model along with strength and safeguards around it. So are you telling me here that Maybe companies like OpenAI and Meta and Google and so on and so forth, that they have models that are way more trained than what we have access to? Is that happening? Maybe it is. I don't know. Is it, is it possible that that's occurring? Who knows? OpenAI description of Atlas emphasizes that in agent mode, the browser agent views web pages and uses clicks and keystrokes just as you would. Just as you would letting it work across routine workflows using the same content. Right. This is an agent. You don't have to describe to me what an agent does. I get it. Convenience also raises risk. Yes. Because that's what convenience does. I. I don't know. I've taught this many, many time and many, many of security plus pen test plus license plus, you know, and various cissp. Ce, you name it. When we start talking about security, it is a scale. On one side you have. Oh, here we go. On one side you have security. On the other side you have convenience. When one goes up, when you go, I want more security, what happens to the convenience? It go down. It becomes really difficult to use. I don't like that. Okay, cool. Give me more convenience. Oh, look at that security. It's just dropping out the bottom there. That's typically how it goes. When you have convenience, you raise the risk. A tool with access to email, documents and web services can become higher value target than a chatbot. No, no, you don't say. We didn't think of this. Like, how long have we been doing this? This is the problem, kids, is we dumb. We dumb. We dumb, dumb dummies because we do not learn. It's like, let's build something and just put up two middle fingers to security. Let's just make something cool and then release it into the wild and go look at it. Oh, it's devastating populations of things. Oh, why did not. Yeah, it's like in inviting a new species into a place it's not native to and watch it become extremely destructive. Oh, my goodness. Ah, tech grid. Said Daniel with the subtle 67 reference because the. Yeah, you guys are funny. Let's see here. So this makes AI security especially important. Oh, man, I'm already past midroll. We got to get into this. All right, so what are we going to do? Continuously building and hardening defenses against emerging threats. Yeah, duh, Agent. In the browser paradigm, prompt injection is one of the most significant risks we've actively defend against Delphinsure. Jackie. BT well, heck, where's the AI that fights the AI? Just put AI against AI and then watch them destroy each other. That'll be fun to find weaknesses before they appear outside the company. OpenAI says it will build an automated attacker using large language models and train it with the reinforce. That's not scary, right? So. So we're gonna build an intelligent attacker that's automated and we don't really know how it works. Probably Right. Is this where the next thing you know I'm getting a knock on my door and I Hear. Yes, right. Is that what's gonna happen? Is this the beginning? Did we just read the the article of that? These pesky humans. I'm just having fun. I'm just having fun, kids. Doom and gloom is funny to me. Anyway, OpenAI detailed the blog post. Okay. Really cool. Counterfactual role. Oh, goodness gracious. We're getting into philosophical arguments here of how the target agent would be if it encountered a malicious. Content simulator returns full trace of the victim agents reasoning and actions. The attacker uses this feedback to refine the attack through multiple rounds before settling on a final version. Open AI says as internal access to the agent's reasoning gives it an edge. Okay, well, good to know that you have that access. Whoa. That was an accident. Thanks, mouse. My mouse just went nuts. So they have a demonstration they can show you and there's a link to Watching it that might be interesting. Could surface during ordinary work, but in the scenario, the automated attacker plants a malicious email in the user's inbox containing instructions directing the agent to send a resignation letter to the user's boss. When the user letter, the user later asks for the agent to draft an out of office reply. The agent encounters a malicious email during the workflow, treats the injected prompt as authoritative, and sends the resignation message instead of writing the requested out of office note. So, yeah, this is. This is an interesting article, man. We have a strong foundation of measuring growing capabilities, but we are entering a world where we need more nuanced understanding and measurement of how those capabilities could be abused, how we can limit these downsides. But you see, the problem is that we built the thing and then released it on the public before we were like, hey, let's do like a test bed on this. And then that way we can start looking at possible security concerns around it and then, then we can add some security. So we're already kind of secure out of the gate and then go from there. I'd write, I'd like to start with security and not kind of like go, all right, security people, let's catch up. And we're already back there hauling all the other crap we've been trying to do for years. And you're like, you throw this on me, right? It's like you're drowning and someone tosses you a baby. Thanks. Appreciate it. AI I hate AI I'll use it, don't get me wrong, but I flipping hate it. All right, one more article than the mid roll, because, yeah, we got five minutes and I'm. I'm. Well, over time, we are past the mid for the mid roll, but whatever.
Sarah Lane
U.S. cybersecurity experts plead guilty to Black Hat ransomware. Two former cybersecurity incident response professionals pleaded guilty to Black Cat ransomware attacks against U.S. companies in 2023. Ryan Goldberg, a former Signia incident response manager, and Kevin Martin, a former Digital Mint ransomware negotiator, is admitted to extortion conspiracy after breaching multiple organizations and demanding ransoms ranging from 300,000 to $10 million, with at least $1.2 million paid by one victim. Prosecutors say the pair used insider knowledge to join Black Cat as affiliates and now face up to 20 years in prison.
