Loading summary
A
Good morning, everybody. Welcome to the party. Hey, listen, if you want to get up to date on the top cybersecurity news stories of the day so you can be a more effective, more impactful and more desirable cyber security professional, whether you're SOC analyst, grc, something in between, you are in the right place. Welcome to Simply Cyber's Daily Cyber Threat Brief podcast. I AM your host, Dr. Gerald Ozer, coming to you live from the Buffer Osier Flow Studio. Welcome to the show. Get comfortable. We're going to be leveling you up over the next hour like a bunch of bosses. Let's get cooking. All right, good morning, everybody. I want to say what's up. Mara Levy, ZMEF, Roberto Zavala, Ernet, 100. Tammy. What's cooking everybody? It's great to see you. If today's your first episode of the Daily Cyber Threat Brief, welcome to the party, pal. It's great to have you here. All about good times. Today is episode 1067, I believe, on this beautiful February 12th, it's Thursday, which means we're going to be doing the top cyber news stories. We'll go through eight of them and at the mid roll, halfway through, we take a little bit of a break and Dan Reardon has made a custom piping hot meme. It just came out of the oven. This thing is spicy. And it's all about good times and laughs. So stay tuned for that. Now you might be like, listen, Jerry, I can read the news myself. I can do these things. I get an RSS feed, I have an AI bot that curates a news feed and sends me an email every morning. That's fantastic and I'm happy for you. But what you need to know is that in this show we like to go a little bit further, a little bit deeper, beyond the headlines, past all that noise and ultimately giving you level ups by dipping into the 20 plus years of experience I have, as well as, you know, the countless years of experience that the Simply Cyber community has right there above my head. So, first timers, welcome to the party. Drop a hashtag first timer if you are in chat with us right now. Hashtag first timer if it's your first episode and you're in chat with us and you're wanting to let us know so we can welcome you. We have a nice, we have a nice, very nice sound effect and emote that we bomb first timers with. It's kind of like a digital hug, you know what I'm saying? So drop it, hashtag first timer. Heck, even if you're not a first timer. Just drop a hashtag. First timer.
B
Let's.
A
Let's collectively welcome you. All right, Every single episode is about value. So of course, up there we go. Owen is the N. Owen is the name. First timer. Welcome to the party. Owen. Welcome to the party. And of course, Christopher Icia. Guys, we like to do value up in this piece. So every single episode is worth half a cpe, so half a continuing professional education credit. So all you got to do is say what's up in chat. Hello, Elliot, Good to see you. Say what's up in chat. Grab a screenshot. You are part of the show. Season beefs. Second timer. Love it. Just say what's up. You're on the show. You're part of the experience. You're. You're part of the live. Okay, so say what's up in chat and grab a screenshot, Include today's date. Include like the date is in the show title. February 12, episode 1067. Grab. When you take the screenshot, have that in the screenshot and file it away. Once a year, you count up those screenshots, divide by two, that's how many CPS you got. It's simple as that. A lot of long timers up in here. Simply cyber. So hot right now that Hansel so hot right now. All right, so we got the news, we got the cpes, we got our first timers. I don't research a prep for any of these stories that are coming up. I don't even know what they are. Ain't nobody got time for that. So be real with that. I got open Claw back here. I got open claw back here cooking for me. Make sure there's nothing too sensitive on the screen. Oh, that has been an experience back there. Back there. All right, guys, Every single episode of the Daily Cyber Threat Brief is sponsored. I'm very, very, you know, grateful and pumped for our sponsors because I. I believe in them. I like them. Many of you know, many of you know these, these sponsors, these partners of ours. So let's talk about them for a minute. Okay? We got a special one. This one's very timely. Hey, Flare. So Flare is a cyber threat intelligent platform, but they are got Flare Academy. Now listen to this. This is today at 10:00am to 10:45am so this is a very special window, a very special opportunity. So if you are free today at 10am so about two hours from now, anthropic AI cyber threats in security in the LLM era. Guys, this is going to be very special. Head of Cyber and national security partnerships at Anthropic. Anthropic. The. The people behind Claude, the people who are like basically driving this entire project back here. The brain behind many of our tools. That guy or that business, they are having this guy come on. Which is probably why it is such a. Unusual window. The guy probably only had this window to work with. So, guys, I gotta tell you, I'm gonna be teaching at this time. I hope this is available on replay. I want to hear what they're saying. AI. I was on a panel yesterday for a webinar. Guys, AI is moving at breakneck speed. In fact, I actually. I don't know if you saw this. Go to Simply Cyber IO Flare to sign up for that. Let me show you this. I actually posted this yesterday on LinkedIn. Cyber pros aren't struggling with AI governance because they don't understand risk. We're struggling because business is moving at innovation speed and governance is stuck at committee speed. Look, we got the old 67 Chevy with a jet engine strapped to the roof of it. This is what we're dealing with, guys. So get informed, get educated. I. I'm gonna watch this on replay. Go to simply cyber IO/flare to sign up. Now it's free to sign up. It's free to sign up. All right, so thank you, Flair. I do. I do appreciate them. Also want to tell you about material security. Yeah, boy. Listen, your cloud workspace is more than just email facts. No printer. So why does your security stop there? Well, material delivers complete protection for Google Workspace and Microsoft 365 going beyond perimeter defense to secure email and files and accounts across your entire environment. With