Dr. Gerald Auger
What's cracking, everybody? Welcome to the party. Today is Tuesday, February 24, 2025. 26. Oh, my God. This is episode 1075, I think. Hold on. Let me. Let me take care of this really quickly. I. I don't have the chat up right now. Chat. So this is Simply Cyber's Daily Cyber Threat Brief. If you're looking to stay current on the top cyber news stories of the day while having fun, getting educated, being entertained, and hanging out with one of the coolest communities on the block, well, then you're in the right place, my friend, because this is Simply Cyber's Daily Cyber Threat Brief. I am your host, Dr. Gerald Auger, coming to you live from the Buffer Overflow Studio. We're going to have chat on here in just one second, and then you will be part of the show, too, if you can imagine that. Ding, ding, ding. There we go. Look at that cooking up there. Guys, do me a favor. Get your coffee, get comfortable, and get ready to have a wonderful Tuesday morning with the Simply Cyber community. Let's cook. Yo, what's up? Hold on. Oh, let me get this. We got show sponsors. They got to have their logos on the screen. There we go. Look at these guys. Straight up, making it happen. Guys, good morning. I'm super excited for this Tuesday. And Simply Cyber's Daily Cyber Threat Brief. 1075 episodes in a row. Sometimes I don't let it fully sink in how wild it is to do a thousand shows in a row, but here we are. And I got to tell you, it's all definitely because of you. I show up every day, but without you guys, you know, I don't know what we'd be doing here. James McQuiggin at 35,000ft with a squad membership. Wahoo. Sounds like Mario. 38 months and loving every minute of it. What an amazing community. An amazing leader and host like Jerry. Team SC. Hash cup, coffee cup. Cheers. Coffee cup. Cheers to you, James McQuiggin at 35,000ft. Guys, I want you to know we're gonna go through eight stories. We'll talk a little quieter for Space Tacos, since she's in lurker mode. Eric R. Stratton.
Good to see you, bud. What's cracking? Rocking with you. Hey, listen, guys, if. If you didn't know, we're gonna go through eight stories. I don't research or prep for any of them. I repeat, I do not research or prep. Ain't nobody got time for that, for any of them. And that's what's up. We're gonna do this live, you know. Know what I mean? Keeping it real. It's 8:03 where I am in the low country. Wherever you are, good morning. We do have an international community, so some people in Australia are staying up late. Some people on the left coast, Sierra Real, Bilbo, Elliot Mati, Phil Stafford. It's dark where they are, getting up early to be part of the live. Genuinely appreciate it. I know it's not easy to be consistent, believe me. And I appreciate it. If today's your first episode, you picked a good one. Welcome to the party, pal. We love asking anyone who's here for the first time, whether you're here the first time live. Fleetus posting the third. Great cash, homie. Wrong button. Did we just become best friends? Yep. Thank you. Fleetus, post in the third. If you're one of the folks who just picked up a squad membership from Fleetus, post in the third. Do jump into that emote tray and use the Oprah emote. It's the way that we say thank you in community here on Simply Cyber. Thanks, Fleetus. It's very kind of you. Hope you're well. Dude, if you're here for the first time, whether you just stumbled into us, a friend told you, maybe you are scanning, doom scrolling the interwebs and this popped up in your feed. Maybe you listen to the audio-only podcast and you're here live for the first time on video, drop a hashtag first timer in chat. Hashtag first timer in chat. We love welcoming our first timers and letting them know that they are welcome here. No stupid questions, no exclusivity, no gatekeeping. It's literally, are you about, like, literally. Here's the application to be part of Simply Cyber. Question one: Are you all about good times?
If yes, welcome to the party, pal. Welcome to the party. If no, you're not all about good times, well then I'm sure there's a community for you somewhere. But so hashtag first timer in chat, we will play a special sound effect. The squad members will rain emotes down on you in the most loving way possible. Every episode of the Daily Cyber Threat Brief, including this one, is worth half a CPE. CPEs are good for days. Continuing professional education credits. Jim Wales. Jim Wales. Hell yeah, dude. Good to see you, Jim Wales. If Tom Bishop is creeping around. Tom Bishop, hope you're well, if you're listening. Oh my God. Somebody told me that they're like a lurker. Gary Sturgiatis. Gary is listening in the car, I believe. Gary, good to see you. Love myself some Gary. I. All right. Hey guys. Every episode's half a CPE, so say what's up in chat. You appear right above me on the stream. Grab a screenshot to include today's title of the show, which would be today's date and unique identifier, 1075. File it away in a folder on your desktop. Once a year, count up the files and divide by two. That is a simple way to get CPEs. I know there's a little bit of math involved, but with AI these days, you can just ask AI to cut it in half. You know what I'm saying? Every single episode of the Daily Cyber Threat Brief is sponsored because without the sponsors, I can't bring this show to you, my wife and myself. It would be considered, I don't know, completely reckless to just be like, I'm gonna quit my job and just scream in a, in a, in a shed in the backyard and, you know, we'll figure out, we'll figure out how to pay our bills. So thank you to the stream sponsors, those who enable me to bring this show to you. I also stand by these sponsors. Big fan. Starting with Antisyphon Training. I know AB is doing the Cyber Fundamentals. We'll take a look at that really quickly.
Cybersecurity Fundamentals. Antisyphon Training brings high quality, cutting edge cyber education to everyone, regardless of financial position. And right now, this week, they're doing Cybersecurity Foundations. This already kicked off. Yesterday was day one of four. Today is day two of four. If you are attending John Strand's Cyber Foundations course, please let us know in chat. And if you are, I hope you're getting good value from it. Let me tell you about this Wednesday. You want to learn about red teaming with AI. Oh my. Say what? AI is hot. And honestly guys, I'm gonna start leaning into AI security content for my produced videos that drop every Sunday at 4pm Eastern time. So definitely check those out. But you guys, I interviewed you yesterday, you said you wanted more AI security stuff. I will be doing that. But hey, don't wait until I start making the content. You can get OWASP LLM Top 10, which would include prompt injection, which is probably the number one attack that you should be mindful of when it comes to AI. So if you want to learn red teaming, and honestly, this is valuable for defenders and just practitioners in general since this is so new. This is a free one hour training. Free one hour training. My recommendation, register for it and then decide to go. Time of all right. Obviously do want to say shout out to Flare and Flare Academy. If you go to simplycyber.io/flare, simplycyber.io/flare, you will be presented this web page. February 25th. Tomorrow from 11 to 1pm. Two hours. You got two hours of free instructor-led content. Now let me tell you why you'd want to consider going to this. And by the way, it's simplycyber.io/flare. Let me tell you why you'd want to go to this. CTFs, or Capture the Flags, happen in just about every cyber conference, and they're a great way to network. They're a great way to, you know, kind of test your skills, learn new tools and have fun. But they are very intimidating.
