A (3:36)

Let's see. First timers definitely called you all out.

A (3:41)

Long timers. Austin, Texas, every single day of the week has a special segment. Yesterday we recognized Eric Capuano for being the simply cyber community member of the week. Today is Tuesday, which means only one thing. It's tidbits Tuesday. I share a little bit about myself and we see if we vibe on it, everyone's got an opinion on something. I throw it out there. Roswell, uk. Why am I not surprised, brother? All right, hey, listen, did some some fun stuff last night here in Austin, Texas that will be related to my tidbits Tuesday. Definitely going to be a conversational topic of great dis discourse, believe me. All right, guys, we're off and running here. Let me give a shout out and love to the stream sponsors, starting with Flare. I do want to say I actually met with.

A (4:33)

Faustine from Flare yesterday. Super excited about where they're going in 2026. If you guys don't know about Flare, I've used their product and I've been working with them for the last year. Phenomenal people. I really like the humans behind the company. There's on December 11th. So two days from today and I will be back in Charleston two days from today from 11am Eastern to noon Eastern. They are running a panel on the state of the Dark Web 2025. Now what's wild is Eric Clay is one of the panelists. He is the chief marketing officer but he's also hands on keyboard, deep, deep into the research. So this is what I mean when I say I like this company. It's not just like here's a bunch of like executives and then they throw money at people and and solve things. It's like they're fully bought in to the mission from the top all the way down to the, you know, the newest analyst on the team. This four banger podcast panel right here is sick. I'm going to tune into this. Believe that if you're looking to just get insights on kind of what the state of the dark web is, which phenomenal. Hello, GRC Mafia people, SOC Analyst people. Understanding how the threat actors are operating and what they're up to is step one of threat modeling and understanding the threat landscape, which is always dynamic. This is, this is, this is free to go to. But I'm telling you this is definitely going to be worth your while. So go check that out. If you go to Simply Cyber IO Flare, Simply Cyber IO Flare, you can get redirected directly to this and sign up and hang on. All right. Space Taco says all right. My audit is heating up to Lurker mode activated. All right, watch out. Space Tacos is on the hunt. I love it. Space Tacos want to say shout out to Black Hills. Black Hills Information Security and Anti Siphon training. Anti Siphon Training disrupting the traditional cyber security training industry. High quality, cutting edge education. Very affordable prices. Right now they're running a Black Friday deal where it's fifteen hundred dollars which is a huge one time fee. But if you understand it's for an entire year's subscription of access to 50 plus on demand courses. It's basically like an ultra library card. In addition you get access to Wild west hack Infest in February, the Denver Mile High version of the conference virtual tickets. So lot of value in here. If you want to be a red team or blue teamer, learn cloud, AI, osint, grc, threat hunting fundamentals, whatever it is, they've got a course for it. Go to AntiSiphon Training.com Black Friday 2025 and get up on that action. Quick word from Threat Locker. I'm going to slug this coffee just, just for everybody's awareness. Number one, I've, I've gotten in front of the, the cloud, the, the sun issue also got this spotlight on me right here. So I'm definitely like in the, in the thing. Additionally, I'm going to start doing this Phil Stafford, you might enjoy this one. I'm gonna do this. So you guys know, not that I'm John Cena, not that I'm John Cena, but apparently this is the easiest way to tell if something's deep fake. So I will not be deep fake Jerry anytime soon. So there we go. No, no distortion lines. Hear from Threat Locker really quick and then I need you to sit back, relax and let the cool sounds wash over you. Okay, Quick word from Threat Locker. I want to give some love to the daily Cyber Threat brief sponsor Threat Locker do zero day exploits and Supply chain attacks keep you up at night. Don't worry no more. You can harden your security with Threat Locker. Worldwide companies like JetBlue Trust Threat Locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance, visit threatlocker.com DailyCyber.

A (9:01)

All right, there you go. Thank you very much. You guys are hilarious in chat, by the way. You can't see me, sunshine. You can't. You don't know me. You can't see me. It's so good. I'll probably get a copyright strike for that from the WWE too.

A (9:17)

Okay. Obviously got the flag out so you know, it's official. Now do me a favor. Bruise and hacks. I need you to sit back. Chad Hall 93, I need you to relax. Phil Stafford, sit back. Relax. Yeah, pull the lever on the recliner, sunshine.

A (9:38)

Let's let the cool sounds of the hot news.

A (9:44)

Hold on. We got, we got that spicy mixed up there. There we go. Wash over us all in an awesome wave, guys. I see you at the mid roll. Let's cook.

B (9:52)

Foreign.

C (10:00)

From the CISO series, it's cybersecurity headlines.

C (10:07)

These are the cybersecurity headlines for Tuesday, December 9, 2025. I'm Lauren Verno.

C (10:16)

Ransomware payments past 4.5 billion.

C (10:23)

Ransomware payments reported to the U.S. treasury's Financial Crimes Enforcement Network, or FinCEN, have now topped $4.5 billion, with 2023 standing out as the most expensive year on record. More than 2.1 billion was paid between 2022 and 2024, including 1 billion in 2023 alone. Akira accounted for the most reported incidents, but Black Cat took in the biggest haul with nearly $400 million in payments. Financial services, manufacturing and health care remained the hardest hit sectors. And most ransom demands they did stay under $250,000.

A (11:14)

Okay, so this is good information. This is government reporting information. So you know, typically when you see an industry report like, you know, the state of email security in 2025, IT. It's usually sponsored by an email security gateway vendor. And while the information is typically good, you do have to give consideration to some bias, right, with this being government, you know, information. And please, let's not get into like government, like political conversations, but it's just it's, it's more objective information than it is.

A (11:52)

Prone to bias. So $4.5 billion by the end of 2024. I would have, I, I don't know the opening time mark for this. Again, I'm a big old dork when it comes to academic research. So when you start getting very granular with academic research, which this is not, you have to be very clear about boundaries and limitations and biases and things like that. So I don't know if this is $4.5 billion by the end of 2024 for all time cybercrime ransomware payments. I would assume that. But you know what happens when you make an assumption, you know what I mean? So.

A (12:28)

4.5 billion, as Phil Stafford says in chat. Yeah, it's amazing. This guys, this is why you can expect ransomware to continue. There's, there's, it makes a ton of money and the chances of you getting caught or arrested are not that high. If you are not stupid or you, you don't get ultra greedy or you're, or your ransomware gang is composed of half Ukrainians and half Russians and Russia invades Ukraine. That's like, you know, kind of an anomaly situation that destroyed Conti ransomware. Now for me, as a, you know, you know, ciso, grc, professional, whatever you want to call it, like, here's what I take out of this story immediately. Yes, $4.5 billion, like, okay, but that's fine. The number is definitely higher because this is just information that has been submitted to FinCEN. There are tons of businesses that have been taken, compromised by ransomware that just dealt with it and moved on. Like they didn't report it. They just either, you know, recovered, you know, ate the crap sandwich or paid the ransom and then tried to like, you know, basically hide.

A (13:41)

The thing that's most important for all of you in chat, in here is this.