Daniel Lowry
So a holes of all a holes, we have them today, kids. At least they got arrested. Two former employees of a cyber security incident response team. Goodness gracious. Right? This is why we can't have nice things, because people are trying to, like, thread the needle on being good and best. Like, hey, I make money in my day job being a cyber defender, trying to. Trying to help on the back side. I'll, you know, extort people. It's like, bro, all right, good news is, is that we. We busted them. They've been busted. They've been charged. It's time for. And they have pled guilty to conspiracy. They are going to federal prison. 20 years, baby. Oh, man, I hope it was worth it. I hope it was worth it. And, you know, say hello to your cellmate for me. I hope you guys have a great time and that your relationship is, you know, one of equals. One of equals. Together with the third accomplice, two Black Cat ransomware affiliates breach the network of multiple victims across the United States. You know, just enjoy prison. That's all there is to it, man. Enjoy prison. Goldberg is a former Signia incident response manager. You guys, you know how, like, certain people go to prison for certain things that were really heinous and. And they don't have a good time in prison. You know, these people are probably going to a white collar prison. You know, they're not violent offenders. I get it. But there should be, like, the. Some similar, maybe not experienced, but hazing that goes on for people that do this that, like, steal grandma's money because they're ransomware people anyway. Ransomware is horrible. And their extortion as the inner victimizes innocent citizens every bit as much as taking money directly out of their pockets. Yes, it does. Their alleged victims include Maryland pharmaceutical Company, a California engineering firm, a Tampa medical device manufacturer, a Virginia drone manufacturer, a California doctor's office. I mean, come on, dude. Well, they have demand ransom from 300, 000 to 10 million bucks. They were paid only 1.27 million bucks. So that means they weren't even like. Right. Because they're part of Black Cat. They only got X amount of bucks. Now, of course, they also got X amount of bucks from all the other hacks that they were not a part of because they were part of that group. Whatever, man. Enjoy prison. Have a great time, and I hope you learn your lesson. And when. 20 years. When you get out. If you get out. I mean, I don't know how old they are. Assume they're probably younger. Yeah. I don't have much sympathy for you, so there you go. All right. Marcus Tyler, I just saw your. Your comment, which I will not repeat, but. Yes, yes, yes, you had a very bad man. Let's hit this. It's time for the mid roll. I have no music. Hey, hey, hey, hey. Right there you go there. Let's thank our sponsors today. There's Jerry's lovely face. He's staring at me. His. His eyes. His gaze is just burning holes through my head. But we'd like to thank you, Barricade Cyber Solutions for all that you've done for the show. We'd like to thank Threat Locker and Delete me as well. Don't forget the good folks over at Anti Siphon and Flair for sponsoring these shows, making it possible for you and me to get together and read these headlines and have a good chuckle at their expense. Now, I haven't been doing this, but I think that there is. Yeah. No copyright strike today. Right. Everybody's singing it in their head. Right? They're just. Yeah. I don't know all of the words. I just know the one part. I do have a guitar. I have nine guitars, actually. Is it nine? I think I got rid of one. Maybe nine. I don't know. I forget to count now. But we used to. Jerry usually does things. And I think on Wednesday he does Worldwide Wednesday, Right. So hit it. Let us know where you're from. Go ahead and check on in from wherever you're from. That'd be cool. It is kind of cool to see, like, oh, look at someone from Botswana or whatever, you know, Like, I don't. I don't typically get to talk to people from Botswana or know that they are listening to anything that I have to say. So that's interesting. Says New rule. Daniel shreds a guitar solo part of the mid roll. Maybe I'll do that. I actually came up with music for Cybercast IRL intro. But Maybe I'll give it to Jerry. I don't know. Let him do it. Let him have it. I don't know. That would be his vibe, you know what I mean? I told him me and him were talking one day and it was like, there's something about that song in your mid roll that just hits. So I don't know what he's got to do to get some copyright for that. So he can play it or he just keeps blasting the copyright and doesn't care. All right, let's see. We got some checking in. Gulf Coast, New York, Illinois, Pensacola. What's up? It's cold today in Florida. Took the dog out this morning. It said real feel was 26 degrees. You don't have a map. Sorry. California. More Florida. More California. Dirty jers. I like it. Israel. Checking in. Shout out to Botswana. Yeah, good. Good morning, afternoon, evening, wherever you're at in Botswana. Around the world. Around the world. Chicago, we got Philadelphia. Dublin. Ireland. Ireland. Ireland, right. I don't know if that's the correct way to do it, but I always heard that if you want to do it, an Irish accent, turn all your eyes into always like oil and you're good to go. New York City, Winnipeg, Canada. Lots of cool people from lots of cool places. Grand risings. Cyber or shinigami? Cyber Shigami lurking around, are you? Hi. From Mars. Well, that's a. That's a new one for me. Good to know we have Martians watching us. Minnesota. Oh, yeah, there's old Steve Young. How you doing there, Bob? Good to see you there, Bob. What about the playing the slow part of Freebird during the mid roll? Yeah, I could do that. I could play this fast part of Freebird, but the slow part would probably be better, actually. Tuesday's gone. Would be better, I think for Jerry's show. Tuesday's gone. Got Virginia, we got Denver. We got Michigan. All right, looks like South Dakota. It's a warm one today. Australia. Nigeria. Niagara. Not Nigeria. Nigeria. Canada. It's a weird like portal through space and time where they intersect. More Florida. Atlanta. We got Houston. All right, this was fun. This was super fun. Thanks for checking in, everybody. Let's get back. We got to get. We got to let the cyber security headlines from CESA series do their thing. So let's.
Sarah Lane
Huge thanks to our sponsor Threat Locker. Want real zero trust training? Well, Zero Trust World 2026 is going to deliver hands on labs and workshops that show CISOs exactly how to implement and maintain zero trust in real environments. Join us March 4th through the 6th in Orlando plus the live CISO series episode on March 6th as well. Get $200 off with ZTW CISO 26@ZTW.com Cyber security acquisitions surpass $1 billion. Security Week reports that in 2025, cyber security saw a wave of consolidation with eight deals surpassing $1 billion and a total of more than 420M and A transactions valued at over $84 billion. This includes Google's $32 billion acquisition of Wizard. Palo Alto Networks is $25 billion deal for Cyber Arc ServiceNow's pending 7.75 billion acquisition of Armis and 1 billion for Veza and Francisco Partners 2.2 billion dollar buyout of Jamf.