A lot of people shy away from doing CTFs because they have impostor syndrome. This two hour seminar: there is a CTF that was done in November of 2025 by Flare. Now Flare is bringing that CTF back as an on-rails experience, meaning they will present the challenge and then an instructor will walk you through actually achieving the solution. Which means you get practical instructor-led skills and you learn tools. This is an absolute banger of an opportunity. I'm telling you right now. If you have the two hours you're gonna learn IDA, Ghidra, Binwalk. You're going to be learning, like, looking at code, reversing firmwares and stuff like this. It's fun, educational, and I guarantee you, like, the best part is you're not going to get overwhelmed by, like, oh what? How do I use this tool? Like, there will be an instructor there to tell you what to do. Definitely check this out. simplycyber.io/flare. I also want to say shout out to Material Security. Material is sponsoring the month of February here at Simply Cyber. Cloud workspace security is hard. Email security alone stops phishing at the perimeter. But that's not enough, right? Today's threats target email, files and accounts. Identity is the new perimeter, I want to remind everybody, across your entire workspace. Material protects Google Workspace and Microsoft 365 by providing holistic visibility and automated remediation across your cloud environment. And it goes beyond phishing protection to detect and protect sensitive data, monitor account threats and respond to risks across your workspace. Material uses advanced AI detections, automates user report triage and delivers flexible one-click remediation for email, file and account issues. I'm telling you, best of all, it scales your traditional security without scaling your team, so you don't need additional headcount. Protect your entire workspace for the cost of traditional email security. Learn more at simplycyber.io/material. I want to remind everybody today is Tuesday.
So at the mid roll we're going to be doing Tidbits Tuesday. You may secretly be picking up on the fact that I am doing all of the sponsor reads at the beginning, which means the mid roll might have a special song. I don't know. Let's hear quickly from ThreatLocker. Next week I will be at Zero Trust World. That's just less than a week away. We'll be doing the show live from the. Simply from the. We'll be doing the show live from the Zero Trust World floor. I think Wednesday, Thursday, Friday, three days. James McQuiggin at 35,000ft will be there. Oh my God. Is my computer frozen? Hello. All right. I guess I'm not frozen anymore. James McQuiggin, Real Bilbo, Kimberly Can Fix It, Kathy Chambers and many more will be at the show live. You guys are going to have a great experience. I'm excited about it. Let's hear quickly from ThreatLocker and then I'm going to melt your face. I want to give some love to the Daily Cyber Threat Brief sponsor, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. Worldwide companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. ThreatLocker takes a deny-by-default approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US-based Cyber Hero support team. Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com/DailyCyber. All right, looks like Real Kyle. Kyle will be there. Also, just also as a fun fact, want to let everybody know I'm trying out something because RSA is coming around. I've decided to go with my RSA look. The collared shirt with the. The zippy vest. Now it doesn't say Patagonia, but you know, this is just like a Spirit Halloween RSA costume. So that's what I'm doing here.
If you're wondering why the heck I'm wearing this thing. All right, let's cook, baby. Oh, hold on. I need everybody to do me a favor. Sit back, relax and just let the cool sounds of the hot news wash over you and you and you in an awesome wave. First timers, drop a hashtag first timer. Let's cook.
Eric Taylor
From the CISO Series, it's Cybersecurity Headlines.
Sarah Lane
These are the Cybersecurity Headlines for Tuesday, February 24, 2026. I'm Sarah Lane. 140,000 affected by U.S. healthcare breach. Nearly 140,000 people were affected by a data breach tied to South Carolina-based Vikor Scientific, now rebranded as Vanta Diagnostics, according to the U.S. Department of Health and Human Services. The Everest ransomware group claimed responsibility for the incident, but the breach appears to have originated at Catalyst RCM, a revenue cycle management provider that detected compromised credentials in its file management system. Exposed data included names, dates of birth, parents, payment card details, medical information and health insurance information.
Dr. Gerald Auger
Oh, wow. Okay, so this is wild, man. So this is a third party risk. Well, there's a lot to it. Okay, so this is Everest ransomware, who is becoming. More and more. I'm hearing more and more about Everest ransomware. So number one, they're beginning to elevate in my threat modeling as something to be mindful of. Number two, this is a healthcare ransomware attack. I told you guys yesterday, I'll tell you tomorrow. And I know Bruise and Hacks and Elliot Mati are tickling my chin here talking about, oh, he hasn't talked about MFA or identity as the perimeter, data is the gold. But listen, you know what, if you repeat it enough times, it sinks in like a fact. Healthcare and manufacturing are the top two industries that are going to get slapped in the face when it comes to ransomware. So if you're a publishing company, you're not immune to ransomware. If you make, I don't know, if you're a B2B, you know, fintech company, you're not immune to ransomware. But if you're in healthcare and manufacturing, you better believe that you are driving or you're walking down a dark alley in a rough city. You, you, like there's a higher, much higher elevated risk of getting slapped. Now this is definitely a third party risk. Just ignore the fact that it's called Vanta Diagnostics. I will do everything in my power not to go Red Hulk just by association, if you know, you know. What I want to tell you guys is the following. Like, dude, ransomware happens every day. And I, I'm not downplaying it, but like, we, I could, I, I could, I could, I could bet you money, I'll put a hundred dollars down that there will be a ransomware attack tomorrow. You know what I mean? Like, and that's easy money. Like, nobody's gonna take that bet. Like, even FanDuel is not going to take that bet. Okay, maybe we do a four way parlay with ransomware and its data exfil over under is 12 gigs of data. Freaking gambling. So anyways, the real story here is understanding.
For those who work in healthcare, you already know this. But for those who don't, healthcare is incredibly entangled in the way that it delivers services. So they mentioned that this company is a molecular diagnostic company, and you might be like, okay, molecular diagnostic, that sounds fine, right? That's not touching patients. Well, the thing is, when healthcare companies call in for labs, the labs get routed to specialized companies that do the labs, and the results come back and they have to communicate with each other and put it into the electronic medical record. And then there's billing and insurance, and they mentioned rev cycle or revenue cycle. This is the entire thing around cash flow and running the hospital operations and making sure that all the things are billed. If you've ever been part of a ba. Not a baby. If you've ever been part of a baby. No, like I don't have a lot of experience of going to the hospital. Like I've, I've been very fortunate never to have been truly sick. But my wife and I have two children. So like we've gone through the delivery process twice, right. And you know, there's like the anesthesiologist, there's the main OB-GYN, there's like other nurses and staff running around. You might have a specialized neonatal practitioner if baby's having some issues and they know about it. So when baby comes out. So like all of those people get billed differently and, and there's like the different payments and different, all that stuff. Dude, it's wicked complicated. So if there's ever been a, you know, industry that really leans hard into, you know, third party and having multiple entities involved, it's healthcare. And I know it's like, I know it's like super cool nowadays to use SaaS products for third party everything, but like healthcare is the OG in that space. So when one of them gets hit, it can have a ripple effect against all of them. Which is why it makes it difficult to manage this risk.