advanced AI detections and automated threat responses, Material correlates signal across the workspace to identify risks others miss. It protects sensitive data in inboxes and shares files, monitors account, monitors account access and third party apps. And conveniently automates remediation from phishing responses to user report. Triaging the result, you mature your security posture and scale protection without. Without adding headcount. You want to be the listen. You want to stand out to your bosses. You want to get on management management's radar for a good reason. Add security, scale, security, reduce risk without adding headcount. Hello. And the best part is it's at the same cost as traditional email security. Ready to secure your workspace, y'. All. Learn more simply cyber IO material. Simply cyber IO material. Hey, Kelly Crosby. Kelly Crosby's in the house. Welcome to the party, pal. Welcome to the party, pal. I do want to say special shout out to one of our younger listeners. And I'm one that I'm a big fan of. Want to say what's up? To Aiden? I know Aiden's watching. It's part of his routine. Aiden, welcome to the party, pal. Welcome to the party. Also, Aiden's gonna get a double shot. Little Ric Flair. Woo. All right, Aiden, enjoy the show. All right, everybody, quick word from Threat Locker and then I'm gonna need you to sit back, relax, and then we'll finish that after we hear from Threat Locker. See you at Zero Trust. By the way, Zero Trust World. I confirmed arrangements. I'll be doing the daily Cyber Threat Brief live from the show floor for three days in Orlando in early March. So if you're interested in being part of the show, come on down. I want to give some love to the daily Cyber Threat Brief sponsor, Threat Locker. Do zero day exploits and supply chain attacks. Keep you up at night. Worry no more. You can harden your security with Threat Locker worldwide. Companies like JetBlue Trust threat locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com DailyCyber. All right, everybody, do me a favor. It's very simple. It's as. It's as easy as getting the CPEs for being here and part of the show.
B
Cyber security headlines.
A
Relax, I'm not done with my intro. Computer. That's the thing with these AIs. They just. They don't know. They're. They don't know their lane. Stay in your lane. Computer. Jeez. All right, everybody, here's what I need you to do. I need you to sit back wherever you are. Sit back even if you're in the car driving. You know, kind of move those shoulders a little bit, get comfortable, right? Relax. Because what we're about to do is have the cool sounds of the hot news wash over all of us in an awesome wave. See you guys at the mid roll. All right, now you can do it. Computer. My computer's like you're a meatbag. I do the news.
B
These are the cyber security headlines for Thursday, February 12, 2026. I'm Sarah Lane. Crazy gang abuses employee monitoring tool. Security researchers at Huntress say a member of the Crazy Ransomware gang is Abusing legitimate employee monitoring software and the Simple Help remote support tool to stay inside corporate networks, avoid detection, and prepare for ransomware attacks. In observed intrusions, the attackers installed Net Monitor for employees to watch screens, transfer files, and run commands, while also deploying Simple Help under disguised file names for backup, access and and disabling Windows Defender. The attackers monitored systems for cryptocurrency, wallets and remote access tools. And Huntress says both incidents likely came from the same operator using stolen SSL VPN credentials.
A
All right. Stolen SSL VPN credentials without multifactor authentication, I might add. Obviously. You are so dumb. You are really dumb. For real. I, I don't get it, man. Just put MFA on, on your vpn, broseph. What are you up to? It's like smoking the, the sticky icky, rolling out VPN concentrators without mfa. Bruh, this shirt's choking me out here. Listen, this is pretty good. This, this makes me think of the, the, the call scam, like the Indian call center scammer. YouTube. People who like hack in and then one of the first things they do is get onto the closed circuit tv. These guys did it. So listen, any tool like, like, like a handgun, right? Like any tool that can be used for, for good intent, good purposes, business operations sometimes can be weaponized for crime, right? Just like a gun can protect your home or it can be used to commit armed robbery, these tools are used to essentially spy on your own employees, which I, here's my thing. Like if I'm being really objective here, if I'm being truly objective, is there a problem? You know, and I guess chat, you know, like, let me know what you're, what you're thinking. Like, is there if I give you a company issued asset like a laptop and you're, I'm paying you to work like 9 to 5 or whatever, do I ethically and legitimately have rights or you know, warrant to install monitoring software on your computer? This was really huge during early Covid when remote workforce was going everywhere and people were like over employing like five jobs. People were not, you know, you like mouse clickers were being, or mouse jigglers were being quite a popular download. You know, like, just so you know where I stand on it, like I, I, I think it's, I think it's okay if you tell the employees it's there. I, I personally wouldn't do it. But, but having said that, I, I don't think it's a breach of privacy or something. It's turning on the camera and like I don't know. Like, it's. It's really sticky topic, but. But I could see the. The case for it. Okay, but when you do that and a threat actor finds it, well, guess what? They can weaponize it themselves and spy on employees. Now, of course, they weren't just turning on webcams and being creeps and lurking about. They were monitoring for crypto wallets. So now it turns into. Now it turns into a, you know, like, not whack a mole, but like these threat actors are. Are basically spraying and praying, right? Like, they. They don't know when they take over these accounts whether or not the victim's going to have a crypto wallet. I. I don't have a crypto wallet. My Aunt Dorothea doesn't have a crypto wallet. J. Crypto has a crypto wallet, though, right? So, like, you