Daniel Lowry
We are spending money on the cyber security apparently $84 billion just in 2025. You know, that is an interesting. By the way, we need to speed run these because we got four articles to do and 15 minutes to do it. So we're gonna hit the highlights on the rest of these and then we can do some jawjacking. But man, that's a lot of money. You know, I had somebody ask me on an AMA one time, do I think that cyber security is still really a thing or is it just a commodity at this point? This makes a strong argument that it is just a commodity. Because I mean, are we really seeing a. Are we winning the cybersecurity war by spending all this money or is it just. Is it the cyber security and industrial complex at this point? Right. That's a question you got to answer for yourself. I don't know that I got the details to answer that question myself either. But something we definitely need to be thinking about. And if it is that, how big of a problem is that? If that is a problem and then what can we really be doing to solve the cyber security problem? I. I don't know. I wish I did. If I did, I, I would be making all this money and that's never going to happen because I'm. I'm not that charmed. All right, so man, they spending some money up on some cyber this year. My goodness. 32 billion all cash deal for whiz. That. That's huge. I mean that's almost half of the entire. Like, what was so great about Wiz that Google needed to acquire? See, this is what you got to start thinking about. Like what was Wiz doing that was so awesome? What, what cyber security thing is whiz up to? The last time I checked, they were security research firm. Why did you need to purchase them? What does that do for you, Google, right. While wiz will help go. Okay, here it is. Expand Google cloud enhance its Internet giant says whiz products will remain accessible across major cloud platforms. But why does it need Google money to do that? I remember that like Google tried to acquire them once before and they said no. And they grew and they became even more valuable. Right? So it's like, what is making these things so attractive to. So Palo Alto acquisition of identity security firm Cyber Rock for $25 billion. Why do they need that? What like recently approved the deal that marks Palo Alto's formal entry into identity security space. Like, so I guess their thought process is instead of reinventing the wheel, it's just by the people that are doing it the best. But here's the problem with that is that the more you consolidate under one roof, the less distributed it is and the more that you and I are beholden the just Palo Alto and Googles of the world. You know, I'm not necessarily throwing any shade on Google or Palo Alto, at least not in this conversation, but is that the world I want to live in? Is that the world you want to live in? Where. What if Palo Alto decides they don't like me no more and they're. They got all that hot identity security and now I, I don't get to play that game because they said, no, I don't like that. Right. Distributed more competition that drives prices down. The more competition we have, the more it benefits the consumer. Right? Yeah. DJ B6 said, Remember Google also bought Mandia. I remember that. I was like, whoa, Mandia just sold to Google, right? They're just trying to have all the things, are they? It does seem like it. It does seem like it. Crazy stuff here, man. So with all these acquisitions, look for, look for companies and, and, and that becomes the business model, right? Is to create a startup, make this really awesome product so that you can go to market and sell it. And then what happens to the all the people that love that product, they get to go along with the now much crappier version of it after it gets sold. Because invariably that's what happens. Homie, don't play that. That's right. All right, next article. Think about it though. Think about it.
Sarah Lane
CSA issues alert on critical Smarter Mail bug. The Cybersecurity Agency of Singapore or csa warned of a critical remote code execution vulnerability in Smarter Tools. Smarter Mail. The flaw allows unauthenticated attackers to upload arbitrary files, potentially executing malicious code on affected mail servers. It impacts Smarter mail versions build 9406 and earlier and has been fixed in build 9413 with build 9483 released in December. Recommended for full protection.
Daniel Lowry
All right, how many of you are spinning up a virtual machine today with Smarter Mail and seeing if you can play around with this or at least this week, right? You got some time off. This could be a fun little project for you and a great thing to put on the resume, right? Like, oh yeah, I did this write up on where I built this whole thing where the Smarter Mail mail server had this critical vulnerability on unauthenticated rce. So I built the whole lab and show the exploit chain and so on and so forth. Like that could be a fun little project you guys got going on. So I would recommend doing it if possible. If possible. I don't know how much of the information is available for you to be able to do that, but at least you know where to get started. It is possible that it could happen. So if you got that Smarter Mail, you better do that update thing because let's see here. Here's the CVE. Oh man, it gets a CVSS score of 10. A 10. Getting 10, right? The vulnerability track to CVE 2020 552691. I did read that correctly. Dyslexia did not kick in that. Carrie. CV says 10. So you upload some files, it could enable a code execution without requiring any authentication. And that is the scare bear that just showed up to the party. I got a guy outside my doing a lawn service today. It's 26 degrees. My lawn has not MO. Hasn't grown in a month. I guess he's like, oh, you're paying for the service. I guess I'm gonna mow your lawn. Like it's just wasting your gas, dude. Successful exploitation of the vulnerable of the vulnerability could allow an honest guy. Yeah, we got that. I hate when they do that. Stop reiterating. Just you told us that already. Vulnerabilities of this kind allow the upload of a of dangerous file types that are automatically processed. Ok, that's good information. What are the dangerous file types? This could pave the way for code execution. Upload a file is interpreted and executed as code. In this case with PHP files. So there you go. You could possibly upload that PHP file and it go cool myself. I have a PHP web shell. So you're saying I could possibly upload my own PHP web shell and then I have code execution through that. That sounds bad. So be on the lookout if you are. If you do have this, what's it called again Smarter Mail. If you do have Smarter Mail, you're going to want to be looking for PHP files that you don't recognize. So which assumes you already have a baseline of the files you do recognize. Just if you can't rec. You can't not recognize something if you don't know what it should look art like. You get the idea. I gotta know what it looks like before I could tell what it's not supposed to look like. That's what I'm trying to say. Smarter Mail is an alternative to enterprise collaboration solutions like Microsoft Exchange. You're not supposed to be using that anyway, right? Supposed to be going into the cloud. You're not supposed to have on prem Exchange because that's, that's a problem offering features like secure mail, shared calendars and instant messaging. But you know, using something like Smarter Mail would get you away from the big red machine that is Microsoft. Just saying. DJB6 says I wonder if you can block php attachments and file uploads. It is possible, but that might not necessarily work. It could work, right? That would definitely make it more difficult, let's put it that way. So absolutely you should do that. But a lot of times like when you learn about getting remote code execution, especially when you have File read, if you have like a file file inclusion vulnerability where it's reading that file, it doesn't matter that it's not labeled php, it could still execute it if that file is being read by a PHP file. So just depending on what the. What the actual security looks like or the. The kill chain and how things work under Smarter Mail we'd have to really deep dive into the research on that. But really interesting. So there's your builds. If you got this build which is 9406 and earlier, you need to go ahead and update to at least 9,413 which was released in October 9th. Hello. All right, cool stuff. Moving on. Great, we're at the end of that article. Moving on.