Because there's no way ever you're going to be able to go to the business at a hospital and be like, hey guys, Vikor Scientific, that molecular diagnostic company, I just don't feel that their security is up to snuff. We're going to have to move on. They're going to look at you and say, move on? What, from you? Yeah, we agree. See you. Or excuse me, they'll be like, right, so, you know, this is. This is, if anything, get some cyber insurance and, you know, do tabletop exercises with assumed breach and then start from there. Because this is really difficult to. To reconcile. The one good thing is it was only. Which sounds crazy, it was only 139,000 victims. Of course, they'll have to show up on HHS's OCR's Wall of Shame. That's Health and Human Services, Office of Civil Rights, Wall of Shame. I'll show that to you guys really quickly. It's called the breach portal, but it's lovingly referred to as the Wall of Shame. Where is the breach, bruh? Come on. All right, so here's the breach portal. I'll drop a link in chat. This is fun. Like, quote, unquote fun to kind of look at HIPAA cases under investigation, and then archive means that they've already been adjudicated. And, you know, it's. It's. You're. You're dealing with, like, messaging people. Everyone that appears on this table is more than 500 patients involved. And, dude, like, Oregon Coquel Wellness Center, February 3, 2026, got hacked. So two weeks ago, 500 records. Right? Baltimore City Health Department, Bay Area Community Health. Elliot Mati, Stafford, get some of that 9,900 records. So this breach portal is fine. Back in 2014, like, being on this portal was like, you know, being SMU in the 80s, getting a death sentence from NCAA football. Like, if you were on this list, it was like, oh, my God, we are gonna go in the can with this squirrel. How do we sign up for points for watching Simply Cyber Podcast? Just say what's up in chat.
Grab a screenshot, include the date and title, which is in the title of the episode with the unique identifier. File it away. It's a piece of evidence. Just submit your CPEs, and then once a year, if you are audited, you will have all the screenshots to support it. Look at this. Bosch Choice Welfare. 55,000 records. Central Jersey doing 88,000. I'm sure there's a Texas one in here. That's huge.
Eric Taylor
Hold on.
Dr. Gerald Auger
Texas doesn't do anything small. So let's see. Come on. West Texas Oral Facial. Only 11,000 records. You can do better than that. Texas OB-GYN, 2,100 records. So, anyways, this breach portal is a real thing worth looking at. Yeah, also good point. It's not called points. They're called continuing professional education credits. Maybe we should start a scoreboard here. That'd be fun.
Sarah Lane
Advocates warn against replicating humans. Data protection authorities from 61 countries, including many across Europe, also Canada, South Korea, the UAE, Mexico, Argentina, and Peru, are warning generative AI companies to prevent systems from creating realistic images or videos of identifiable people without consent. This follows backlash over the Grok chatbot generating millions of nudified images of real individuals. The regulators want safeguards against non-consensual intimate imagery, defamatory content, cyberbullying and child exploitation. UK Prime Minister Keir Starmer also announced plans to require platforms to remove non-consensual intimate images within 48 hours or face fines of up to 10% of global revenue.
Dr. Gerald Auger
All right, 10% of global revenue. I mean, I don't know. I mean, yeah, I get it. That's a. That's a very strong way to. To curb behavior. I don't know if you can fine people like that much on global revenue. But, guys, here's the deal. Two things. One, AI is off the chain, right? As far, like, dude, you could take a picture of anyone and say, take the clothes off this person, and it will do it. Grok is. I know some people like Grok. Grok seems borderline, like, unhinged. I'm not going to get into politics and different parties and stuff like that, but the fact that it can do it and do it so well is disturbing. I. I'm almost positive in the United States, like, deep faking. Well, I mean, mostly women, but like, there. There was a rash there where you could have adult film and then, like, splice someone's face onto a female actress. Like, early on, there was like a Taylor Swift one, there was a Daisy Ridley one. And I'm sure it's only gotten better. And there were protections put in place to curb this, either making it illegal or, like, the major adult streaming, I don't even know what you call them, but the websites that people go to to watch that kind of content, we're. We're not hosting that type of stuff. So this has been a thing people know about, and now you can just ask for it with a query, which is problematic because now it can be. You don't need a ton of footage of, like, a celebrity to be able to do this. It could be a picture of, like, your mom, right? Just. Okay, there you go. Your mom. Let's make it personal. So I appreciate that these legal bodies are trying to put in protections. 61 countries published a statement. It says, global data protection. 61 countries. I think there's like 200 countries in the world, so not quite a quarter of them. I definitely think it gets deplorable when kids get involved.
Of course, we're dealing with this current, you know, situation that I am super glad is getting absolutely uncovered and, and continues to be investigated with this creep guy who, you know, may or may not have unalived himself and, you know, Andrew over there in the UK. But anyways, here's what I want to tell everyone about this. We do need to put protections in place. This is one of those ones where government is trying to move at the speed of AI, but still AI is moving so much faster. We're going to get into a situation where, you know, like, let's use X for the first example. X has millions and millions and millions of users. This Grok is on X and has the ability to do this. And they're giving people 48 hours to remove it. So if I say, hey, Grok, take the clothes off of this person and it posts, and it's one of like a hundred million tweets that happened that hour. You know, I'm not, I don't. I'm just saying, like, the actual operation of implementing this is quite challenging. And then, like, if all of a sudden a country's like, oh, you missed your 48 hour thing. Like, you're fined 10% of global revenue. Let me just really quickly. Twitter, global revenue 2025. So X generated $2.26 billion in revenue in 2025. Also, just fun fact, like, way to go. Because Twitter is one of those, like, darlings that was like burning money forever. So what they're suggesting is that if you don't pull a picture down in 48 hours, you owe whoever this global body is $200 million. That's what they're suggesting. Do you really think any CEO is going to be like, all right, let me just cut a check here. So we'll see how this goes. This. There's a, there's a long distance between regulated policy and, you know, global posturing. But I hope it happens. Just as a quick side note around generative AI and people replicating real people on a whim: yesterday, I, I do happen to have a trademark lawyer and I contacted him and asked him if I could trademark my voice and my likeness. Right?