know, you may or may not get a hit. You could see here they tried to use the classic. NET User administrator active. Yes. To add a local. Or like, either add a local administrator or activate the local administrator account. Powershell commands for persistence mechanisms using Living off the land binary. So that's another technique to help kind of stay under the radar while also maintaining persistence. Yeah, I mean, I guess here's what I would say. Oh, my God. Disabling Windows Defender. This is another, like, hallmark of threat actors, man. Basically, when a threat actor, you know, the, the commercials, and this might just be a United States thing, but there's a company called Mucinex that sells medicine that, like, breaks down mucus buildup and nasal congestion and, you know, whatever, right? Congestion in your chest. And it breaks it down. And they have this commercial campaign where the. The mucus is, like, personified or, you know, anthromorphic mucus, and it's like, breaks into the house and, like, sets up shop. That's what these threat actors are doing. More sophisticated threat actors will break in effectively, and then they'll start setting up shop by disabling your defenses, establishing multiple levels of persistence mechanisms. Thank you, Dan. Multiple persistence mechanisms and basically execute their actions on objectives. I will say, when you do something like this, they're looking to stay around for a little while, like smash and grab ransomware. Threat actors like, you know, lapsus and scattered spider and stuff like that, they don't care. They're not. They're not trying to build the dynasty. They're just looking to get paid today. You know what I'm saying? All right, so here's the deal. Learn from this situation. Number one. Let me. Let me tell you what you need to do with this one. Okay, Regardless, if you're running simply Help Simple Help or whatever it is or you know, whatever remote management. Whether you're running Microsoft Defender or Crowdstrike, it doesn't matter what I'm about to tell you. The lesson learned here is product and vendor agnostic. Number one, anything in your environment that allows users from the Internet to authenticate and get access to resources internally should have multi factor authentication. Period. Full stop. Number two, if you are going to be putting in these tools that allow, you know, gross remote, you know, visibility, like basically spyware, then you should include reviewing that spyware with some increased frequency and regularity. Like I'm not looking at Microsoft Word in my environment to see what's going on. But like this is a tool that is embedded everywhere on every endpoint and has super user privileges effectively to do it. Whatever you want on all those boxes. That's powerful. So obviously you don't want a threat actor to get that. So you should increase the either like detections around the use of IT or re, you know, increase reviews. If you're, if your program isn't mature enough for automation and soar type things, then manually review these things. And if you want, I mean, I don't know, man, you might want to put some detections in place that like if someone runs the command net user administrator active. Yes, maybe, maybe the security team gets a slack message immediately notifying you that this just ran on an endpoint. I don't know. Maybe it's a good opportunity. This is a great story for basically as a case study of what to look out for and how to learn from it. Because this threat actor basically did multiple parts of the kill chain. This is very nice. Also did not require phishing. They got creds and logged in through the SSL VPN as a, as a legitimate user. So you know, you could put conditional access also. So then when the threat actor logs in from like, you know, Cambodia, Belarus, Romania, whatever, and they're not logging in from South Carolina, you can immediately flag it and break it down like that.
B
Unveils new data classification. Nevada's IT agency introduced a statewide data classification policy months after a major cyber attack disrupted state systems. Under the new framework, agencies have to label data as public, sensitive, confidential or restricted, with stricter safeguards applied when classification is unclear. Officials say the policy establishes a shared baseline for protecting information and will underpin future cybersecurity measures, including multi factor authentication as lawmakers continue broader reforms such as creating a state security operations center.
A
Okay, George. All right, Grc Mafia, if you're a squad member here, you've got access to the Grc Mafia. There we go. Oh, I have a membership milestone. 36 months. Hey, all right, Team SC, let's go. There we go. I've got 36 months. I'm celebrating. All right. Okay, so Grc Mafia, let me, let me break this down for you. So first of all, way to go, Nevada. You know, continuing to push forward with privacy related, I guess, regulation, I mean, it's not really regulation, but in the United States we have a patchwork privacy regulation situation going on. It's not very good. And in this instance, Nevada is saying, listen, we're going to start using official categories for, for data sensitivity levels. That way if we say, oh, the data in this database is restricted, then maybe certain level controls have to be put in place or you're only allowed to store public information in these systems or whatever that is the benefit of having data classifications. Eric Taylor with 34 months. Thank you, Eric Taylor. So listen, I'm gonna, I appreciate this. This is great. Now what I'm about to tell you is why people tune into the Simply Cyber Daily Cyber threat brief, because you might read this and have formed your own opinion right now and said, oh, this is great. Data classification. Cool. All right. By the way, quick, quick, quick one here. I think it's MP. MP6. MP6. Data labeling. Oh, come on. Ah, media sanitization. Damn it. MP5. No. Oh, my God. Gross, Jerry. Nope. All right, I guess I'm, I guess my NIST853 is weak. There's definitely one around media. It's in the MP family for sure. We're going to look at this really quickly because I just, I want to point it out to you. Media marking, MP3. Dang. All right. Oh, Dream Logic. Become best friends.
B
Yep.