Sarah Lane
Hit it. KMS Auto MALWARE Suspect arrested a 29 year old Lithuanian was arrested for spreading KMS auto malware that infected around 2.8 million windows and office systems worldwide. The malware disguised as an illegal Windows activation tool contained a clipper that monitored victims clipboards for cryptocurrency addresses, then replaced them with attacker controlled wallets. Investigators traced 3,100 compromised wallets used in 8,400 transactions totaling roughly 1.7 billion won. With eight South Korean victims losing 16 million won. The suspect was extradited From Georgia to South Korea under Interpol coordination.
Daniel Lowry
Say Juan, what Lithuanian national that. That is not something you see every day in the headlines that the Lithuanians are hard at work. Arrested for allegedly spreading CUS auto malware. So I mentioned this earlier and this goes to my point yesterday that a lot of these articles kind of bleed together because it's like insert threat actor, insert breach, insert organization, insert thing. It's, it's basically the same kind of thing. So we've got some malware that got deployed. I mistook the first malware we did with this one because I did hear this as I was going through and writing down the timestamps for to start and stop. This is an interesting thing though. I will say that, that what this does is like it's just monitoring your clipboard or it's taking over your clipboard so that when you copy things into your clipboard, it is scrubbing it for like wallet information and then replacing it with its own. Right? It rejects your reality and replaces it with its own. So this guy, it was a crafty little hack. I'm not gonna lie, man, that's, that's, that's interesting. Authorities say he Trojanized KMS auto piracy tool to distribute clipper malware that monitors victims clipboards for cryptocurrency addresses and then replace them with attacker controlled wallets, redirecting crypto transactions without the user's knowledge. Boy, that crypto is really. Everybody's stealing crypto. I guess it's, it's easier to steal than, than like bank money or you can just do ransomware, right? That's, they love that. I, I wonder how often I hear that the financial institutions really like, they're, they're pretty good at cyber security. Let's all take a, take a, a lesson out of their page, right? Oh man, I still got one more to go in. I have two minutes. All right, so they got this guy. He was busted. I mean there's not much to this, right? Other than some of the more details. You got about 1.7 billion won, right? Eight South Korean victims lost 16 million. Juan, I think that's how you say that. That's like, that's how Sarah Lane was saying it. I mean, so he got some moolah. Boy, Jerry's having a day in the corner by himself today. Any. Oh, look at that. 17 billion KRW worth of 14 types of virtual assets. I mean the dude was successful, there's no doubt about that. So. Yeah, so if you got that cryptocurrency, man, be careful. How did it, did it say how he got that stuff into their system? How was he spreading the malware? Oh, through the KMS auto piracy tool. Oh, that is funny. So people out there looking to steel Windows, right? A license for Windows operating system to the KMS auto piracy tool. They got a little extra in their stocking this year, right, Because Lithuania clause showed up and said, yeah man, you don't need that KMS auto piracy tool. I got you covered dog. Here you go. And they're like, thank you man. Ah, Windows 11, you suck so bad. And now I can pirate you. Muhaha. He's like yeah, yeah, don't forget to get that crypto wallet going on. I've seen it a million times. It's always kind of funny. It's like when, you know, people rob drug dealers or something and what are they gonna do? Call the cops? So I was selling all these drugs, right? And then this dude showed up with a gun and he was all like, give me the money in the drug. I was like come on dude. And then they took it. And I'm like what? And they're like yeah. And I'm all oh. So I would. I mean the people that got robbed from were stealing. So there's a little funny kind of like irony to that. Anywho, next article. Let's do it. Last one.
Sarah Lane
ESA confirms external servers breach. The European Space Agency, or esa, confirmed a breach of external servers hosting unclassified collaborative engineering data. Threat actors claimed access to ESA's Jira and BitBucket servers for a week, allegedly exfiltrating around 200 gigabytes of data, including source code, CI, CD pipelines, API tokens, configuration files and credentials. ESA says only a small number of external servers were impacted and it had started a forensic investigation while notifying stakeholders.