So, because James McQuiggin and others have made deep fakes of me and they look quite real. So I was wondering if you could trademark my, my likeness. Right. Because the last thing I want is some company deep faking me and have all of a sudden, I'm the spokesperson for Vanta, right? So that wouldn't be okay. Guess what? You cannot do that. You cannot trademark your likeness. You can trademark like. Like Matthew McConaughey trademarked "All right, all right, all right." You could trademark that crap, but you can't trademark yourself. Facts.
Sarah Lane
Hulu like Worm targets developers. Researchers at Socket uncovered a supply chain worm dubbed SANDWORM_MODE, spreading through at least 19 malicious npm packages published under two aliases. It uses typosquatting to mimic popular Node.js and AI development tools, executing hidden multi-stage payloads that steal developer and CI credentials, crypto keys and API tokens. It also targets AI coding assistants by injecting rogue MCP servers into tools like Claude Desktop, Cursor, VS Code and Continue, harvesting secrets from local environments. npm, GitHub and Cloudflare have removed the malicious infrastructure, and affected developers are advised to rotate credentials and audit repositories and CI workflows.
Dr. Gerald Auger
All right, so this is attacking. This is looking for AI related secrets like API keys, any type of, anything that basically your AI is going to have access to. And they're using npm packages to basically poison them. So npm is like public libraries, these packages. I want to say, what is npm? Is it. Is it node packages? I don't want to install global, I just want a friggin npm. Hold on one second. I always like to spell out the acronyms. Yeah, Node.js packages. Okay. JavaScript development, all the things. All right, so a lot of people use it. Very popular, threat actors aware of this. So threat actors are putting malicious npm code in there. They're using typosquatting techniques. Typosquatting is a classic technique where it looks like what you think it would be. So like the package is called Beautiful Soup and they swap the O and the U in soup. So it says beautiful sou op. But you look quickly, you're not paying attention and you download it accidentally thinking it's Beautiful Soup. And it's like thinking it's chase.com and it's cha, like the. The a with the two dots above it, dot com. Right? This is typosquatting, and they're trying to steal credentials and crypto keys from AI tools. Yeah, 100%. I mean obviously the goal here is to steal. You know, ultimately they can steal your, use your tokens and your credits to grind their own AI tools. They can get additional secrets if you have, if you've put in API keys to like your AWS infrastructure, or you've put in private keys for authenticating to, you know, SSH infrastructure, or just authenticating to anything in general using certificates that could get in there. They're using malicious MCP servers. So MCPs allow you to kind of, I guess, compartmentalize and modularize functionality and skills for these AI tools into other solutions. So like basically instead of telling your AI to go scrape Google, you can just connect into a Google MCP.
It's like an API, or application programming interface, for your AI tools to be able to get extended functionality. And that's what's up. So number one, be careful, whether it's MCP, whether it's npm like this story is saying, or it is anything. The, the, the OpenClaw skills are super murky. I would not be downloading OpenClaw skills without doing a full investigation into them. This is a hot, hot situation up in here. And I want to tell everyone too, like I've been doing a lot of work lately with Claude Code and with OpenClaw and messing around with them. And yeah, man, it's like there's a lot of, there's a lot of power there and, and you know, threat actors are well aware of it. So this worm-like code is definitely something to be mindful of. It is targeting developers. Of course, my Aunt Dorothea is not downloading an npm package. So, you know, educate your engineering folks, your IT folks, your R&D folks, like basically anyone that's really going to be like screwing around with an integrated development environment, an IDE, anyone trying to vibe code in Cursor, like those people, holler at them and be like, yo, just, you know, kind of be careful. Don't tell them not to do anything because they're going to do it anyways and they'll stop listening. But just tell them, you know, you might want to, you might want to be careful what you're doing in there, right? There was something else I was going to tell you. Oh, really quickly. I don't know if you guys know this, but like I'm trying to. Well, forget it. I won't even bother telling you guys. You guys don't care.
Sarah Lane
Suspected Anonymous members detained in Spain. Spanish police arrested four suspected members of Anonymous Phoenix for allegedly launching DDoS attacks against government ministries, political parties and public institutions following the deadly 2024 DANA floods, which killed more than 230 people. The group claimed the government was responsible for mishandling the disaster. Authorities seized the group's X, YouTube and Telegram accounts and said several attacks were successful.
Dr. Gerald Auger
All right, a four person team under the moniker Anonymous. Remember, Anonymous is an ideologically motivated hacktivist group of very skilled practitioners. Anonymous membership has been very fluid over the years, hence their name, Anonymous. Like, very clever that they made it in such a way that they can swap pieces in and out. They did a distributed denial of service attack, which is, you know, basically blowing something off the Internet, in I guess 2024. See the DANA floods? I don't know what the DANA floods are, but let's see here. Oh, we got some perp walk looking film. Very nice. Their denial of service attacks were on government ministries, political parties, public institutions. Okay, okay, so a natural disaster, effectively. Heavy rainfall and storms affected Spain and 230 people died due to intense flooding. Okay. Many Spaniards blame the government for poor handling of the disaster. So Anonymous took it upon themselves to basically attack Spain. I mean this is the thing, this is what Anonymous does. It's ideologically motivated. They're pushing back against the system. You know, I don't know, personally, I don't know. Like, it was a natural disaster. I mean, I guess this would be like if you live in the United States, to me, if you're trying to, like, for me I was like, wait a minute, why would they fight this government when there was a rainstorm? My first thought initially goes to Hurricane Helene just a few years ago, where western North Carolina absolutely got destroyed, like the Asheville area. And there was all sorts of, there was a lot of very passionate social media posts around how locals were being stopped from going in and helping people, how people were stranded in that area, how FEMA was not allowing people, the military got involved. Are they covering something up? What's going on? And people were pissed off. Right.
So to me I could see, like, a group like Anonymous or something similar, an ideologically motivated hacktivist group, taking action as essentially having some way to lash out at the powers to say we do not like this. Now, for, for better or worse, like, I don't. Here's my thing. Anonymous attacking the government of Spain in reaction to 230 people dying because of floods. Like, I don't know, like, what was your goal? Like, what? Like, Spain isn't going to be like, all right, we're going to bring these 230 people back to life. Like, or were you hoping Spain would apologize? Like, for me, I hate to be so pragmatic and so academic, but like, if you're going to do something, what is the goal? Like, if you're just flipping out for the sake of flipping out, fine, that's your goal. But like, if your goal is to promote change and have some type of impact, like, play it out. Like, I don't know, Anonymous has been around for a long time. They do coordinate on, I guess, Telegram now. I don't know, anyone can technically be Anonymous. That's part of the thing too. So we'll see. They got arrested. They said they were self proclaimed, so I don't know how much. Being self proclaimed Anonymous is not evidence that they were involved in this distributed denial of service attack. So we'll have to see how that goes.