A
Thank you very much. Dream Logic. Dream Logic for the super chat. Definitely appreciate that. So media marking has been around, this concept has existed for decades. In fact, a lot of people, if you want to think about it, when you say that's top secret, that information's classified, right? You've, you've heard that since the 50s, right? That is the same thing. Now here's, here's why you listen to this show, okay? I have worked in this space for decades, okay? The only time I have ever seen, seen media categorization work is in the US Federal government with seek like classified and unclassified information, okay? That's the only time I've ever seen it work because they have separate facilities Separate skiffs. They use, you know, separate computers. They have separate real labeling. You're not allowed to take things in and out of those skiffs. That's the only time I've ever seen it work. This right here is great. Implementing a media classification like capability or function at your business is incredibly difficult. And here's why. First of all, the, the first problem, okay, like, let's just pretend these aren't in these orders. If I said, listen, here's some data. Who's here? Marcus Kyler. Marcus Kyler. Here's some information. Marcus, Marcus, here. Here's this piece of paper. It's, it's a categorized confidential. Okay? And here's another piece of paper. It's, it's restricted. Which one is more. Which one's got more like requirements around it. These terms are like, they're not subjective because they have definitions. But if you're just talking about, you're like, oh, that's confidential. Oh, that's restricted. Oh, that's sensitive. Like these terms. It's not.
B
It.
A
I wish it was like public. One, sensitive, two confidential. Three, like, people are going to get confused over what means what and what requires what next. People in your environment are constantly generating content. You've got analysts writing reports. You've got executives writing writing strategies. You've got data scientists doing exports of data. They're all doing their job and generating new information. So I generate, listen, I, I take a bunch of data out of a database that's marked confidential, but then I develop insights based on that data and then I, I write a report. Is, is, is the insights also confidential? I don't know. Maybe not. Because the raw data is not there. Is the, is the, is the action plan based on those insights considered restricted because it's a competitive advantage in, like, here's the reality. I don't know why I'm getting so frothed up around media marking, but it's, it's always been a pain point of mine. The reality is this is fine on paper and we can all wrap our head around slapping a sticker on a document and saying, oh, this is confidential. Don't share it. Everybody can wrap their head around that. It's in practice when you try to ask 3,000 employees to all adhere to this in their daily routines, where it breaks down and it will break down almost immediately. And you're going to get situ. I, I'm going to call it right now the year is 2028 because it's going to take a, a year to 18 months probably for this thing to start showing its cracks. There's going to be some, some story comes out about some, you know, end user or engineer who put something that is confidential out there that was not marked correctly in the state of Nevada and it's resulted in a data breach because they thought it was public or sensitive and they put it in an AI tool or an AI tool crawled over it and absorbed it and they're going to be like, well I didn't know, I didn't know. Like, like I love it. Don't not do it. I'm just telling you, I have seen this in multiple environments fail. I've only seen it work once it's in the federal government with classified and unclassified and even that doesn't work all the time.
B
Health care breach impacts more than 620,000. A 2025 cyber attack on Georgia based physician group Apollo MD exposed the sens of 626,540 people. According to a new filing with the US Department of Health and Human Services, hackers were inside the company's systems for two days in May, accessing names, birth dates, addresses, diagnosis, treatment details, insurance data and Social Security numbers. The Chilean ransomware gang claimed responsibility. Cisco Talos says the group published data from about 40 victims per month last year micro.
A
All right, so the Killing Chilling Quillin ransomware gang, what however you want to call them, they have been on the rise. I mean they are like legit coming after you. Look at killing ransomware. I mean, I don't know. As far as I'm concerned, like this is pretty. Like oh, they even have a cool logo. Damn. Oh man, they made like a magic the gathering like profile card for these guys. I wish they didn't do this. Like this is like this looks cool. Like if I was a ransomware threat actor. Oh, I guess I am. Mike, where's my card? We're flaming donkey. We need a cool look too, right? Like, like to me this, like this encourages like we as secure. I mean obviously this is made for marketing and for security practitioners to get all frothed up and juiced up on. But like I don't know, if I was in this ransomware gang I'd be like oh check it out, look at cool. Look how cool we are. But anyways, be aware of Chilling Killing makes me think like immediately at this point. Miter attack framework. They do have the CTI for group Cyber Threat intelligence for different groups. I'm just going to do a quick contrl f for chilling. There's only two instances of it and it's the Water Galora group, also known as Gold Feather. See the like. I've never heard of Walter Galore Water Galora. But yeah, here you go. So anyways, since the killing ransomware gang is so increasingly predominant, what I would do at this point, depending on your information security program, I would start looking at their ttps at Miter Attack. So I'm going to drop a link to this in chat and this, this is like how practitioners work. This is how frankly GRC professionals work in, in concert with their sock analyst counterparts at the security operations center. If your information security program is mature, then you can begin to look for specific TTPs of specific threat actors. Okay, so killing chilling ransomware, they attack. It's a. Ransomware is a service which means they don't necessarily have a target industry that they go after. But healthcare and manufacturing are typically 1A and 1B as far as like heavily attacked industries in the last year or two. So what I would do is if you work in healthcare or you work in manufacturing and your information security program is, you know, you've got a lot of the fundamentals in place, you might want to start looking at the chilling ransomware gang and start looking at their ttps, maybe run some atomic red teams on some of your endpoints just to see if your current security configuration detects the type of ttps that they're executing. If it doesn't, you can do detection engineering and update your sim, update your edr, like put in some controls in place. So if it does happen, you will know sooner than later. These guys were in there for two days, which isn't a very long time if you think about it, but two days, you know, everybody who works there went to work, went home, went to work, went home, like just going about their day with no idea. So you don't obviously want that. So what I would say is that's how I would handle. Now listen, if you, if you work at a company and you're a loan operator, right, ad tech's in here, you're a loan operator or something like that, or you just have a immature information security program. Maybe you work at a, you know, a small dermatology clinic that doesn't have any cybersecurity professionals, it's you, you're the IT person and you're responsible for that. Or, or you are like a small town Ms. MSP and you're responsible for like several clinics. Cybersecurity, you know, just do the best you can. At that point I wouldn't even be Looking at ttps, I would just be like, you know, MFA on the things, EDR on the things. Obviously this practice is going to get a HIPAA wall of shame treatment, but, you know, it's whatever you can see here. The killing ransomware gang has targeted healthcare industry repeatedly since emerging several years ago. So yeah, if you're in healthcare, you have an increased likelihood of unfortunately being a victim of this group.