A (13:47)

This paragraph right here. The median amount of a single ransomware transaction was 155,000 in 2024. And you could see it was 124 and 22, 175 and 23. And then 150 it went up and now it's declining. So technically, I would imagine following the trend, that 2025, median amount of single ransomware transaction would be around, you know, 140ish. If I had to guess right, like put it in there. It does say that the most common payment range was below 250 grand. So as a practitioner, this is what I think.

A (14:25)

Number one, like, if you're going to Some businesses do this. Okay, which is fine. Some businesses will take like $250,000 and put it in like a reasonable yield money market account and just put it there. And it's like their insurance plan, right? That's certainly something you could do. It's an option. If you're going to get a cyber insurance policy, make sure that the amount that the provider will cover, as far as know, payment to the threat actor, if that's something you're going to choose to do, is 250 grand, right? So like, that's why this report is so useful, is because it's giving you objective, concrete values that you can then use when you're having your discussions with leadership or with your, your insurance providers, et cetera. They do say in here that Akira was the most common reported incident at 376 incidents, and Alfie Black Cat the highest at 395 million, which is insane, if I had to guess. I, I suspect that's the Change Healthcare attack, which was Black Cat's final coup de gr. They, they basically dissolved the gang after that particular attack. It was, it was.

A (15:43)

After the Change Healthcare attack. It was very much like Beverly Hills Cop 2, where the heat was like, the heat is on to two. The heat is on. So like, like the cops were gonna go get them, right? And they, dude, when you take $400 million, you better believe somebody's gonna. Somebody wants some retribution for that. So TLDR 250 grand is the amount you should think of when you're saying like, oh, if we get hit with a ransomware attack, what's it going to cost us? By the way, this is just the payment. Another thing people don't think of unless you've like, lived it. That's just the payment guy. Like, that's one line item on dealing with a cyber incident of ransomware. You still have downtime, you have recovery, you have external incident responders, you have external counsel. You may have to pay to have identity theft protection for your victims if your data gets exiled. So don't think that you're just cutting a check for 250 grand, wiping your hands and calling it a day. Now you basically have jumped in pluff mud and you get to throw 250 grand so you can like get out of the pluff mud, but you're still covered in a bunch of crap and you have to clean that all off. And that isn't free. All right, let's keep going. And if you don't know what pluff mud is Google it.

C (16:55)

Cybercrime networks orchestrate real world violence. This is one of those stories where I triple checked my sources. Europol's Operation Grim has arrested nearly 200 people, including minors, over the past six months for involvement in contract gifts killings and other violent crimes orchestrated online. The operation targets, quote, violence as a service networks that grooms teens to commit attacks. Cases include two attempted murder plots and a triple shooting that killed three people in the Netherlands earlier this year. Investigators say the activity is tied to cybercrime groups like the Combination, who are more commonly known for their sim swapping and extortion scams.

A (17:45)

Wow. Okay, this, this took a Grim turn. If I may try to make light of this horrible, horrible story. So.

A (17:57)

I mean, this is, listen, this program, we try to cover the top cyber news stories of the day. I don't pick these stories. I literally, I forgot to tell you guys at the beginning. I don't know what stories are coming up. I literally finding out as you're finding out. My ability to like react and go deeper is just based on my passion for cyber security. And occasionally the stories are like cyber adjacent or not even cyber. This one is cyber adjacent because the comm, which is if you don't know the comm c is a collection of cyber threat actors specific become best friends.

B (18:36)

Yep.

A (18:37)

Super chat coming in. Specifically the Shiny Hunters lapsis.

A (18:44)

Thank you, Flanders. Flanders with a super chat says say breach and you drink.

A (18:49)

I heart nest. I'm pretty sure it's shiny Hunter scattered spider lapsis. These threat actors are kind of identifiable because they're composed of younger individuals, I would assume male. You know, there could be females in there, but I, I don't think so.

A (19:09)

And they're, you know, 18, 19, 20 years old. They've been around for a few years, so they are aging up. But that, that demographic is.

A (19:19)

You know.

A (19:22)

Reactive. They're, they're known for being very braggadocious and very aggressive. So pivoting into violence as a service, I mean, I guess I would imagine that this is going to escalate lawn. Well, I guess law enforcement is taking action on this. Where's my law enforcement regulators?

A (19:42)

It was a clear black night, a.

B (19:44)

Clear white moon warmer. G was on the streets trying to console.

A (19:48)

Yep, yep. Okay. So, you know, basically.

A (19:53)

Since they're already offering illegal services, they've just thrown murder, torture and other things on there. What's to me, what's insidious about this? What's insidious about this is I have children. Right. It's insidious to think that children are Being groomed, like this is some type of like.

A (20:17)

Like dystopian society where like that's, that is like a normal, accept, socially acceptable thing. Obviously it's horrible. And you almost.

A (20:29)

I mean this isn't a cyber story. So I can't give you like expertise and guidance from a cyber practitioner perspective, but just.

A (20:36)

I appreciate law enforcement doing what they're doing. You know, if you have kids, yeah, I'm not a perfect parent. I would just say be involved in your kids lives. Don't, don't just you know, let them get groomed by friggin criminals to do horrible, horrible things. Because again, by the way, like criminals know that children's brains aren't fully developed yet. So they're emotional, they're reactive. A lot of times they don't have money. So like enticing them with money is something that's very motivating.

A (21:09)

This is a terrible story. I don't even know what to say about this one man.

A (21:14)

It's insane. That's what it is.

C (21:16)

Three arrested over possessing hacking tools Polish police arrested three Ukrainian nationals after finding them with hacking and surveillance equipment like Flipper Zero devices, laptops, portable hard drives, SIM cards and signal detectors. Now authorities say the men could not explain why they were carrying the tools and allege the equipment could have been used to target critical IT systems in Poland. Now police also emphasize that the charges stem from the potential for misuse of the tools, not confirmed damage or breaches. The individuals now face charges of fraud, computer fraud and possession of devices intended for criminal activity.

A (22:03)

All right.

A (22:05)

You can see the screenshot here. The Flipper Zero is right in the middle. The guy's got a clear case on it. He's got this thing on the far left. Looks like, like a, like inline data info, you know, copier data duplicator, rfid. Guys, this is pretty slippery slope, okay? What is this? Minority Report with Tom Cruise? Listen, just because you're visibly nervous and you have hacking equipment. I like, I don't even know what they arrested him on. Like what crime did you commit? Now listen, were they probably going to commit crime? I don't know, I don't know. Possibly all, all the, all the markers are there that they're going to, that they would be committing crime. But these tools are not. Like if I have a handgun on me, right? Legally have a handgun, I own it, I have a permit or whatever you a license. I'm in a, you know, right to carry state or whatever. Does that mean I'm about to rob a bank? No, you know what I'm saying? So this, honestly, this, this actually.

A (23:14)

This is a polarizing topic. And what, you know, let me know if you. How you feel about this. But the second we start arresting citizens, and again, this is in Ukraine, so this isn't in the United States, but just in a general population societal approach, the second you start arresting citizens for the potential of what they might be doing, that, that's. That's pretty authoritarian, frankly.