Sarah Lane
Huge thanks to our sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI-powered social engineering. Today's phishing doesn't just hit inboxes. It can sound like your CFO or look like your CEO on Zoom. AI voices, video and deepfakes are turning trust into the attack surface. Adaptive fights back with AI-driven risk scoring, deepfake simulations featuring your own executives, and interactive training your team will actually remember. Take a 3-minute tour or request a CEO deepfake demo at adaptivesecurity.com.
Dr. Gerald Oer
Someone in chat put the Chief Wiggum emotes. I forgot. Hey, when law enforcement arrests cyber criminals... All right, all right, all right, all right. Hey, if you're watching on replay, you're probably curious why this part isn't in the show. It's because it's been cut out in post-production. Hey guys, thank you all so much for being here. Thank you to the sponsors: ThreatLocker, Antisyphon, Flare and Material. It's been a banger of a show. We're doing all right here in my Spirit Halloween tech CEO costume, getting ready for RSA. But before RSA, I'll be at Zero Trust World next week. Super pumped about that, guys. Every single day of the week has a special segment, and Tuesdays is Tidbits Tuesday. I never really... I mean, sometimes I know exactly what I'm going to talk about, but sometimes I don't. I don't know if I've said this one before, but I'm gonna share this one with everybody. Okay? All right. I'm a huge Costco guy. Love, love myself some Costco. Okay. Love Costco. Now I, you know, bless my wife's heart, my children, my family. I will only go to Costco on Monday, Monday evenings. Okay? I've crunched the numbers. I've been to Costco a thousand times. I'm telling you, the optimal time to go to Costco is Mondays between 6 and 8 p.m., period, full stop. You could go Sunday at 10 a.m. when they open, there's a freaking line out the door. You could go Tuesday night right before they close. It's slammed. I don't know what's going on. I mean, obviously it's Costco, so it's awesome. But, like, if you're looking for the best time, Mondays, 6 to 8 p.m. We were there last night. I mean, you're not bumping into anyone. You can just casually move as you wish. If you want to, like, not go with the traditional flow and kind of cut around and double back, no problem. There's no lines at the free sample station, so the kiddos get in there and get what they want. Oh, my God. And then at the registers.
Oh, dude, it is like The Running Man trying to get to a register at Costco. Any other day of the week, it's basically Mad Max. Like, there's probably scenes cut out from the original Mad Max with Mel Gibson where, like, he gets to the bad guy's base and it's just like Costco checkout lines, and all the guys with their football pads and spikes are trying to check out at Costco. It is mayhem. Okay, so if you're a Costco person, holler at ya. All right, let's go ahead and drop to the la la la la's. You know what to do. If you don't know the words, it's la la la la. Just let it wash over you. I'm gonna leave myself full screen so you can watch me completely embarrass myself dancing in my tech CEO outfit. All right, you know the words, guys. If you don't know the words, I'll give you a hint. It's... just, if you have to, close your eyes and let it wash over you. Oh, it's so good. So good, so good, so good. All right, guys, we got work to do. Let's finish strong, everybody. I hope you enjoyed that. If that wasn't your cup of tea, thank you for allowing us to indulge in that.
Sarah Lane
Roundcube flaws exploited in attacks. CISA has added two recently patched Roundcube webmail flaws, a critical remote code execution bug and an unauthenticated XSS vulnerability, to its Known Exploited Vulnerabilities catalog, warning they're being actively abused in attacks. Federal agencies have been ordered to patch by March 13th. Roundcube is widely used via cPanel and has more than 46,000 Internet-exposed instances. Its vulnerabilities have previously been targeted by cybercrime and Russian state-linked groups.
Dr. Gerald Oer
All right, yeah, Roundcube has had its share of problems in the past. Ooh, I mean, I'll take a somewhat geographical map of the world from Shodan. Hey, Shodan. All these pins are showing where Roundcube is. Roundcube is an email solution that, you know, has got a web admin interface, cPanel. In this instance, these are all exposed to the Internet. If I had to guess, this is people who deployed it and are not practicing good cyber hygiene. Here's the deal. I said this before. Scan your Internet-facing assets, see what technologies you have, and then secure them. If you're running Roundcube, you should know that you're running Roundcube. If you have some shadow IT, meaning unmanaged infrastructure, meaning someone deployed it for whatever reason and you don't know about it, shut it down, or make them get an exception, or, you know, put ACLs on your firewall around that IP address, not allowing anything into your network. Right.
Sarah Lane
Fraud investigation reveals Python malware. A fraud investigation...
Dr. Gerald Oer
Obviously, on the Roundcube one: ah, you gotta patch it.
Sarah Lane
...into unauthorized PayPal transfers uncovered a sophisticated Python-based malware campaign involving obfuscation, disposable infrastructure and commercial hacking tools. Researchers at Secuinfra found the infection used hidden PowerShell commands to download a fake svchost executable from infrastructure linked to Tencent, establish persistence and deploy a concealed Python environment. Memory forensics revealed heavily obfuscated payloads, including XWorm RAT, HTran and Cobalt Strike Beacon, along with credential theft targeting browser autofill data and crypto wallets. The system was deemed fully compromised, though the initial infection vector remains unknown, with phishing or malicious downloads suspected.
Dr. Gerald Oer
All right, so let's unpack Python-based malware. So Python is a programming language. It's an interpreted programming language, which means it's not compiled, just for those who are curious. Right. There's different kinds of programming languages. The common ones that you'll see are compiled and assembled, like executables, like .exe or ELF on Linux; those are compiled and assembled. Then there are interpreted. So this is like PowerShell, Python, JavaScript, right. These are ones where you can read the source code, because an interpreter engine takes it in and executes based on what it's interpreting from your source code. There's also other ones that are more obscure, like logic programming, and I can't even remember the other ones. I took a class a million years ago on all these different things. But Python is very popular in cyber security. They're using it to deploy malware now. Let's see what we're looking at here. The victim noticed strange black windows. Yeah. So really quick. I mean, anytime... it's almost a joke for cyber security professionals: if you see a terminal shell pop up and then something happens, and then it closes, pops up, closes, that could be an indicator of compromise. All right, so they had logs. This is another, like, very subtle fact right here that, if you're not paying attention, you may have missed. You'll notice that the first thing that the incident responders did was look at the logs. Logs are vital. If you're not capturing logs, if you suspect something's afoot and you don't have logs, you could take your suspicion and a cup of coffee and move on down the street, because that's about as effective as you're going to get. You've got to get logs on these devices. In this instance, the logs revealed repeated PowerShell commands configured to run in hidden mode. That would not be another indicator of compromise. And then the file name, svchoss, which I think might be trying to do a typosquatting of svchost, from IP address...