B
Computer Store Outlook add in hijacked to steal accounts Researchers at Koi Security say a legitimate Outlook scheduling add in called Agree to was hijacked after its developer abandoned the project, letting a threat actor take control of its hosted content and turn it into a phishing kit. The malicious version showed a fake Microsoft login page inside Outlook and stole more than 4,000 account credentials along with credit card details and security answers, sending the data to attackers via telegram. Microsoft has since removed the add in from its marketplace and researchers say it may be the first malicious Outlook add in discovered there.
A
All right, so this isn't good. How did it get compromised though? Let me look here. Oh, okay, so this is interesting. This is a dimension of cyber attack that you should be aware of. We see this on GitHub a little bit more often. But basically, check this out. Microsoft Outlook, you. There's an add in, right? All these things have like little extensions. It's like a Chrome browser extension equivalent, right? Oh, I can add this little feature in my Outlook and then I can make getting meetings with people super easy. No problem. It works great. I've used it for years. Very legitimate. The problem is the developers of that tool abandoned the project. Just like GitHub, just like open source software, nobody is compelled to maintain it. It's a voluntary basis. It's a, it's a, it's a passion project. Well, the developers, maybe they got a job, maybe they got bored, maybe they got angry at people having unrealistic demands of them for features and they abandoned it. Now some clever threat actor picked up the project and then weaponized it. Brilliant. Now I will tell you, while this is a brilliant attack, couple things. One, it's. The likelihood of this is not that high in general. Let me explain. Number one, a threat actor would have to find a project that's been abandoned. That project would have had to have been successful enough to have been deployed in some capacity. And whoever installed it would have to be of some value to the threat actor, right? So like there's a lot of like if then if else then kind of conditions that all have to be true for this to line up to be bad. Whether it's this agree to app or it's, you know, any app. Again, like, sure, if you have users running this agree to extension thing, it's a problem. We got to get it sorted out. And we'll look at how to get it sorted out in a second here. But the bigger, more like conceptual threat, because it's agreed to today, but it can be diphthong tomorrow. And who's he? What's it the next day? Right. I want you to think about this kind of attack vector so as you're doing your job, you can think about it and see these things. So abandoned projects picked up by criminals and the user base has no idea because they're not getting notified. Like, the, the developers don't send an email out to all the people who subscribed and said, like, hey, I'm abandoning this project. You're on your own. We got a first Timer in chat. T12YK3N T12. I don't even know how to read that, but, well, it makes me think it says Tekken, even though I know it's not Tekken. So at T12. Welcome to the party, pal. Welcome to the party, pal. All right, Martini Kelly, first timer, three exclamation points. Martini Kelly, you go on with your bad self. All right, so here we go. This is the Microsoft Marketplace again. Completely legitimate right off, absolutely free. A lot of authority. Probably had a lot of, like, reviews. All right, see, this is the problem. Once, once a piece of software is in the Microsoft Store, there's no further review. That's why an abandoned project is dangerous, because the threat actors are riding on the coattails. Yeah. Eric Taylor saying in chat that the threat actor registered the domain name or bought the domain name that had been previously supported. This is, this is a not an uncommon thing, right? When there's abandoned projects, abandoned tech, abandoned businesses, and someone scoops in and picks up all of the trust and authority that that business had developed. Way to go, Koi Security. They're always doing nice. So 4000 Microsoft account creds with credit cards and banking security answers. Again, I would strongly encourage you to put multi factor authentication on all your things. Okay, let's see. I'm just looking now for any type of, like, call to action as far as getting this sorted out. Yeah. If you have it installed, it's recommended to uninstall it immediately. Recommended? Recommended just doesn't seem strong enough a word here. I will tell you. I don't know if there's an easy way to scan your environment and see if any of your users are running this Outlook add on. So there's got to be a way. Hold on. Is there a way to scan my, you know, environment to see if end users have Microsoft add ins, you know, installed? Let's go Gemini. All right. Yes you can. Yes sir. Yes sir. All right. You can use Intune to monitor discovered apps or query registry keys. That's what it says. I, I probably wouldn't use intune. Microsoft 365 apps admin center. Go to the inventory page and see add ins. All right, so here is the deal. Like look, I'm gonna drop this like query in chat. If you have access. This will take you all of two minutes. Go look in your environment and see if anyone has this agree to installed. And if they do, if you're an admin, uninstall it. And if you can't uninstall it, go to them and tell them they must uninstall it. And, and before you go to their desk and tell them, disable their password or force a password reset.
B
Huge thanks to our sponsor Threadlocker. Want real zero trust training? Zero Trust World 2026 delivers hands on labs and workshops that show CISOs exactly how to implement and maintain zero trust in real environments. Join us March 4th through the 6th in Orlando, plus a live CESO series episode on March 6th. Get 200 off with ztw ciso26@ztw.com all.