A (23:40)

You know, there are like, you can go on Hak5 and buy an OMG cable. You can buy a wireless pineapple. Like, I have a WI FI pineapple at my house. I have a bad usb. I have an OM B or OMG cable. Right? Like, I doesn't. I'm. I'm interested in having. I have a Flipper zero, too. I'm interested in having those tools because it's interesting to see what the tech is and understand how it works and, oh, I don't know, actually understand the reality of how a threat actor might operationalize that. Dude, if your strategy, it's. It's the same with that flare Dark Web panel on Thursday. If your strategy for, like, protecting your organization or your business or your home or your family or your network or whatever is to just hope you understand how a threat actor operates, that's like, I, I don't want to say that's stupid, but.

A (24:38)

It'S, it's less informed. I'm just getting a fact check here. This is in Poland, not Ukraine. Thank you, bsec. But it's still, to me, the thing's still the same. Like, this is how we learn. This is how we get more practical with how, like, by doing all these things, right, we can actually understand what controls should we implement that would be actually effective at slowing down these type of attacks. So, you know, I don't, I don't. I don't know what, like, law. These guys are going to be charged with breaking, since they didn't break anything. And again, they're faced with charges of fraud, computer fraud, possession of devices intended for criminal activity.

A (25:24)

I don't know, ma'.

B (25:24)

Am.

A (25:26)

I would just say this seems awfully.

A (25:29)

Dubious.

A (25:32)

Okay. I don't know. What do you guys think in chat here? Minority report? Exactly.

A (25:39)

Oh, my God. BW says tomorrow's story. Polish cyber authorities raid Jerry's hotel room. Yeah.

A (25:48)

All right.

A (25:53)

All right. People talking about it. This would be good, right? Yeah, it would be scary.

A (25:59)

I don't know, dude. I mean. Yeah.

A (26:04)

I don't know.

C (26:06)

Russian crackdown on malware scam.

C (26:10)

Russian police say they've taken down a crew that stole more than 200 million rubles. That's about $2.6 million. Using malware built on NFC gate, an open source tool now popular among financial cybercriminals. According to the Interior Ministry, the group tricked victims into installing fake banking apps, then harvested card data by having them tap their cards to their phones, letting attackers drain ATMs nationwide without the cardholder present. Russian security firm F6 estimates at least 1.6 billion rubles, about $18 million has been stolen using this specific scheme.

A (26:57)

All right, so this has been happening a bit more lately.

A (27:03)

And the idea is.

A (27:06)

It'S called NFC Gate, right? And it uses that NFC near field communication protocol, but.

A (27:13)

That'S literally just to get the card data off the card. Victims are tricked into installing a malicious fake banking app. There's step one.

A (27:24)

Whenever we're thinking about protecting our end users or our organization, think through the whole cyber kill chain and try to break the links all along the way. If you get one of the links broken, you stop the attack. Okay, so for this one, where are they getting these fake bank apps and why are they installing them? Okay, again, social engineering, phishing, email, you know, compelling looking, like, oh, hey, like this is from your bank. We've got a new feature, come check it out, et cetera, et cetera. Once they install the malicious app, which is awful, they are told to enroll their card. And once they use the nfc, the NFC just pulls the data off that. That's the extent of that. Then through some type of like C2 traffic, it, it sends the data to the attacker who then either. I, I don't know, they don't get into the details here about it, but like they either have a, another card that they're cloning the data to, or they somehow use that data to log in and pull money out. If I had to guess, they're cloning it to another card and then going to an ATM and pulling money out.

A (28:40)

Yeah, here's the trick. They're entering their PIN when they.

A (28:46)

When they, when they NFC their phone, which is the PIN is the, the password, essentially. Like that's the problem that they're giving that up.

A (28:57)

Pretty gnarly stuff. We've actually seen several. There is an uptick in activity of this type of, you know, essentially NFC related hack. Just know that the NFC protocol is not hacked. And really, if, if the threat actors could get the, the PIN in the phone, in the card number, different way, they would. The NFC is not innovative or necessarily required for this attack to work it's just one way to get that data from the victim in what would seem like a safe way. Right? Like personally, I do tap to pay all the time. So like enrolling in an app and doing tap to pay to my phone wouldn't seem like that outrageous. And ask. It wouldn't be. It wouldn't be like breaking any type of norms.

A (29:40)

But yeah, you know, it sucks too because.

A (29:46)

This is attacking like my aunt Dorothea, you know, I mean this is attacking like regular end users, not really.

A (29:52)

Organizations or like, you know, targets like that. I. I will say way to go Russian police. Keeping it real. Where are they? There it is. Extended cut from DJ B sec.

A (30:05)

It was a clear black night, a clear white moon.

B (30:08)

Warmer G was on the streets.

A (30:10)

One bonus thing on this story is it it said that the malware is built on NFC Gate, which is a legitimate open source tool. Which means you Amish brain, Flanders, Ken, dj, bsec, like you can download this tool and look at it and see what's going on. It is not malware. NFC Gate's not malware. Stealing your the. The malicious app that looks like a banking app that is malware. The NFC gate's just a function that is being utilized by the threat actors. So just know that not all pieces of this are malware by. By virtue. All right, let's keep cooking.

C (30:52)

Huge thanks to today's episode sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI. Attackers don't need malware anymore. They need trust. TIP. Set a simple passphrase for high risk actions like wire requests or urgent account recovery, especially within finance teams and families. If the caller can't answer it, pause and verify. Adaptive runs deepfake in vishing simulations so employees practice this before it's real. To learn more, head to adaptivesecurity.com that's A-A P T I V E security dot com.

A (31:42)

All right, let's do this. We did blow out the copyright yesterday. Today we're going to just keep it chill.

A (31:52)

All right, guys. Hey, shout out to all y', all, thank you for being here. We are at the bottom of the hour coming to you live from Austin, Texas.

A (32:01)

Do want to say again, thank you to the stream sponsors, Threat Locker, flare, Anti siphon. Also want to say holla to Barricade Cyber Solutions. Guys, if you didn't know, Barricade Cyber Solutions doing incident response and forensics work, but also the Fortify365 webinar series every other week, Eric Taylor and the team at Barricade Delivering Value on helping you understand how to properly secure your Microsoft 365 instance and December 10th is the next one. Session 9 the compliance setting one so GRC mafia is going to love this one. Basically you come in one hour, you're going to learn how to enable and customize DLP in your M365 incidents, discuss and define retention requirements, you know, based on your organization understand.