This one. This is another indicator of compromise. You could put this in your SIEM logs and look to see if this IP address shows up. Yep. You could see it was trying to mimic svchost. The IP addresses, you can associate IP addresses with an AS, or autonomous system, network. And in this instance, the IP was with ASN 132203, which is... ASNs are assigned to areas on the Internet. You can't, like, you can't hide your ASN, because it's how network traffic happens. Right. This one was associated with Tencent in China. Tencent, if I'm not mistaken, is essentially like AWS, right. Alibaba is like Amazon. I'm pretty sure Tencent is like AWS, not ten seconds. Oh, I can't even read that. Okay. All right. Yeah. Tencent. A Chinese multinational technology conglomerate. It's basically, and this isn't xenophobia, like, Tencent is like the equivalent of, like, the bad-guy tech oligarch in, like, any future dystopian movie where, like, they have unlimited power and access to everything. Not unlike, you know, Google or Microsoft or Amazon. Just so we're all clear. Like, I'm not just saying it because it's Chinese. All right? Because they have IPs or, you know, infrastructure. They're running C2 ops. Okay? So basically, here is the deal. There is a piece of malware. It doesn't say how it's getting deployed. If I had to guess, it's social engineering. Oh, yeah, you can see here. Again, I don't research or prep for the show, so I have to figure it out on the fly with you guys. It says that the investigation could not confirm the initial infection vector. They suspect social engineering, malicious downloads or email, which is 100% right. Like, definitely, definitely. If you don't know the initial infection, start with phishing, emails, social engineering. Like, it's overwhelmingly most likely. You know, you can get elite-level, next-day, the next zero-day hacks or...
But chances are it's either phishing or, very popular right now, using legitimate credentials, because your infrastructure doesn't require MFA, because, I don't know, your program manager has been living under a rock, and crappy passwords. So sometimes a criminal doesn't hack in. They log in. Oh, my God. Get the T-shirts made.
Sarah Lane
Ukrainian heads to US prison for aiding North Korean fraud. Ukrainian national Oleksandr Didenko was sentenced to 5 years in U.S. prison for selling stolen U.S. identities to North Korean IT workers and helping operate laptop farms that let them secure remote jobs at US companies. Through the Upworksell.com domain, Didenko managed 871 proxy identities and facilitated payments and access to the US financial system, letting overseas workers earn hundreds of thousands of dollars from about 40 US firms. He pleaded guilty to wire fraud conspiracy and aggravated identity theft, agreed to forfeit more than $1.4 million, and was ordered to pay restitution after being extradited from Poland.
Dr. Gerald Oer
All right, so two things here. One, I don't know why these people do that. Dude, if you're committing crime, if you've decided you're going to, like, make your money committing crime, why would you ever go to a country that has extradition agreements with the country that you're committing crime in? Like, I'm not saying it's easy. I'm not a criminal. I don't commit crime, right? Anymore. But, like, I'm a, you know, I'm a dope, and I know not to go to a country that's going to extradite me. Like, when you make the decision to commit crime, you're also making the decision that, like, you're not going to travel to these places anymore. And so anyways, this guy also... Hey, shout out to this guy. Dude. Shout out to this guy. You know, now that I run my own business, I'm always thinking, like, oh, like, business opportunities, business opportunities. Like, this guy saw a business opportunity. North Koreans are trying to do IT worker fraud, right? You know, like, deepfakes, North Korea, all this stuff. This guy's like, oh, hey, here's an opportunity. I'll be the belly button. I'll be the liaison between all of the victim organizations, and I'll get stolen US identities. And I'll just be like, I'll be the interface for North Korea. Hey, North Korea. You guys want some IT jobs? I'm your man. Come on down. Like, basically compartmentalizing the step between North Koreans wanting an IT job and North Koreans having an IT job. This guy saw a business and made a ton of money off it. Now, of course, he's going to spend some time in jail. He had to forfeit $1.5 million or whatever. As I said on yesterday's Daily Cyber Threat Brief, if someone found me a million and a half dollars right now, I would be... I'd be very much in debt. So, you know, I don't know what's up with this. Also, I want to point out, because I feel like, I don't know, when I was a child, I saw things as very, like, very black and white, right?
Like, very much like 1950s comic book superheroes, right? Where it was very clear that Superman was good and Lex Luthor was bad, right? Like, there was no gray area. You didn't have a Thanos, you didn't have a Bane, like, oh, Batman, right? Like, you didn't have these kind of gray, morally just kind of criminal things. Anti-hero, like Batman, anti-hero. You like rooting for him, but he's, like, beating the crap out of someone because he's determined judge, jury, executioner, okay? Like, Ukraine is definitely getting the crap smacked out of it, right? And they, like, unfortunately, they were invaded by Russia four years ago. They've been dealing with, you know, military conflict on their own soil. That doesn't make all Ukrainians, like... like, you can't... like, this guy's committing crime and defrauding US businesses and stuff. So anyways, we'll see what happens to this guy. I mean, it sounds like they have him dead to rights. 29 years old. You know, he was running this website, which was, like, basically his home base. He was sentenced to five years and ordered to pay $46,000 in restitution. Okay? I don't know, guys. Sometimes you got to ask yourself the question: if you were young, right? If you were 22, 25, would you do five years of prison if, when you got out, you had like $4 million sitting in some type of Swiss bank account, or Justin Gold is holding your bitcoin from all this crime? You know, again, I'm not promoting crime. Don't do it.
Sarah Lane
Air Côte d'Ivoire confirms cyber attack. The airline Air Côte d'Ivoire confirmed it was hit by a cyber attack on February 8 after the INC ransomware gang claimed it stole 208 gigabytes of data and demanded payment by February 24. The airline said parts of its information systems were affected and that it notified French and Ivorian authorities. While investigators assess the scope of the breach, flights continue to operate normally. The INC gang has previously targeted government entities and US municipalities. We see third-party breaches in the news all the time.