A
Right, hold on, hold on, hold on, hold on. I'm kind of feeling. I don't know man. Hold on, give me one second. I'm trying to do something here. I don't know that song. I trying to find a song. That we can play. Blow out the copyright. Ah, I'll do it another day. All right everybody, thank you so much for being here. I appreciate all of you. It's been very nice. We're at the mid roll. Holy crap, it's 8:45. I'm gonna have to. I'm gonna have to boogie really quickly. Thanks to the show sponsors, Threadlocker, anti siphon flare and material. Just a quick word about anti siphon training. They're disrupting the traditional cyber security training industry by offering high quality, cutting edge education to everyone regardless of financial position. If you are in Denver right now, shout out to you. Let me know, let me know if you're in Denver, like drop what's up in chat. Might be able to connect with other Simply Cyber Community members. You can see all the training going on in Denver right now. Quick shout out to Eric Kum. Guys, as I've mentioned before, if you're interested in learning about Active Directory's new security enhancements and how to adapt to them, secure ideas own principal security consultant Eric Kuhn's going to be doing a free one hour training next week, Wednesday, February 18th at noon. Still time to register. It's free. Here's my thing. Get it on your calendar, simple as that. Get it on your calendar and then move on. All right, Every day of the week has a special segment and Thursdays is Dan Reardon. What's your meme? Dan makes a special meme for us and it is the Olympics. I do love myself some curling. So, ladies and gentlemen, I give you your meme of the week. There we go. So we got it. Looks like Dan has gone ahead and invited John Hammond to the US Curling team. Of course, there I am throwing the stone in all of my mullet glory and Dan is a sweeper, getting after it. So Steve Young, here you go, Team USA's alternate team. This is me, John and Dan are the, the alternates in case they need us, okay? Like team, Team B. So thank you very much, Dan. Love it. All right, let's Finish strong, everybody.
B
0Apt ransomware group rises. Researchers at Halcyon and GuidePoint Security say the new 0APT ransomware group likely inflated claims of about 200 victims in its first week, with no evidence confirming most of the breaches. Halcyon says the group's victim list appears to be a publicity stunt to attract affiliates, but warns its ransomware code and infrastructure are real and could pose a genuine threat. GuidePoint says the encryptor itself isn't especially advanced and notes the group still needs proven access and lateral movement capabilities to carry out attacks.
A
All right, so threat actor group called 0APT, they do have infrastructure. They do have a encryptor, I guess it's not super complex, which is fine. Very weird. This, to me, this reeks of young. This reeks of like, you know, 18 to 22 year olds who, who don't necessarily know how to execute this business well, but they are flexing so they. See it says most signs suggest the group is running a massive hoax, but at least some of the threat poses is grounded in truth. They inflated pretense, maybe a ruse to create a sense of momentum, gain recognition and attract affiliates. So guys, I'm telling you, these ransomware gangs nowadays, they're like a business, like legit, like a business. And they make a lot of money from affiliate having affiliates go out and Infect people. But if I'm, if I'm gonna like dabble in being a criminal, am I gonna go with a group I've never heard of or am I gonna go with like Lockbit, you know what I mean? Like, or, or scattered Spider, like some type of like wellestablished known threat actor group, right? So these guys have to market themselves and look like the hot new, you know, the girlfriend meme where the, the guy's looking back at the girl walking down the street even though he's got a female next to him, right? Presumably his girlfriend. That's all these guys are doing. They're trying to get you to turn your head around and look back. This is the first time I've heard of that. We, we have seen threat actors that are liars or will take credit for somebody else's attack or compromise, but it doesn't happen that often. And a lot of times they don't want to do it because the threat actor groups, they're like, they're not a gang, but like there is a criminal, you know, underground. And if you're like, if you're like, if you're like crapping on people in there, it's not going to be good for you long term. Like, imagine if you will, like I, I downloaded like a John Hammond YouTube video and like deep faked my face over John's face and then published it on Simply Cyber. And I'm like, look, look, I've got, you know, a log 4J demo right now, right? Like everyone's gonna know it's, it's what I did and it's gonna tarnish my reputation. So that's similar. Like you don't see this very often. Just to me, like, there's no action here. All this is, is worth noting. And keeping in mind on also really quickly update on the thumbnail. I've moved from, you know, ridiculous over the top gauze now to like one of the special thumb bandages. So if you've been on thumb watch 2026, there's your update.
B
Devilish Devs Spawn Chrome extensions Security researcher Q Continuum identified 287 Chrome extensions with about 37.4 million total installs that allegedly exfiltrate users browsing histories to to more than 30 companies, including similar web SEMrush, Alibaba and ByteDance. The study used automated testing to link browsing history with outbound data, finding many extensions requested unnecessary history access while disclosing the collection only vaguely in privacy policies. About 20 million installs were tied to unknown collectors. Windows 11 Notepad FoA lets files executer.