A (32:52)

Audit logs and how like basically when they fill up, what happens? Like how do you, how do you like handle audit logs and that endpoint protection with DLP specifically, there will be a demo of Activity Explorer and Content Explorer. So lot of value, a lot of opportunities. Go to webinars.barricadecyber.com to sign up for this free webinar series. It's good times and it's definitely practical knowledge that you can utilize. Every single day of the week has a special segment and Tuesdays is Tidbits Tuesday, guys. Tidbits. Tuesday is where I share a little bit about me and we vibe on it for a second. I am in Austin, Texas right now and last night, last night guys, I ordered an Uber to go to the dinner and Uber app popped up and was like hey bruh, hey bruh, would you like to get into a Waymo? And I was like all right, sure, why not? Like let's, let's go. All right. And those who don't know Waymo is a driverless car. So I got in the backseat with Mike Miller, right? So I had a, I had a partner in crime. So Mike Miller and I get in the backseat. I certainly wasn't going to sit in the front seat and we get in this Waymo car and the frickin thing drives away. And I got to tell you I was uncomfortable. It's kind of like the colonoscopy, right? Like I'm uncomfortable about the idea of it and hopefully my colonoscopy is like riding in a Waymo car because I felt surprisingly safe. It felt good. Good decisions made by the Waymo car. Now granted, I'm just buzzing around inner city so like I didn't get on the highway.

A (34:33)

But if you have ridden in a Waymo, let me know what your thoughts are. I know they're all over San Francisco and.

A (34:40)

In Austin, Texas. But seriously guys, it was so good that when I got out of the car the Uber app was like, hey, would you like to do more Waymos in the future? I was like yeah, let's go. And on the way home I took a Waymo, right? So.

A (34:55)

It'S pretty good. It's pretty good. It's like smooth like the app you like. When you walk up, the car unlocks. So it's not like someone can get in the car in front of you and then wait and like mug you.

A (35:08)

The car doesn't drive away until you're buckled up and you push a start button. So I don't know. It was pretty cool. I like it. So if you got, if you got yourself some Waymo action.

A (35:22)

Yeah, let it go. All right.

A (35:26)

Let'S continue on. Everybody.

C (35:33)

Calm.

C (35:36)

Marquee Software breach hits 780,000 customers.

C (35:42)

Texas based fintech provider Marquee Software Solutions, which works with over 700 banks and credit unions across the US said they were hacked due to an exploited sonic firewall vulnerability. Now at least 74 banks and credit unions were impacted with typical PII being stolen. Though there were some comments about how this attack could have been avoided in the first place, as the list of remediation efforts from the company included patching firewall devices, changing passwords, and adding VPN lockout rules.

A (36:19)

All right, hold on though. There's a lot of, a lot of Waymo conversation here. Phoenix. So Rob Cooper saying that Phoenix has got Waymos. I didn't know that. I guess a Waymo drove through, drove through a police standoff. That is interesting. Somebody in mod chat. Who is it? Is it bsek? Oh, Kimberly can fix it. Actually shared this. We actually had a conversation in the car. Someone in the car with me because on the way home there was four of us in the car, said that they, they wanted like a driving like a mannequin in the driver's seat. And immediately I thought of this, which shout out to Kimberly can fix it. This is from the original Total Recall with Arnold Schwarzenegger. So drink. But yeah, this basically was Waymo before Waymo.

A (37:07)

So yeah, yeah, yeah, Very cool.

A (37:11)

All right, let's talk about this marquee attack. Where is it? All right. Data breach affecting almost a million people. I never heard of Marquee Software, but it's a Texas based fintech company. It's probably here in Austin. If I had to guess that fintech in Texas definitely sounds Austin esque.

A (37:29)

All right. Threat actors blew through a sonic wall firewall vulnerability. I bet you if you go back to the early August episodes of Simply Cyber's Daily Cyber threat brief, there's probably an episode of us talking about patcher Sonic wall. Spicy. Okay, okay.

A (37:47)

All right. So the threat actors got in and did Data XF.

A (37:53)

And it looks like it was third party risk. Right. A single mid tier vendor was sitting in the data flow of numerous banks.

A (38:04)

Yeah, no kidding.

A (38:08)

All right, so the data that got out was name, address, date of birth, social, taxpayer id, bank or card details. You get your free credit monitoring. So, Phil Stafford, anybody looking for a last minute Christmas gift, you can have their personal information compromised and get them a nice two years of identity theft protection. Always, always a great last minute gift. I'm joking.

A (38:33)

And.

A (38:36)

After the attack, the company introduced the following security improvements. Oh my God. Dude, listen. For my aunt Dorothea, for, you know, your, your, your cousin Fred. Like maybe this sounds like outrageous, but guys, as practitioners, this is dumb. Okay, this is what the improvements they introduced in 2025. Now all firewall devices are fully patched. Oh, all right, that's good. Ah, you got a patch it. Not, not. Not making sure that firewalls are kept up to date with their patches based on threat intelligence suggesting that there is zero days being exploited. Nope, nope. Secondly, we're going to rotate local account passwords. Now I will give them credit. That is not the easiest thing to do. They're going to delete unused accounts. Oh, whoa, whoa, hey, wait a minute, wait a minute. Deleting unused accounts now. Now you're. We should get these people like a Sans DMA award for like innovative approach to cybersecurity. Stop. Wait a minute. This, this, this puts it. This is a stone cold lock of the week. Pick it and stick it on. Who's winning? Innovative company for cyber practices. They're enabling MFA on their VPN accounts. Oh, be still my heart. Be still. These people. Wow, guys. What? We're looking at a case study and best practices right here. I'm being facetious in overly hyperbolic because this is fundamental cyber security, not like what are you doing? You're a fintech company. You handle money and write software, and now you're talking about enabling MFA for your employees accounts into the vpn? Son, like what are we doing? You can brute force the crap out of that. It doesn't even say how.

A (40:49)

Oh, here we go. VPN lockout rules. Listen, I'm sorry, really quickly, let me just give you some insights, okay? Check this out. The fact that they introduced these two specific new controls into their environment tells me volumes. They introduced MFA on their VPN accounts and also lockout rules for repeated fail logins on their vpn, which means one thing only. A threat actor could easily write a script that could just pound on that VPN forever on an account. And, and I mean, granted, if the account Has a really complicated password, good to go. Chances are it doesn't. You could just hammer this thing like, this is, like, 2010 called. They want their, like, novel approach to cyber security back. This is ridiculous, dude. All right. They also introduced GoIP filtering for approved countries. Yes, that's conditional access, another thing that's, like, not that uncommon in 2025.

A (41:56)

And blocking known botnet command servers, not as easy. You do have to introduce threat intelligence because, you know, botnet command servers, IP addresses do change, etc.

A (42:10)

Dude, I. I'm kind of curious. I, like, give me a moment while I. I just kind of cur.

A (42:32)

I'm just, like, curious if Marquee Software Solutions even has a ciso.

A (42:38)

All right, here we are. We're at their main website. There we go. Glenn Fishback, President and cto. Larry Powell, CEO. What's up, Larry? Todd Johnson, cio.

A (42:52)

All right. And there you go. I do not see.

A (43:02)

Yeah, they don't have a.

A (43:06)

This is ridiculous, dude. It's a fintech company without a CISO or, it appears, any information security staff.

A (43:16)

So the CIO is probably as close as you're going to get. What do we get? This guy Todd's responsible for management and protection of the company's information systems. Todd's role is overseeing cybersecurity. I don't know, Todd. Sorry, guys, I'm just. Give me a moment here. Just going a little bit down the rabbit hole on. On this one, because to me, it's like, what are we doing here? How did this. How did this come to be? All right, on, let's look up Todd Johnson here on.