Dr. Gerald Oer
All right. I mean, if there was ever an indicator that, like, this country was colonized by France during, like, the great colonization of the 1700s, this would be an indicator. All right, so an airline out of West Africa got hit with a cyber attack. We've seen a lot of airlines, interestingly, compromised or impacted by cyber security attacks, even not directly. Sometimes it's third party. Like the CrowdStrike attack. I mean, that wasn't an attack. That was, like, a misconfigured patch that wasn't tested. But, like, it just... I don't know if it's just in the news more often, but I feel like of all the transportation industries, airline or air travel gets punched quite a bit. Let's see, they have 14... I mean, whatever. Who? Who, who? The INC ransomware gang. Okay, so the INC ransomware gang has threatened the company to pay an undisclosed ransom. Here's my thing. Are they, like, down? Okay, so it did affect part of their information system. So INC ransomware looks like they stole 208 gigs of data, but also impacted some of the IT operations. With things like this, guys, the plane itself, unless there's something next level, the plane itself is safe. It's not like they're controlling the plane like it's a, you know, Microsoft Flight Simulator. Just like Colonial Pipeline, like, the oil was flowing down the pipeline. The OT was not impacted. It's just the ability to deliver service. Like, who's getting on this plane? Who's getting off the plane? How much food do we put on the plane? How much gas do we put in the plane? Where's it flying? Like, all of those things. Did someone pay for their ticket? So it definitely sucks. But, you know, it is what it is. And I hate to say that so flippantly, but, like, you know, it's 2026. Everybody's getting hit. Just as a quick side bonus Tidbits Tuesday, because it occurred to me, my Tidbits Tuesday was how much I love shopping at Costco.
I did want to tell everyone we had a funny thing, because it said, as the airline company... there were croissants last night at Costco. And my family had an entire conversation. I'm like, oh, should we get croissants? And the Mrs. was like, it's pronounced croissant or croissant. Like, Nadine present pronounced it correctly. Croissant. And I can't say it. First of all, I can't even say it correctly. Second of all, I say croissant because I grew up in New England, where I'm, like, at Dunkin' Donuts being like, let me get a bacon, egg and cheese croissant. Right? Simple, right? But my son said, what? You what? Hey, what are you guys talking about? And I said, we're saying how to correctly pronounce croissant. He's like, how do you do it? I'm like... anyways, croissant's a funny word, all right.
Sarah Lane
Odds are, most of those companies,
Dr. Gerald Oer
If you can't, it's hard to imagine. Guys, this was the fastest hour of cyber security and continues to be the fastest hour of cyber security. This was your Daily Cyber Threat podcast. If you enjoyed it, breaking down the stories, giving you all the hot news of the day, come on back tomorrow. I want to remind everybody, I'm very excited about this. Do not sleep on this today.
Today, today at 1:00 p.m. Eastern Time, we have a Simply Cyber Skill Stream. Now, if you didn't know, this is a brand new service that I've installed for 2026. We did the first one in January, remember? Mike Miller and I did a personal branding workshop. This is Tim Papa talking about emotions in ransomware negotiations and how to hack the hacker. This is going to be a dynamite session. It's one hour, absolutely free. The whole point behind Simply Cyber Skill Streams is that you show up for an hour and you leave with a new skill. Very simple. Remember, go to simplycyber.io/schedule, Simply Cyber IO slash schedule, in order to see the upcoming ones. But what I want to call your attention to is this one right here. You can click on it and get a calendar note on your calendar so you don't miss this live stream. Come on down, support the channel, help yourself out, get a skill, bring a friend. Don't go anywhere, because Eric Taylor is the Tuesday Jawjacking host and he's going to be answering all your questions. So get your questions queued up, whatever they are. Cryptic Roses: it will be recorded and available on replay. But if you show up live, you can ask Tim questions for clarity. All right, guys, I'm gonna go teach the youth. I leave you in the capable hands of Eric Taylor until 1 o'clock today. Stay secure. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field. Live, unfiltered and totally free. Let's level up together. It's time for some jawjacking.
Eric Taylor
Would it help if I unmuted myself? Good morning, good afternoon, good evening, wherever in the world you are. Thank you so much for tuning in for Jawjacking. Question: do y'all hear this? What? Let me know in chat if you hear the music. Awesome. Thank you. Jerry got some royalty-free Spotify again. Really advancing it. Trying to get things, you know, dialed in and stuff like that. Hopefully the chat is much more readable this time. But if you're new, just like Cryptic Roses just did, put into chat... put in a Q colon. Oh, that's a little loud, even in my ear. Sorry about that. But put Q colon in there and ask your question so that way I can easily find your question and answer it. So with that, we are going to open up the chat here and let me find that. All right, here we go. Cryptic Roses asked: I've managed to get myself into a London expo. That's pretty cool. I've been told the best people to talk to are not the venue but the fellow visitors. Any tips and tricks? Let me... I've been told the best people to talk to are not the venue but the fellow visitors. So in most expos and most conventions, there's two sides of it. You have the business development side, and those are the people that you'll see walking around. But you never see them in any of these sessions; we're conducting business, we're talking business, things of that nature. And you have those that are going to the actual sessions of the conference or the expo. So there's two sides of it. I would say be in both of them. Find out, you know, what sessions you want to attend. Like, let's just say hypothetically it's a one-day event, you know, and there's 20 sessions, but these three I really want to attend. So lock those into your calendar. If there is a way to start doing social media posts ahead of time, say, hey, I'm going to be here. If you'd like to meet up, let's do that.
And, like, maybe look at the sponsors, things of that nature, and schedule meetings around the sessions that you're going to be attending. That way you see both sides. You do business development, you're able to advance your career, learn from other people, things of that nature. And you're attending these sessions that you are most interested in while you're there. And the other ones, you're just like, ah, you know, I'm not really interested in those sessions. Book some meetings. That's how we work it. That's how I work it, for the most part. So hopefully that's a benefit to you. Brown code barricade. Oh, let's see. I think I have a spoiler, or maybe back away the earphones. I think I have it turned down. But if you're hearing this, then you should be able to hear this. Hopefully that worked. Hopefully. I got the dolphin going. Teaching an old dog new tricks over here, ladies and gentlemen. All right, let's see, what else do we got going on? Got another question here, let me find it. Where'd it go? Where'd it go? Oh, there it is. From Puns, or Punslinger1: what roles in cyber security or IT in general is it most likely to be a remote or mostly remote position? Okay, I really think it's not a... I mean, role does... like, you can't really be... well, hold on, let me take a step back. This is a very tricky, complicated question to answer and unwrap. Okay, first things first, if you're going to be remote, and let's just say hypothetically you're going to be a system administrator or a help desk and/or, you know, network technician or network admin, things of that nature. Right. Are there technical people on premise that will help you facilitate, like, hey, I need to get remote access to Carl's PC?