A
Jesus, man, I'm telling you, like mark tape. February 12, the start of the revolution for the AIs. Not pausing when I'm asking them to pause. All right, so hey, devilish devs, but this is probably a feature, not a bug. Sounds like they are harvesting your. By the way, welcome to modern age where data is the new gold and data is worth a lot of money. Your browsing history is worth a lot of money. Now you might be like, who cares? Like I go to scry like for me, right? I go to scryfall, I go to Chase Bank, I go to Simply Cyber. Ooh. Like who cares? And that's always been the argument of like, at least in my experience it's been the argument of people who aren't really like into privacy. They're like, who cares that I'm going to these websites? All right, so two things here. One, they are doing this 37 million installs. They're taking the data and they're selling it. I guarantee you they're selling it to these 30 plus recipients. There has been multiple pieces of research done that show it is not that difficult to piece together pseudo anonymized information bits and identify you you personally. All right, now it could be, it doesn't need to. I don't need to know this is Sierra Montgomery's computer. All I need to know. Well actually let me change that because I don't want to make any assumptions out Sierra here. But like the, the, the, the, the people they're selling this to might not need to know it's Jerry Oer's computer. But they could say, all right, this guy is like on scryfall, like which is a magic the Gathering like database. He's doing these other things. He, he regularly goes to cyber security related websites. He regularly goes to Amazon. Okay, so he probably is an engineer or a technical person based on like what he's looking at on Amazon. He's probably older, he's probably a dad. He, he's pro. You know what I mean? Like they could start piecing together this profile of who you are. And by the way, just spoiler alert, I know this is going to be really know that we all think that we're special and that like, you know, there's only one of me. I'm unique. If you've done anything with AI, you might realize that it doesn't take much for it to like kind of guess like what you're into and what you might like and all these other things because we we can all be kind of put into buckets or categories, right? Like I'm a, I'm a middle age, well, middle aged, right? Mid, mid-40s. But like I'm a middle aged American family man living in suburbia who, who likes pro sports and you know, magic the G. Like, like I'm not. There's a bunch of people just like me, right? So that's what they're selling there. So if you're into privacy, this is concerning, but they're just selling your data. This is not cyber criminal activity. This is not any of that. Now I do want to say really quickly, this information could be weaponized though, right? So say you're going to, you know, prawn hub or you're going to, you know, like how to, how to, you know, your Google history is saying all sorts of things like how long does a body take to, you know, expire in the cold, right? There was a really famous case not too long ago where that was like a Google query, right? So like your, his, your, your browser history might reveal things about you that you actually don't want to go out publicly. Maybe you're into some kind of like unusual socially unacceptable fetish and like you're going to websites for that, but you don't want like your church to know about it, right? That information could be taken and then used to extort, blackmail, etc, you as an individual. So just be mindful of that silently.
B
Microsoft fixed a high severity Windows 11 Notepad vulnerability that let attackers execute or remote programs through malicious markdown links. The flaw let specially crafted links launch files without any Windows security warning, giving attackers the same permissions as the user who clicked them. The February patch Tuesday update now adds warnings for non standard links and Notepad will update automatically through the Microsoft store. Joker, opt, seller, arrest.
A
All right. Windows 11 Notepad flaw executes markdown links okay, dude, I love Markdown. I've tried to use Obsidian. Markdown is, it's kind of like a formatting language for basic, you know, text files. I always end up like using Markdown and then when I copy and paste it into something else, it like has all the hashtags and all that crap and it's like, oh my God. So There was an RCE VUL in Windows 11 notepad. Don't sleep on Notepad. It comes pre installed with every single Windows operating system. Attackers could execute local or remote programs by tricking users into clicking specially crafted markdown links. Yikes, that's gross. So here's the deal man. Someone sends you something and says, check this out. Just that. Here's an email. Attached is a markdown file. Check this out. Here's an email with a link to a markdown file. Check this out. You know, I mean you could, you could easily. Dude, social engineering people's wicked easy. Like here's, here's two tickets to the Masters in Augusta. Here is nudes of somebody. Like here is password spreadsheet. Hey, you know, here, here's like 25 off coupon. Click here. Right. All right, let's see. I'm trying to see. I didn't even know notepad supported markdown, honestly. Yeah, you can see what markdown looks like. Okay. Discord supports markdown. February 2026 Patch Tuesday. So just recently CVE 2026, 2820841 Listen, I want to call your attention to this one because unfortunately for us, every single one of our users in our environment is potentially vulnerable to this. You have 1/10 of 1% of seeing exploitation in the next 30 days. So that's, that's good to know. All I would say here is, Hold on, I'm trying to figure this out really quickly. All someone has to do is create a markdown file and create file, colon, slash, slash to point to an executable. So this is actually quite trivial to execute. You'd have to have a piece of malware or some type of executable to pull down. But this is trivial is. So did they fix it? Yeah. Ah, you gotta patch it. That's it. Go patch it. Make sure that this gets sorted out because you have a massive attack surface here. Also, I don't think you want to like block markdown files at the, at the email gateway just because a lot of people use Markdown, but Jesus, I'm stunned that it took this long to figure out.
B
Dutch Police arrested a 21 year old man suspected of selling access to the Joker Opt phishing tool, part of a three year investigation that dismantled the service last April. Authorities say the phishing as a service platform caused at least $10 million in losses across more than 28,000 attacks in 13 countries. By automating calls to victims to capture one time passcodes. The suspect allegedly sold licenses via telegram, and police say dozens of buyers have already been identified and will face charges. Something's wrong.