A (43:47)

Let's see.

A (43:51)

Little O sent on old Todd. No, that's a different Todd Johnson.

A (43:56)

Damn it. I wish his name was, like, you know, Dickie Ascot or something. Something a little bit more like not as.

A (44:05)

All right. Todd Johnson escapes my scathing analysis until.

A (44:12)

Until I can find his LinkedIn profile. I just wanted to see what his background was, because the dude's responsible for cybersecurity at this company, and until they suffered a massive breach, they weren't even implementing basic controls. So I'm sure they saw cyber security as a cost center, too. All right, let's keep going.

C (44:31)

UK warned AI models may never be secure. Well, duh.

C (44:37)

The UK's National Cybersecurity center warned that large language models like ChatGPT have a fundamental flaw that could let attackers hijack them, known as prompt injection. You all know that the issue arises because LLMs treat all input as instructions, making it impossible to fully separate safe data from Commands. Researchers have shown this can be exploited in development tools, browser agents and other AI integrations. While companies like OpenAI and Anthropic are trying fixes, the NCSC says these vulnerabilities may never be completely solved.

A (45:19)

All right. I mean, dude, okay, so the underlying statement here is that AI isn't able to discern between a prompt and, and like data.

A (45:32)

I mean, this isn't really that different than like the way software works where there's data and then there's like machine code, right? Like what, you know, like what we're, what the system is supposed to be doing.

A (45:46)

Guys. AI, while it's, you know, advancing incredibly quickly, it is a reasonably new technology and there's going to be all sorts of hurdles and bumps along the way. I don't think validating prompts before they get accepted as prompts is necessarily an impossible task to solve. But.

A (46:10)

I, I also don't think that this is like, I don't know, mind blowing. The story.

A (46:19)

Like the story that they link in the show notes here doesn't really talk about it. The story that links in the show notes is actually talking about a defense bill. So, you know, this doesn't map up with what Lauren Verno is talking about.

A (46:37)

Just the TLDR guys is AI is moving quickly. Prompt injection is a major attack vector. We've seen it in multiple ways. People passing URLs as prompts.

A (46:52)

Just hiding it as payloads, etc, hiding. We've even seen prompts embedded in like emails where the font is the same color as the background of the email. So a human, a human wouldn't visibly see the prompt, but a machine that's ingesting the email for analysis would see the prompt. So there's all sorts of tricky ways to get these things into the AI models and have them execute.

A (47:18)

AI is not going anywhere, guys. So this is a problem that people are working on. All I would say is, as far as I know, like the OWASP top 10 AI like attack techniques is a great place to start and look at if you're developing AI tools. Definitely give consideration for that. If you're using AI tools, maybe you could use that as part of your analysis, like, you know, some basic attacks to see if the software falls for it. If you're a pen tester or I don't know if there's bug bounty, like for bug bounty people in chat.

A (47:53)

Is there bug bounties that focus on AI LLM models, like attacking them? I would imagine there is. I haven't really seen it formally, but I would imagine there is. So just. We're going to keep grinding on it and just go from there.

C (48:08)

Clayrat spyware evolves.

C (48:12)

A new version of the Clay Rat Android spyware is out. And it's a big leap from the strain first spotted in October. According to Zimperium, the malware now abuses accessibility services to log pins and passwords, record the entire screen, spoof app overlays, and even block users from deleting it, giving attackers near total control of infected devices. Researchers have already found more than 700 malicious APKs tied to the campaign spread through phishing sites and lookalike apps, impersonating services like YouTube and regional taxi tools.

C (48:52)

Meta lets.

A (48:54)

All right, so clay Rat malware, you know, it's just. Here's the thing. I've never heard of Clay Rat malware until just now. It doesn't matter. The malware names change, the attack techniques stay the same. Which is why you should study ttps, right? So what we're looking at here is a Android based malware device that has all the things that you would want in your malware. Key logging to capture pins, passwords and patterns, data exfil to send stuff.

A (49:26)

You know, it says near total control of the infected device. Just like earlier guys, educate your end users. You shouldn't be installing random APKs on your Android device. Now. Threat actors can simulate the Google Play Store, send convincing emails, get you to install things. Just you have to educate your end users on these attack techniques, especially if they're choosing to use Android based devices. One interesting development of this particular variant is the abuse of accessibility services. So accessibility services are features that, you know, for colorblindness or for, you know, just blindness in general, reading the screen, tactile responses and stuff like that. Those, those services which are always, you know, included in a lot of these, you know, human interface systems are typically not often used by the general population, right? Like 80% of people aren't using the accessibility services, but they do offer an amazing amount of functionality. And honestly, in my, in my opinion, a lot of times the, the exploitable things, the things that are abused are usually the services or functions that are kind of fringe cases because they don't get utilized often enough. So they don't get as heavily scrutinized in like, you know, edge cases around the use of them don't crop up as often when the story came up. This is actually going to be a throwback to yesteryear. If you're an old person, gray beard or gray hair like me, when I, when I heard this story. It made me think. So back in the day one of the ways that like was kind of popular to get onto a Windows box was walking up, right? It would be locked, it could be like a printer or a kiosk or whatever. And you could just hit like the control button a bunch of times and you would like trigger the sticky keys. Accessibility service because it thought you like basically had like.

A (51:37)

What'S the disease that Parkinson's? Like it probably wasn't exclusively for Parkinson's but like basically that you couldn't, you couldn't manipulate the keyboard. Like your hand dexterity wasn't good enough to manipulate a keyboard. And like you're just banging on a key. So it would like pop up and ask you if you wanted to, you know, use like sticky keys or something like that. But you could basically utilize that to pop a shell. And then once you pop a shell, obviously you can execute whatever commands you want and then take over the box. And that was like kind of a popular technique for a minute there. Eric Taylor is going to be joining us on Jawjacking for the second half. He's also.

A (52:16)

He'S also of the same generation and he may remember that particular tech technique too. You can comment on it. Unfortunately you can't really disable accessibility services. It's a built in function. Just be aware if like from a CISO perspective, here's what I would tell you. If you allow your staff to bring their own device into the work environment, you have to have some type of like mobile device management possibly. If you're like advanced, possibly have some type of like.

A (52:51)

Like oh my God, what's the word? Operation check. But you can basically like check the profile of a device before granting it an IP address on the network. Again in a, in a modern zero trust architecture environment like that they don't need the phone on the corporate network in order to access corporate resources. You can access your email and your OneDrive and all that other crap. So that's not necessarily.

A (53:16)

Exclusively a good control. A posture checking is what I'm thinking of, posture checking. So just I guess the TLDR here is like if you're going to allow folks to control their own devices, you're, you're, you're taking on additional risk because you can't, you can't control the device fully, which means they can install malware and stuff. This is why you have to educate them. Do posture checking. Look for devices that are, you know, basically behaving badly and then hope you know, because unfortunately, you know, this Malware is quite effective. And you know they're going to get your creds, get your money, get your. All these things, steal your SMS text messages. Heaven forbid you have a compromising photo of yourself or a loved one on your device. And they get that because then they're going to extort you. So gross.