Daniel Lowry
It's like we heard this article yesterday, didn't we? Didn't we hear this article yesterday? Oh no, it was like six other articles, but they were very similar. Insert organization, insert the word breach. Insert the words. No customer data. Insert the word. You know what I mean? This is one of those articles, unfortunately. This was European Space Agency. They have confirmed that they were breached servers outside its corporate network which contain was described as unclassified information. Sure it was. I'm sure there was no classified information at all. Or that the unclassified information doesn't lead to any classified information to something like a side channel attack where you kind of discern through, you know, saying well if this then that then it was inductive reasoning funded or founded 50 years ago. Who cares when it was founded? It doesn't matter what's what matters or how much money they have. That doesn't matter. What matters is how did the breach occur? What were you doing? How did you detect? What are the indications? Like how can we, if we're a space agency or an aerospace agency, keep this from happening to us? I know that they all like share information between each other a lot of times on the back end of things, but that doesn't really help the world at large, I don't think. In my humble opinion. Oh man, we're out of time. Okay. Following claims are threat actor on the bridge forms hacking forums breach some of ESA servers. Yeah, they did. They choose screenshots as proof their JIRA and BitBucket servers for an entire week. ESA is aware of recent cyber security issue involving. Yeah, thanks for telling us that. You already told us that. Only a few small number of. Yeah, well tell us how you know that. That'd be great. They said only a very small number of external servers may have been impacted. How do you know that there, Bob? How do you know? Give us the deets. These servers supported unclassified Again, how do you know? ESA says already notified all relevant stakeholders of the security breach and will provide further updates as soon as I'm sure. And it'll come in some like janky email that gets hit into the spam folder. No one will ever see it. While they didn't provide any details about which servers were breached, the threat actors, they claim to store over 200 gigabytes of data after breaching the European space. Yeah, yeah, yeah, and there's the screenshot, there's the, the receipts right there. And that's, that's how we know. Because the Dark web forums are like hey, we breached you. Hahaha. What is this? So they allegedly stole stolen data. Includes source codes, cicd pipelines, API tokens, access tokens, confidential documents. So we got the ESA saying no, nothing confidential or really bad was, was taken. And then we got the Dark Web people going nah dog, it's, it's worse than you're letting on. Here's what we, we're telling you. We stole terraform files, SQL files, hard coded credentials and more. I mean, come on, right? An ESA spokesperson was not immediately available for comment. When contacted by bleepy computer, you don't say. And it's not the first time they've got caught with their pants down. One year ago, right before Christmas, they had a web shot shop hacked malicious JavaScript code and yeah, all Right. I would be very leery about doing business with them. All right, kiddos, that is the show for today. But good news, good news. We will have Jawjacking up momentarily. So let's get to it. It is 905. Thank you for joining us for the Daily Cyber Threat Brief. I hope you've enjoyed today's show. You learned a little bit from it. We're now going to move on to an AMA called Jawjacking. We'll be back momentarily with that where you get to ask me and others questions and we get to converse with each other. Be back in just a moment.
Sponsor Announcer
Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning question questions about the cyber security field. Live, unfiltered and totally free. Let's level up together. It's time for some Jawjacking.
Daniel Lowry
What's up, everyone? Welcome to Jawjacking. We just got done reading a bunch of crazy, actually decent day of articles in my estimation on on the Daily Cyber Threat Brief. I have a couple things I actually want to run down a little bit further. Maybe even have some fun, play around things, get some hands on. That could be a good time. Hopefully you enjoyed that. Kind of petered out there at the end, but we started off really strong and then kind of walked across the finish line. We were sprinting out of the gate and then. Yeah, but hey, I like djb. Say, and we're back. Yep, we are back. But this is Jawjacking. This is an ama. You get to ask me questions. Make sure if you have a question, throw a big Q in front of it. That way I can see it from the rest of the chit chat that's going on in the chat. Not that I don't love that. I certainly do. And yeah, first question of today is, is there a stream on Friday? Great question. There will be a stream on Friday. There will not be a stream tomorrow. So thank you for reminding me to tell people that. That is a great question. The articles had blown my mind so much I just forgot to mention it. But that's what we got ad tech in the house for. To remind everybody. So the Daily Cyber Threat Brief. There will be nothing tomorrow. There will be no Jawjacking tomorrow. It is a day off for everyone. It is the new year. It will be the first day of 2026. Enjoy. Have a great time tonight. Please drink responsibly, call an Uber, a cab, a ride share, whatever you need to do. Do not drive while intoxicated at all. I have loved ones that are out there. I do not want to see you or anyone else get hurt. So there's my PSA for today. My hand is really cold. It's like keeping it away from your body makes it lose blood flow. I'll do this. I'll switch hands. But yeah, yeah, that's. That's a great thing. But Friday we'll be back and it will be me. Jerry will not return until next week. So I will be doing daily cyber threat brief on Friday. And Jawjacking is well. And Cybercast IRL will be on Friday as well, just to pitch my own stuff. All right, let's jump in here. Let's find those questions. Questions. Where for art thou questions? Just have to make sure I catch up with everyone here. Here's one. Booyah from Arty. Do you think privacy as a pre. Do you think privacy as a premium should be a business model or should it come as baseline? Baseline, like privacy should not be like. It should just be like standard operating procedure. My privacy is not a commodity. It's a right. I. I believe that privacy is a human right. Let's see. Here's one from Space Tacos follow at Tech. Will you be living on live stream on Friday? Yes. And Cybercast irl. Yes. Thank you for following up with that. Space Tacos. I look forward to seeing you there. This one comes from Cryptic Roses. What's the best techniques you guys use for cybersecurity research? Well, it just depends on what kind of research you're doing, right? If you're doing web applications, if you're doing, like, software applications, if you're like, again, if you're doing hardware hacking stuff, it all depends. So that's a kind of a subjective