A
Yeah. All right. Hey, Joker, you're going to jail. This was definitely a feature rich fishing platform. $10 million in losses, 28,000 successful attacks. I don't know how much this dude was selling it for, but this, I mean this thing was like, you Know a robust business. Let's see how much they were selling it for. Like I'm sure it was like a monthly subscription. It doesn't say how much this thing was. If I had to guess, you know, a couple hundred bucks a month you could get access to was. Even if you had Multi factor Authentication, it could attack it. You would have to, you would have to trick your, the victim. Right? Because it would call them and I guess get them to put in a PIN number that they're getting. Right. So this OTP is the, is the Multi Factor Authentication. It's a one time password, that's what that acronym stands for. And can be sent via sms, which is basically a text message or an email. The codes typically only last like a minute or two. Right. And this is what they do. They would log into the user account, get challenged for the one time password. It would send it to the victim. The victim then would automatically call the victim or the attacker would call the victim automatically and pretend to be a legitimate representative and get them to give the password, the one time password. Ultimately allowing it. So basically this is a platform that allows bypassing of MFA and compromising user accounts. And they were getting PayPal, Venmo, Coinbase, Amazon Banking credit card. Right. It's a thing. It sucks. It took three years to get this guy. But you know, it's a good one W. For the, for all of us good guys. All right, Check it, check it out now. All right everybody. Holla, holla, holla, holla, holla. Let me check something really quickly. All right. Looks like no jawjacking today. Our Thursday host, Zach Hill is Wild West Mile high festing out there. But that's okay guys. I hope you got value from the show. I want to remind everybody later today. Well, two things. One, I got your whole day planned for you, okay? Check this out. Today at 10am so in 57 minutes, don't sleep on this. Go to Simply Cyber IO Flare. Simply Cyber IO Flare register. This is literally the head of security at Anthropic, a multi billion biz dollar business that didn't exist like two years ago. Three, four years ago. Right. I mean this thing is, it's anthropic, okay? This isn't people talking about Anthropic. This is the dude in charge of cyber at Anthropic. This is going to be an absolute watch on replay for me. I hope you can make it. If not, that's cool. But what I do want to say is come on down today at 4:30 for Simply Cyber Firesides 1. I'm asking you to come down because I'd love to. I'd love to have a great. A great show today. Great engagement, great opportunity. And the topic is AI governance. Guys, Shadow AI is all over the place. This is like, literally. I posted this on LinkedIn yesterday. We're struggling with AI governance. It's a real thing, guys. It's a real thing. And unfortunately, the speed of innovation is much, much, much faster than the speed that we can govern. So how do we solve those problems? Critique Doshi's coming on. We're going to be talking about it. So this is going to be a solid GRC Mafia experience, guys. Thank you all so very much for being here. Robert Hendrickson, let's get together, man. I want to give you your Simply Cyber Community member of the Week award. I just don't know how to get a hold of you. All right, everybody, I'm gonna go teach the Citadel cadets. What are we doing today? I'm gonna. Actually, you know what we're doing today? We got labs on Thursday. I'm going to teach them. I'm going to have them install a root kit and pretend to be a threat actor with the torn root kit. Kind of an older one, but it's a great one for teaching and educating, overriding binaries and doing all sorts of nonsense. So that's what's up, guys. Be well. Have a wonderful Thursday, and I hope to see you at Simply Cyber firesides at 4:30pm Remember, you can always go to Simply Cyber Simply. Oh, my Jesus. Simply Cyber IO schedule. Simply Cyber schedule to see all the upcoming streams and shows and register for them to get a calendar invite so you won't miss them. You can see right here. Critique Doshi Shadow AI. You just click on it and boom, you can get a calendar invite. It's as simple as that. Simply Cyber IO schedule for all that. All right, guys. Surreal. Now, I'm Jerry from Simply Cyber. You guys were Wonderful. Today was February 12th. Episode 1067 until Thursday until 4:30pm Stay secure.
Host: Dr. Gerald Auger (Simply Cyber Media Group)
Theme: A practical and insightful breakdown of the day’s top cybersecurity news, focusing on actionable takeaways for SOC analysts, GRC professionals, and business leaders.
Gerald Auger welcomes listeners to a packed, high-energy episode focusing on the cybersecurity stories shaping the industry—eight key threats and trends, each examined not just for what happened, but for what listeners should do differently or watchful for as a result. Mixing education, real-world advice, and community engagement, this edition covers everything from ransomware attack vectors and privacy policy pitfalls to Chrome extension abuse and evolving challenges in AI governance.
[11:40]
Auger’s Take:
"Any tool that can be used for legitimate business can be weaponized for crime... Like a gun can protect your home or be used for robbery." (13:07)
[20:54]
“Implementing a media classification program is incredibly difficult... It will break down almost immediately.” (24:10)
[28:43]
"These guys were in there for two days... everybody went to work, went home, no idea." (33:42)
[34:29]
"This is a dimension of attack you should be aware of—abandoned projects picked up by criminals." (35:13)
[46:05]
"They're trying to look like the hot new [thing]... This reeks of young, inexperienced operators." (46:46)
[49:46]
"Your browsing history is worth a lot... It’s not hard to build a profile about you from this." (50:34)
[54:37]
"I’m stunned it took this long to figure out… Patch it now, because every user is potentially vulnerable." (55:12)
[58:22]
"Good win for us, took three years to get this guy, but this was a robust business." (59:04)
Bottom Line:
This episode arms listeners with fresh threat intelligence, practical action steps, and a reality check on the current landscape—where trust, hygiene, and quick response still beat panic or silver-bullet solutions.
For More:
Catch live episodes daily at 8AM ET at https://simplycyber.io/streams.
Full schedule and replays: https://simplycyber.io/schedule