C (54:10)

EU users share less data. The European Commission approved Meta's plan to give Instagram and Facebook users in the EU the choice to share less personal data and see fewer personalized ads starting in January. The move follows a 200 million euro fine earlier this year for violating the Digital Markets Act. Meta says the changes make the privacy option more transparent through updated wording and design. This is the first time the company has offered users a choice over how much data they share.

A (54:48)

Yeah.

C (54:49)

Are you subscribed?

A (54:50)

I'm pretty sure that this is like Meta's.

A (54:54)

Like essentially compromise or bending the knee to the eu dude, at the end, listen, so this is a privacy thing. The EU has gdpr. The EU is very forward on civil liberties around individuals privacy rights. And Meta is, you know, like Meta is one of these companies that wants all your data because they sell the crap out of it. And that's why Mark Zuckerberg is one of the wealthiest people in the world. It's. It's because they harvest data all the time and do things with it. The EU is punching them in the mouth. They have multiple times been fined at this point, billions of dollars. Okay. And I don't know about you, but if I was fined $1 billion, I would probably treat it like I grabbed a hot pan. I would immediately pull my hand back and not go touch that again. Yet Meta continues to. To operate, which means one thing and one thing only. They are making more than that amount of money operating in those spaces. So this right here is, to me, this is a. They're just making this decision because it's the best option to allow them to continue to operate and get that data while also complying with whatever regulations are being punched down onto them so they don't get fined. That's it. That's it. Full stop. Way to go, EU citizens. You can opt out again. I'm sure Meta is banking on the fact that a lot of people are not going to opt out of it. I would even imagine, hey, have a good one. Live. I have to imagine that Meta would almost implement some type of, like, diminishing functionality to the device or the app if you choose not to share your data. Right? Nothing super overt, but.

A (56:50)

Just. Just something that's a little burdensome, something a little frictionful. So you would want to opt. Opt in. You know what, here's my thing. I like. Charles Fin Frock proposed this about two years ago and I'm still all in on this one. Charles Fin Frock, who's a friend of the show, he said, why don't they just offer to give me a piece of the money? I'll sell Meta. Like I'll opt into every program Meta has for. For harvesting my data. Just give me a little taste, you know, give me 50 bucks a month. You're probably making way more than that. Just give me a little taste. You can you hook me up to everything. Take my data, I'll sell it. So, you know, there is that.

B (57:34)

All right, guys.

A (57:44)

All right, guys. We did the thing. This has been Simply Cyber's daily cyber threat brief podcast coming to you live from the remote studio here in glorious Austin, Texas, where the cars are driverless and the barbecue is tasty. I was your host, Dr. Gerald Ozer. I hope you got value from the show. If you did, hit the like button and tell a friend. More importantly.

A (58:09)

If you didn't like it, let me know in chat. I'm definitely open to constructive feedback if it comes from a place of actually interest in trying to help the show. If you just want to tell me I suck, you can put that in the comments, but it's probably not going to lead to any process improvements. You know what I mean? All right, don't go anywhere because we are going to be pivoting like Ross from friends to Jawjacking. Jawjacking is a 30 minute ask me anything program. Your host will be Eric Taylor. Eric Taylor has extensive amounts of experience in cyber security digital forensics. Incident responder definitely got his finger on the pulse. I will be. I'll be back.

A (58:54)

In the in the buffer oer flow studio tomorrow, so don't sweat that. I'm Jerry from Simply Cyber. Be well. Take care everyone. Thanks so much for everything. And until next time, stay secure. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered and totally free. Let's level up together. It's time for some jawjacking.

B (59:28)

Good morning, good afternoon, good evening, wherever the world you are. Welcome to Jawjacking. Great to see you all. It is Tuesday after all. You know, we got past the. The dynamics of yesterday with all the train wrecks and the. The proverbial train, not literal train wreck but you know, the train wreck that is it on Monday, you know, if you know, you know, you've been in the industry for a while. But yeah, we've, we're here, we're here to talk, talk shop, talk some stuff.

B (60:01)

I do have discord up mod chat mods I haven't pulled up. I think Jerry may still be in the background, I'm not sure. Jerry, if you're still there or mods, let me know if we have a 9:30, so that way I can quickly link that. I didn't hear Jerry talk about it, so I'm not sure. But anyway, if you're new here, this is kind of the way this thing works out.

B (60:27)

You know, I want to talk about a couple things or whatever. In the meantime, if you have a question about cyber security about it or whatever non political, I should state that. Man, my hair is uber messy today. Anyway, put a Q and a colon mark into the chat and let me know what your question is. So when I do my fine, you know, control F and search for that, I could be able to find it. Right, so, and then we'll bring it up and we'll talk about it. You know, something I've been doing the past couple of weeks and I, I think the feedback has been really, really good to help Jerry, myself and other people on this channel know what kind of audience that we have. But we do appreciate it when you do this. If you haven't done it before or if you feel like you wish to do it again, let me know in chat. And everybody, you know where you are in the country. I know you may have done that already in the beginning, but let us know also how many years of experience you have in what industry you're serving. You know, where are you at, how many years of experience you've got and what industry are you serving? We're not asking you to o set yourself, you know, we're not asking for your company and your boss and all that. But we're trying to make sure that we, especially going into next year.

B (61:51)

You know, we are making sure that we are catering, especially me, the jawjacking to the audience. So I don't want to feel like I'm talking down or talking over, vice versa, you know, things of that nature.

A (62:02)

Right.

B (62:03)

We do have one question. What is a good office desk chair? So mine that I've had is called an X chair.

B (62:13)

I like it. It's pretty freaking expensive though. But I've had this one, geez, four, maybe five years now, and it's held up pretty good. It's about time for me to get another one, but it's. It's held up pretty, pretty well there.

B (62:31)

I forget the brand, but I know a lot of the YouTubers use like a. I forget the brand name, but a lot of them have the same brand.

B (62:41)

It's like a gaming chair.

B (62:44)

But mine's extra. Like I said, it's. It's worked really, really well for me.

B (62:53)

So no questions. Let me pull up my internal cti. What do we. What do we got going on that I have not looked at yet this morning?

B (63:13)

Is this behind a paywall? Let's see.

B (63:25)

Okay, let's talk about this for a second. I'll put it in chat.

B (63:30)

This just got released by Microsoft. I almost said micro crop.

B (63:35)

That's the entire screen. Screen two. And we will not share audio because I don't have a chance to shut everything down.

B (63:45)

Oh, Secret lab. That's it. Thank you so much. I. I was racking my brain about that other chair that we see a lot of YouTubers using.

B (63:57)

Let me reposition myself. There we go. So SMB Server really affects the SMB2, which is a connection protocol that you'll use for network telephony and shared folders. So apparently there is a possible fix for a memory link, a memory leak. Say that correctly, that would be coming out. So definitely keep that link in your back pocket. Definitely keep an eye on that. Because that could be something that could break your network shares, especially on your file servers on your dc. You know, we don't see any releases yet, so it is coming soon to an update near you.