question. I would think that most people that are looking for software vulnerabilities, they're fuzzing out things like buffer overflows or like logic flaws, whether or not there are injections, things of that nature. They're using tools like as simple as strings, which will give you all human readable strings that are in a binary. What else are they doing? They're looking for injection points. They're fuzzing them with data, seeing if they can crash the application. You're building a lab at home. So I'm just kind of giving you one for instance. By the way, this is not the end all be all of how to do this. You're going to fuzz the application out. You're going to try to decompile these applications using things like IDA Pro or ghidra and looking through the code for how it flows and if there's any kind of mistakes that were made, maybe they're using some pro, like I say, you know, problematic coding practices, you know that, that are known to have security issues and then attempting to exploit those. And if you're fortunate enough to make that happen, then you crown, you come up with a poc. You run that down to the responsible disclosure form for whatever organization you're, you're hacking for or researching and start doing due diligence with them, get into contact with them, help them work through it, help them. And they should be coming up with a patch and then you submit that to Miter, get your CVE and you're good to go. So with a web application you kind of do the same thing I say, kind of it's similar where you're fuzzing inputs on the, you know, look for injections kind of running through the OAS top 10. See if you can find any vulnerabilities that match some of that stuff, because they're going to be the best. And if you find one, then same kind of procedure, you contact the organization, let them know what you found, give them your evidence, let them triage that, ask them for permission to disclose once they've got it triaged and fixed, and then submit for your cve. Let's see here, what else, what else we got here? We got Doom, Kraken. What are your thoughts on using LinkedIn from a cybersecurity perspective? A lot of my references suggest using it, but I personally don't trust it with my PII since it's owned by Meta. This is a great question, great question. Honestly, I don't trust anybody that owns my PII and I work with them as much like I make the decision on what to give them, knowing full well that I, I am either gonna like just play the game and go, I can't, can't go to the next level unless I give them what they asked for. And I'm willing to make that calculated risk. LinkedIn. I've been heavily active on LinkedIn for a few years now. I don't have nearly as many followers as somebody like Jerry or, or others. I have a few of right under 30, 000 followers on LinkedIn. I haven't been active on it lately. I took some time off from LinkedIn. I just needed a break, right. It's the end of the year, starting a new job. I just, I just needed to take a step back, right? I don't. I was feeling burnout you know, its breath was on my neck. It was that close, you know what I mean? So I was like, let me, let me just step back from a few things. I'll get back to it probably this week. I, I do want to start posting again and so LinkedIn can be a good thing. Most of these things are double edged swords. Okay. So you, you've got to really go in with a jaundice eye. Understand? Yes. They're gonna, you think of people like Michelle, Michelle does everything he can if, if you don't explicitly require something and then that requirement. Can I lie? You know, am I able to tell you like, oh, the school I went to was FU University. Right. And they go, okay, right. I don't have to give you all that detail. It doesn't have to be real. I can do misinformation and therefore you're good to go. So that's one way you can go about it. If you want to kind of skirt around, you gotta, you gotta do what you can do, get, get creative with this stuff. But I, I like LinkedIn. I think LinkedIn can be a really good link. Research. I say I like it. I think you'd be a useful resource if you're willing to put the time and effort into it. So that's my, that's my real advice when it comes to LinkedIn. You absolutely should be wary of whether or not it's is using your data in a way that you don't want it to. So by all means, feed it a bunch of bull crap whenever and wherever you can. I highly recommend, other than that it could be a useful tool for networking, gaining an audience, getting your name out there and networking because that's what, that's really what it was originally meant for and still can be used for. It's not as good as it used to be, but it can be useful. So just keep that in mind. All right, so there's your LinkedIn answer. I got a few that I have pinned. See here from cryptic Roses. How social is cloud engineering? Jobs as office environments seem fun. I've only experienced it for two weeks as an intern. I mean, depending on the crew in office stuff can be awesome. I actually have come to the conclusion myself. I prefer a hybrid. I think hybrid like half a day at work. I want to go into the office every day, but I don't want to stay in the office all day. I want to do work that requires me to focus at home in my ivory tower. I want to do work that forces me, that, that requires me to interact at work. I think there's, there's pros and cons to both side of work from home and return to office stuff. And that's just my personal opinion. So I like going in the office to an extent. So you get a good crew. It's going to be awesome. Have fun. I've worked with some great people and I enjoy working with them. This one again from Arty Steve Leto covered a Philly criminal case where the cops used Google to track a person and the precedence is bad for fourth Amendment. Have you heard about it yet? I have not heard about it. Did they use Google like Osint? Like I. I'd have to know more about how they used Google and how it, how it would be a violation of their fourth Amendment rights. Right. If it was public information. That's, that's not a violation of fourth amendment rights. If they like broke into their Google account. That is absolutely without a warrant. That's absolutely a violation of their, of their fourth Amendment rights. So I have to learn more about that one from Face Doyle, super technical question. What would your favorite apt group entrance music be if they were a wrestler? We can call the Event Server Slam 2026. So my, my favorite band is Ultra Bridge and there was a wrestler that used their song Metalingus as their intro. So that's what's up. They have some great times. Call of Achilles, that's a great tune as well. So fun, fun. Great question, great question. Let's see here again from Doom Kraken. Doom Kraken. I keep learning or I keep seeing stuff about seminars and courses to take for cyber security training and these SC podcasts. Are there any out there that come with a certificate or are great to show on a resume? I mean a lot of them do come with certificates. Completion I've seen just depends. I mean if they're costing you a bit of money, yeah, you want to do your due diligence, you're going to have to get specific