B (64:48)

A lot of CVEs getting posted right now.

B (65:01)

Trying to scroll past the cves.

B (65:08)

Oh, this may be relevant. Let's see.

A (65:10)

Sorry.

B (65:11)

There was literally almost like 65 CVEs that were just posted this morning.

B (65:18)

So let me make sure this is not behind some sort of goofy paywall. No, it's not. Cool. So let me drop it in here and we'll talk about this for a second.

B (65:28)

Where's my. There it is. Jerry's. Jerry's One is a lot different setup for Restream is a little different than mine for some reason. Whatever. My digress. So Great Bravos. Castle Loader actively clusters multiple target industries. Okay, what is Great Bravo? I know. Castle Loader is either go or lay. Go, Laying or rust application. Instant Group continues to monitor Great Bravo, formerly tracked as tag 150. A technically sophisticated and rapidly evolving. Everybody's technically sophisticated.

B (66:10)

Identified in September 2025. Great Bravo demonstrating strong capability Blah, blah, blah. Great. Bravo operates as a malware as a service. Okay, what industries are they targeting? For example, one customer.

B (66:31)

Key findings uncover.

B (66:36)

Hopefully this is not just a BS story.

B (66:46)

Oh, somebody called Jerry. It's not really a good infograph, but it's definitely a file tree.

B (66:54)

Company organization chart of sorts.

B (67:00)

Oh, here we go. Look at that sexiness. All right, so victim in on unsecure HTTP BPS likely talks.

B (67:16)

Interesting.

A (67:17)

Okay.

B (67:21)

Castle Rat Remote access Trojan built in C and Python. Oh, I was wrong. I thought it was like golang. So it is C and Python. Okay, see this is one lesson everybody needs to take away. As soon as you think you know it all, man. No, and I never claim to ever know it all. These things are always advancing. Okay, so we do have some C2 servers. So if you are running an EDR, immediately hang up the phone, go check these IP addresses to make sure over the past 30 days or 90 days, however long your, your data set is and make sure that your devices are not communicating with these. You know, this is a trust but verify situation.

B (68:12)

Where. Sorry, I'm getting a call.

B (68:16)

You think your EDR would detect these things. But make sure do your due diligence. Don't just be like, Ah, my EDRs, they're great. They're great. They'll, they'll, they'll never drop the ball. Always, always, always, always check. Because most ers. Let me, let me tell you something.

B (68:35)

Look, let me pull the fast food secret club person, you know who I'm talking about. Come closer.

A (68:43)

Right.

B (68:44)

Losing over. No, the.

B (68:48)

You know your E. A lot of your EDRs will. Only when they do, when they add new IOCs into the behavior analysis for the EDR platform, it's only going to take from that date and time forward. But they give you threat hunting capabilities. So that way you can go back in the past and look. So don't ever assume your EDR is going to take whatever new IOC they've had and do a backward search capability to see, you know, has anybody ever done that or whatever communicated on that one. Right. So always do your due diligence, ladies and gentlemen.

B (69:27)

And that's literally what I'll be doing. Right? So typically our workflow is we'll see something like this, we'll do a thread hunt, we'll do an assessment of this type of thing and then we send off an email or we send out, you know, communications in out of bands platform, depending on what the preferred method of communication is as a spot rep report. So it's like, hey, this is what we're seeing right now, this is the Iocs that we're seeing. And, you know, we want to make sure that we did our due diligence. You're not currently impacted by this. Rest easy.

B (70:10)

Ah, he knows. He knows. He does.

B (70:20)

All right, let's see if we have any questions I need to get caught up on.

B (70:37)

This is not starting off as a good question. Good morning. Question, friend. Kid is a diabetic and was told that the app out there was hackable. I did not find anything. But is there real risk of hackers hacking the app and messing with the insulin pump?

B (71:00)

Okay.

B (71:05)

We're gonna get a little biblical.

B (71:08)

I mean this from the bottom of my heart. We're not about to go to church, but I have a long standing rule.

B (71:16)

The only thing perfect is from heaven above.

B (71:21)

If man made it, man can break it.

B (71:28)

Everything is hackable. Oh, there's even a book. There's even a book. Hold on. I forget who made this.

A (71:34)

Hold on.

B (71:34)

I just got a new.

B (71:38)

Bookcase over here, so all of my books have moved over.

B (71:44)

And I think.

B (71:47)

I can't remember if it's an ebook that I got or if it's an actual book book, but hold on a second.

B (72:03)

Oh, this is close. This is close. Yeah, but this is what I was thinking of. Okay.

B (72:08)

If it's smart, it's hackable.

B (72:12)

Y. I think Jerry's even talked about this book a little bit. Very, very good book. Those who know me know that, you know, if I want a good nap, I'll actually sit down and read a book. Otherwise, I'm listening to the audio book.

A (72:28)

Yeah.

B (72:30)

If man made it, man can break it the way it is. That's why cyber security is never going away, ladies and gentlemen.

B (72:39)

But, yeah, again, not time trying to get overly biblical, but if man commit. If man made it, manual can break it, and most of the time, they will.

B (72:52)

Yeah, I did say micro. I said that a lot off air and in person.

B (72:58)

Oh, did y' all see Those who are IT admins, CISOs, things of that nature. Microsoft, earlier this year, they increased the rates for the home user. But this year, or going into next year, all business is licenses are going up. So, you know, not trying to flex, but Our organization uses E5.

B (73:24)

Just because I need to make sure that everything we do is as secure as humanly possible. And we're going down CMMC level two, and I want to go play in traffic.

B (73:36)

But the. So we pay 57 bucks per user per month for an E5 license.

B (73:45)

And it's going from 57 to 60. So another 3 bucks per user. It's going on to your bottom line for your fully burdened cost of your team members. So good luck with that one, ladies and gentlemen.

B (74:07)

Let's see. No more questions. Do I have anything? You guys are very, very quiet today. Why is that?

B (74:17)

More CVEs. More CVEs. More CVEs. More C. You know, let me just get into one of my other. Let me get into my C, my actual CPI instead of my, my RSS feed.

B (74:31)

And I actually got asked one time on LinkedIn by a user that actually watches the show. So if you're there, I'm not going to mention you. One, because I can't remember. But two, if you remember this conversation but shout out to you the somebody was fussing at me because I won't share my CTI platform horn on stream. I'm like, what? I've been open. I use a platform called Open cti.

B (75:01)

But it does pull in a lot of, you know, data, but a lot of data that we. That is pulling in is from trusted sources that are still considered TLTP Red.

B (75:20)

So making that stuff public on air.

B (75:24)

Is not allowed. And while I would love to just show it, but I never know until I start scrolling through it. What's tltp? Red versus green. So. Oh, looks like Deadlock has got some updates.

B (75:42)

Deadlock ransomware. Oh, see.

B (75:54)

Village of Gray Manor considered playing ransom, paying ransomware.

B (76:01)

I might have even missed that these guys were impacted.