on asking the community, kind of reach out and go, hey, I'm looking at this cyber security seminar cost 25 bucks. Cost whatever. So it's a little money. Is it worth it? What do you guys think about that and kind of get some feedback on that? So do your research. Go into Reddit, go into the Discord servers of people that were probably gonna have done the same kind of thing and get their take on it. Maybe somebody goes, oh yeah, they're total crap. Or they go, oh no, that's amazing. That's 25 bucks well spent. That but you got to be specific. Can't just say, hey, there's a bunch of subscript. Which one do you recommend you're gonna get? You might as well just Google search it at that point, figure out what it is that you want to learn. Go find out who's teaching that or putting a seminar on or a podcast or whatever. Then go ask people what they think about it. That's how. That's, that would be how I would do it. This one's from FedEx. What's for today's celebrations? What's New Year's Day look like? It looks like me sitting at the house. I love New Year's Day because I don't do nothing. I don't go out. I don't do jack. I'm a fuddy duddy. Oh, man, I forgot to do that. Let's do that. Go back to all comments. Hide that message. I hate when I do that. All right, looking for the questions. Let me go back to the last one I starred, which was FedEx. There it is. You said you thought LinkedIn was owned by Microsoft. It absolutely is owned by Microsoft. What is the st finale? I don't know what that is. Dj. Okay, what are we doing here? Looking through. Looking through. Where's your questions? Get your questions here. Get your questions answered. FedEx says he likes his hybrid setup, too. Yeah, Team hybrid. That's what's up, right? A little bit of this, little bit of that. See, I like options. I'm an option. Guys, what's. That's what drove me to Linux, honestly. I mean, first it was all about, like, somebody told me, if you want to be a real hacker, you got to use Linux. So I was like, okay, I'm learning Linux, I guess. And then I was like, man, I really like the customization of this. How it doesn't just, like, it gives me the ability to change just about anything I like. If I've got the wherewithal, it will give me the capability. I have the capability of, of modifying and customizing it. It's up to me. It gives me the tools. I like options. That's why I run every operating system. I have MacBook, I have multiple Linux. I've got Windows. Right. I've got Android. Only thing I don't have is iOS just because I'm not running an iPhone. I'm sorry, not this guy. I, I, I rode that, right? I wasn't a fan. Zack Morris on Is he breaking the fourth wall? What is the most exciting part of a GRC career in cyber security? I don't know because I don't do grc. But if you in chat, do, please chime in because Zach Morris is wanting Zach Morrison. I mean, it's wanting to know the most exciting parts. I don't know what, what would be the most exciting part of grc? GRC is kind of a reputation of being kind of magoo. Like actually you have violated. You have not followed the standard. You're not going to get your sock to type 2 compliance certification because you did not. Blah, blah, blah. It's very, very, very necessary. But you're, you're basically just looking for what people aren't doing right, and advising them on what to do right and how to do it right. So I mean that it could be. I, I would guess it would, could be exciting on seeing people that are excited about bettering their cyber security maturity and program and, and watching their little faces light up as, as you're like, well, you can do this and you can implement that. It's like it's. Oh, it's Christmas Day. Oh, I'm writing all this down. It's so amazing. It's like, because you do have a cyber security expert right there helping you out. Oh, man. Almost an alarm. What's the time? Okay, we're still good. So, yeah, anybody who knows, reach out to Zach Morrison. Let them know what's exciting about being grc. DJ B sec. Is Tech Net gonna blow stuff up tonight? Around the trailer park, man. Here's the thing. If you do it on New Year's, cops are everywhere, right? You gotta, you gotta wait. Actually, Saturday, Technic is going, going out with my boys. We gonna lay some lead down range. I need to get me some tannerite, though. I don't have any tannerite. So. Yeah. Blowing stuff up. Yes. Shooting stuff that blows stuff up. Yes. Just not doing it tonight. I got little kids, man. I gotta hang out with them kids, watch the ball drop with the wife, right? But Saturday is a different story. Saturday, Daniel's gonna put some 5, 5, 6 and some 7, 3, 7, 6, 2 by 39 down range. Maybe a little 45 ACP if he's feeling good, right? Turn on the eotech, maybe do some night fire. It could be a good time. All right, let's see here. DJB6 says we got football games today. Cool. A lot of people like the football. I used to be one of them. Oh, that's right. Stranger Things is out. Marcus Kyler, find the true. Thank you for reminding me. Oh, that's what you meant by St. Stranger Things that is straight up. I will watch some Stranger Things. I haven't seen any of the news season yet. Gotcha. I. I've watched Stranger Things since it started. I've never heard it called st. Of course, I don't like talk to people either, so there's that. I talk to the camera and this is the only way in which I actually see people talk back. Is there a step down below help desk? Because this comes from cryptic roses. Because I don't know why I'm not getting to the CV stage. And I've got advice to do help desk and tune. Not as a source of income and experience. Okay, hold on. Let me see if I can decipher what you're trying to say here. Is there a step down below help desk? So you not. I mean, so a lot of time. Let's just start here. A lot of times, people like myself, Jerry, and others will have you try to get for jobs on a help desk as a first cyber job. There are reasons for that. What are those reasons? You say? Great question. Glad you asked. Those reasons are you have to work with the public. You have to talk to people, users, clients. Basically think of them that way. They are your clients. You have to learn good customer service. You have to learn soft skills to be effective at that job. So it's really good for that. Number two, you're gonna see a variety of different problems. So you get really good at troubleshooting. Right. Number three, you start to see where misconfigurations happen. You get to see how users screw things up on a daily. And you go, huh? And you start to see like. So it's. It's a really good building block. Right. You're already with an organization. Chances are they do cyber security. Fingers crossed that they do. You're now an insider into that organization. You already have trust. So now you can start to say, hey, who's on that team? Learn who those people are. Start talking to them. Hey, I was. I'm really curious about X, Y and Z. I'm into cybersecurity. Could I take you to lunch and buy you lunch and just maybe get your team some lunch, a coffee, whatever the case is. I like to pick your brain about X, Y and Z. You're not asking for a job. You say, I'm learning cybersecurity. This is something that they are passionate about. Free lunch on top of it. I'm saying yes. Maybe they don't, but maybe they do. You do cool things. Hey, if you ever need an extra set of hands during a Project. I work for Dirt Cheap, AKA Free. I already work here, so I'll. I'll get coffee, I'll crawl under floorboards, I'll run cables, I'll do the toner. I'll do anything you don't want to do just so I can be a part of the show and smell the cyber on me. And then if and when something so you know, like those people become like, hey, you know what? We need an extra set of hands. Permanently. Well, Cryptic Roses has always been fresh to the scene and always been a cool person. Let's see if. If we can get them hired. Right? You're human networking. You're already in the organization. It makes it a whole lot easier to kind of transition. So that's why we recommend starting a lot. It's not the only way to do it. You can do freelance work, you can volunteer bug bounty. There's a lot of stuff that you can do that's not necessarily a step down, but you get the idea. Right. It will give you the kind of like it's. It's a lower barrier to entry than maybe getting on a help desk. So there you go. Moving on. Moving on. Zach Morris. Was that like being on Save by the Bell? Yeah. Or what was it like being on Save by the Bell? Zach Morrison. You gotta love that name, man. It's just great. It's a great name. It's a great show. I don't care who you are. It was great. Doom Kraken. What might be some good cybersec career fields to explore. Starting out as an FPS game designer. Looking to break into cybersec as a career. I have experience with version control systems. GitHub. Okay, that's great. As a cyber security developer, right? Someone who code review. A lot of pen testers hate doing code review. Hate it. Right. So if you already know how to do code and you're into cybersecurity, learn how to do secure code and you're the go to unicorn. That. No, no, because nobody else wants to do it. You will have no end of work on the code review. That would be my advice. Hopefully that helps. Look into it anyway. Right? How much time we got? Oh, we got one minute left. Edit on. Okay, I'm. I'm sorry, I cannot read that. The. My vision is not what it once was. But how solid is the sock career path in light of all the AI bus? Honestly, I. I won't be sea. I don't know. It's changing. It's different. It's making the. The. The. The bar to entry higher. So I don't know how fast you can catch up. You'd have to learn AI at this point. So. Yeah, just saying, you know what has done really well in spite of AI grc. Let's see here. Questions, questions, questions. I'll go a little bit over because we went a little bit over. Zach Morrison says my favorite co star was Mario Lopez. He's sweet looking guy, right? He's just the dimples and he's got that charm about him. I bet he was a, a real pleasure to work with. All right, let's see here. Get your last questions in before I call it a day. The real Kyle. Kyle, what training learning resources do you recommend for learning about WI fi? Thinking about drones, bots, cameras, etc as the world is changing. If you want to learn about WI fi specifically, just build a home lab with go go buy a $10 router from like Goodwill or something and then misconfigure it and hack it. If you're talking about getting into the more of the Iot side of things, not just strictly into WI fi, but hardware and things of that nature, there's a lot of good books out there. Practical Iot hacking, I think from no starts. They also have hardware hacking as an nostart has a couple of good books. Adify has a training course. It's not super duper pricey, but it costs you a couple of bucks. I mean it's, it's on the edge of like, oh, okay, that's money. But I, I haven't taken it, but it seems pretty solid. Do you consider yourself a journalist? Is there room for in depth journalism in cybersec? Man, I, I thought about that very question last night as I walked my dog. I was like, these articles today, right? I was like, what is up? What would that look like? To start my own, you know, journalistic outlet to, you know, the, the doing the research on the, on the stories and reaching out to people for comments and doing investigative research so I can get the real scoop. Having people from those organizations on the down low reaching out to me and telling me this is the real deal. This is why they won't tell you what happened because it's horrible and we suck. That's probably what's what would happen. I, I hope that someone would start something like that. I don't know how to do it. I wish I did because that would be great. All right. Just trying to catch up with you guys in chat and which I just did. All right, kids, looks like we have reached the end of the show today. Thank you for joining me. Hopefully you enjoyed it. I know I sure did. But as we say every time we end the show from Simply Cyber and all the Simply Cyber community, stay secure. Have a happy new Year. Goodbye. Goodbye.
Podcast: Daily Cyber Threat Brief
Host: Daniel Lowry (Simply Cyber Media Group)
Date: December 31, 2025
Duration: ~1 hour
This final episode of 2025 delivers a rapid-fire, insightful analysis of the top cybersecurity news stories curated from the CISO Series headlines. Host Daniel Lowry brings his trademark humor, depth, and community flair, breaking down eight key articles ranging from advanced persistent threats and AI prompt injection to shocking insider ransomware cases, record-breaking cybersecurity acquisitions, and more. Listeners gain actionable takeaways, technical explanations, and lively banter to help them understand threats—and the business of cybersecurity—as the year closes.
[06:38 – 18:20]
[18:20 – 26:19]
[26:19 – 35:41]
[35:41 – 44:27]
[44:27 – 50:27]
[50:27 – 55:57]
[55:57 – 61:21]
[61:21 – 66:05]
[66:28+]
| Time | Segment | |-----------|------------------------------------------------------------| | 06:38 | Silver Fox/Valley RAT deep dive | | 18:20 | Mustang Panda / ToneShell kernel rootkit | | 26:19 | OpenAI’s prompt injection admission | | 35:41 | BlackHat insider ransomware plea | | 44:27 | $84B in cybersecurity M&A deals | | 50:27 | Critical SmarterMail RCE bug | | 55:57 | KMSAuto malware and crypto theft arrest | | 61:21 | European Space Agency breach | | 66:28 | Jawjacking: Live listener Q&A, New Year's closing thoughts |
Daniel Lowry blends technical depth with humor and irreverence, making dense threat analyses accessible—even entertaining—for both seasoned pros and up-and-coming cybersecurity practitioners. The interactive community vibe and wit (“...if it’s signed, it’s trusted. If it’s a rootkit, it’s dug in like an Alabama tick...”) are signature elements, as are the clear, practical insights after each story. Jawjacking Q&A at the close extends the learning and camaraderie.
This year-end briefing exemplifies what Simply Cyber does best: demystifying the day’s top security threats, challenging industry norms, and bringing the cybersecurity community together for learning and laughs. Essential listening for anyone wanting both threat intel and a seasoned insider’s perspective as we enter 2026.
“Stay secure. Have a happy New Year.”
— Daniel Lowry (end of episode)