B (76:13)

Question from the real Kaka, while I'm getting this thing spun up, what do you recommend for running self hosted malware? Sandbox for an organization.

B (76:32)

Oh, you know what, hold on. Hold my beer, ladies and gentlemen. Hold it, hold it for me. Can you do that for me?

B (76:42)

Let me see if I can find it relatively quickly. Bear with me one second.

B (76:54)

Is this it? I don't remember if this is it. It is.

A (76:58)

Okay.

B (77:02)

Let me pivot this over to a different browser.

B (77:08)

Bear with me a moment, ladies and gentlemen.

B (77:16)

I was looking at Cape. I've heard things about Cape, both good and bad.

B (77:26)

However.

B (77:31)

And we'll bring this up. So.

B (77:38)

All right, so what the real Kaka is referring to is key, which is the sandbox book where it goes through and you know, was a sandbox. I mean for your first deployment, sure, go through it. But if I'm not mistaken, the actual installation of Cape I thought was deprecated.

B (78:05)

I thought, I thought.

B (78:09)

Let'S double check.

B (78:16)

Like a lot of the repositories would not load.

B (78:22)

Oh, so there's A version two.

B (78:26)

Oh.

B (78:28)

So they've resurrected this. So if you don't know up here, there's a V2 there.

B (78:39)

And this was recently updated.

B (78:43)

Okay. So I will. The real cow. Cow. Let me go through this.

B (78:50)

Yeah, because Cuckoo Sandbox was started back in 2010 but this thing looks like it's been.

B (78:58)

Brought back to life.

B (79:01)

And if this is true.

B (79:05)

This is very, very cool. And then I would change my answer to highly recommend this.

B (79:14)

Again. I'll go through it and I'll try to. I'll report back next week. So I'll. I'll spin up a vm, I'll go through this and do this. However, if it's not true, I'll post these guys.

B (79:30)

This is a repo to use non in production. This is for testing purposes only.

B (79:39)

However, if you're doing a sandbox with a Windows or Linux vm because if you didn't know you can run Sysmon in Linux, right? So I would put in this Sysmon config trace XML file into there and it does a lot of logging, a lot, a lot of logging. The Sysmon config is very, very beneficial to it. So definitely take a look at it and even says right here a config by Cyberwart Dog that logs just everything with a few examples for debugging or threat hunting purposes. And I've used this a lot in a Windows OS and a Linux OS and I highly, highly recommend using that trace XML because it's going to give you a lot of the same information that you'll see from a cloud repo and things of that nature. And I went with that because again CAPE was deprecated and let's see if it actually shows release. Okay.

B (80:52)

And I just couldn't get it to freaking install.

B (80:57)

So I ended up going and doing the, the Windows and the Linux sandboxing and did the trace with Sysmon on there with some other custom configurations and that's worked out well for me for the past, I don't know, four or five years.

B (81:15)

So.

B (81:24)

Playing in sticks this morning, it's addicting. Yeah, literally get, get a platform to ingest all of your sticks data. Seriously. Open CTI will do that very, very easily.

B (81:57)

Enter. I want to star that because that is entered.

B (82:03)

That one was entered.

B (82:08)

And that one was answered.

B (82:15)

Foreign.

B (82:21)

As far as payload extra execution sandbox. What do you think about Chasm where I've never messed with it. And again the what I just mentioned before now you're literally launching a payload and doing analysis on it. So I mean, that's just another platform.

B (82:44)

But if you only need it for a temporary couple minutes, I would just say just use app.any.run to be honest with you. I mean, it's a great resource. You can use it for free. It's got a limited time. If you do a paid subscription, I think you have up to five minutes in the sandbox. I believe memory serves me correctly.

B (83:14)

Let's see what everybody's talking about in chat.

B (83:33)

Why y' all talking about Proxmox?

B (83:48)

Oh, virtual machines inside of Proxmox is doable, to be honest with you. So.

B (83:56)

I use VMware Workstation Pro. It's free.

B (84:01)

For personal use and I'm personally using it.

B (84:08)

To be honest though, I've tried to pay for a license and they refunded me my freaking money.

B (84:15)

So, you know, I tried to do the honest thing and they just refunded. So whatever, just freaking use the Pro version. I shut off the network work thing on it and I just launched a VM on my local workstation. If I really think it's nuclear, I'll move it over to my DFIR workstation and use a VM in there.

B (84:35)

But, you know, if you don't have.

B (84:39)

You know, sharing turned on, if you, if you just have drag and drop and the network is off. I've honestly messed with some really, really nuclear things and it's never impacted my workstation.

B (84:55)

I've accidentally isolated myself a lot of times doing that though, so there's that.

B (85:17)

I would love if anyone could invent or create a tool where you can trade back trace all the spam calls. Yeah, good luck with that. So the problem with that theoretically is the PBX system that the scammers are using. Because.

B (85:36)

If you've never set one up, especially the new PBX system systems that are void.

B (85:43)

A lot of them are going to use SIP trunks and they're just authenticating as with an IP address. And it's up to the provider to configure the cid, the phone number that it's being called from. Right. So I literally can call you and state that I'm 911. It'll show up as 911 on your phone. It's very, very easy to do that. That's why a lot of you'll get a call randomly. Like I just missed a call from this number. I never called anybody. It's because there's just randomizing numbers. So.

B (86:36)

Is there anything else to talk about this morning?

B (86:48)

I'm not seeing anything on my feeds.

B (87:00)

All right, let me just check Moddy Chat.

B (87:07)

I don't see anything over there. All right, ladies and gentlemen. Well, I guess it's a slow conversation day.

B (87:14)

Like I said, not really much going on in terms of news this week for the most part.

B (87:21)

Last week was pretty busy, but.

B (87:26)

Yeah, I will try to be on the panel for this Friday. But until then, thanks for hanging out and joining me. I greatly appreciate it and I will see y' all next time. Until then, stay curious and go out and try to touch some grass if you still have some available. It's not covered up by that mysterious white stuff called snow. Throw my sunglasses or my glasses. We'll see y' all next week. Take care.

B (87:54)

There once was a kid whose passwords laid across all sites.

A (87:59)

They were the same.

B (88:00)

A criminal then found their fame by taking that data to go.

A (88:07)

Soon may a criminal come to steal.

B (88:10)

Your pictures and data and run.

A (88:13)

One day when the crime is done.

B (88:15)

They'Ll steal your account and go.

A (88:23)

Hey everybody, I hope you enjoyed that content. Keep the cyber security train going by connecting with the other Simply Cyber community resources. We have the Discord server that's lively and always keeps the conversation going. You can connect with me directly on LinkedIn and also every single weekday morning on the Simply Cyber channel. We're doing live daily cyber threat briefings, 8:00am Eastern Time, as well as Thursday at 4:30pm we're doing live stream interviews with industry experts and we produce videos that we push out every Wednesday morning. I'm Jerry from Simply Cyber. I hope you enjoyed the content and we'll see you in the next one.

B (88:59)

I'm gonna go out and touch some snow. I love it. All right, later, guys.