Who do I have as a local resource to, you know, piggyback off of, say, hey, can you go make sure that computer's on, that it's connected to the network, things of that nature, be able to find an IP address, things to help you, because you're not going to be on site, you're going to be in a remote facility. So that is one side of it. The other side is remote work is not designed for everybody. Right. I even fall victim to it myself, where you'll start doomscrolling and it's three hours later. It's kind of hard to doomscroll in the office unless you're in your own office room and nobody's coming in and bothering you. But it really depends on the individual as well. Can they be functional in a remote setting and be able to make sure they are actually able to facilitate the tasks that are handed to them in a reasonable manner? So again, it really is a two-sided situation. So let's see what everybody's talking about, because I don't see any other questions coming in. Oh, got one in here from Angela, or Angela Wolverton. Pleasure to meet you. I don't think I've seen your name come across before. Playing with Splunk BOTS and would like to write ingestion or investigation reports. Any suggestions where to find some to read? I will find a template, but would like to... Okay, so I'm not supposed to do this, but I will for this group. So I'm really not supposed to do this, but we'll do this. Let me... so let me pull up. There was some stuff that came out the other day. Let me find... Okay, so Venom ransomware group, they released a... and I'll put it here in chat. They released a full source code of everything. In fact, let me... sorry, let me hide the chat because that is... Okay, I'm actually learning OBS, look at me. But they released the full chat. So what this basically does is it weaponizes certain aspects for BYOD driver loading and getting past UAC, and it's the next version of an AV/EDR killer.
So Tammy over there at Ransomware Live... I'm a part of the Ransomware ISAC group. We share a lot of intel and stuff like that. Well, this is a report. So I went down a rabbit hole after Tammy from over there sent that to the group, and it's got to go through the marketing fluff. Let's see if I can blow this up for everybody to read. Now again, this is not the prettiest thing. Again, this is completely technical. It's in a markdown file, but, you know, I put classifications, the date, the version, which is kind of whatever. Had to go through and sanitize a lot of my stuff. Couldn't really say what EDR tool that I used. But if you've been around in the channel and watching the streams for a while, you know what EDR tool we use. But I just don't want to create some public shame or anything like that. But yeah, I go through the entire attack phase. I go through the MITRE ATT&CK stuff. You know, I really just break it all the way the freak down, like, it's unreal. Right. Gave my executive summary, my key findings, what it is. You know, go through the whole mentality of everything, and then marketing is going to go through it. I think this thing is going to be released with Ransomware ISAC later today. I just dropped this over with all the images, so you'll see what this looks like once it gets the marketing fluff. But again, I just went through and I just did mind dumps after mind dumps after mind dumps and just spent like six hours, just any which way that I could do, you know, this deep dive analysis, and just dumped and dumped and dumped and dumped. And then I put in my other folder what it looks like for the images and all that. So marketing is going to... like, I put in their image tags and stuff like that, because there's literally a markdown file, kind of like what Notion... I think I'm actually probably going to move over to Notion. But anyway, I digress, but hopefully that's beneficial to you.
Again, I think it's going to come out in the next day or two. If you're not following the Ransom-ISAC group over on LinkedIn, definitely go look them up, follow them. Like I said, I know Ellis and a couple of the other folks over there are taking my mind dump and my images. Plus Kim, and I just gave it to her, marketing manager over here at Barricade, and she's going to be doing stuff, so you'll see from both sides here soon, kind of like how it gets the polish, and kind of go from there. All right, again, hopefully that was beneficial. Hopefully that'll answer your question. Let me know if I didn't.
See, looks like we had a couple more. And let me know in the chat, is the music too loud? It sounds a little loud in my ear, but I know OBS and the volumes and stuff, I got to play with that a little bit. I don't see anybody say anything. Not a question: I was thinking Barricade Cyber Solutions on John Strand's class yesterday. Okay, cool. Very cool. Definitely do appreciate that. I think I've got all the... Yep. No, it's not loud. Okay, perfect. So what's new with everybody? Definitely a light conversation. I am really digging this Spotify royalty-free music channel. This is really... I like this a lot better than the Restream, to be honest with you. In fact, let me, in Spotify... well, because we don't have any questions, let me see real quick. Can I share? I think, yeah. Copy link to playlist. Yep. So here we go. All right, so that is the Spotify playlist. It's literally called Chill Royalty Free Music. And Spotify is pretty good about finding royalty-free stuff that we can be able to play. But I'm really digging this playlist. I think we'll have to do this a little bit more often. And y'all seem to be liking it in chat, so very cool. All right, we got another one here. What's up, Taiwan Gong? Have you ever had a bad evaluation? And if so, how did you recover? Oh my gosh. Taiwan Gong, I can go on a soapbox on this one, dude. So all of my life, that's all I've had, is I am the worst freaking employee ever. Ever. I really, really am. Being a business owner is literally the longest job I've ever had. I'm definitely one of those people, I do not play well with others. I just really don't. I mean, I think now that I'm older, I'm starting to get closer to 50, I've calmed down. Sorry if y'all hear it. I'm starting to fight this head cold or whatever that's going around. So if y'all hear me sniffling or whatever, I'm so sorry. Trying to make sure I mute myself, but it's not really working at all. All right. But yeah, I've been the worst employee ever, every job I've ever had. So what I would say, when I evaluate my team and critique them, it's one thing to say, yeah, I'm going to do better, or I see that. What makes... as a business owner, when I know my team understands the criticism that I've given them: they come back in a couple weeks or a month, or whatever time frame that they've chosen that makes sense to them, and ask, hey, about that last topic. I just want to check in real quick. How am I doing? Are you seeing improvement? What other areas can I improve to make sure I'm hitting your target? Team members, AKA employees, I call them team members here, but those who actually have a vested interest in their career, in their longevity, will come back and say these things.
They will show an interest. They just won't take the criticism and then walk over here, and you don't really ever hear anything. So it's like, did they really understand, or did they just kind of, like, yeah, whatever, and just sweep it under the rug? So I would say if you've gotten a bad evaluation, take the criticism, say, thank you for that. I really do appreciate it. I'm not going to grow unless I get that feedback from you. Take notes of it. If they didn't give you improvement steps... I'm not talking about a PIP, a performance improvement plan. We're not talking about all that garbage. But if you didn't have action items to improve yourself, go back to them. Say, hey, maybe I misunderstood, or maybe I just didn't write everything down, but I feel like I may be missing our action items so I can make sure I am improving to be more in line with what you're looking at. Can we revisit that again? Again, if you don't have it. So hopefully that helps you, Taiwan Gong. Yes, Dream Logic, I am almost 50. From Find the True: going to any cons in the near future? No, I am not. I think my backside is going to be glued in this chair for quite some time. The rest of the team, Lisa, will definitely be going to some of the conferences. So we'll be kind of going through all that. But I don't know which conference I will be going to next. I got many webinars I gotta put together. I've got freaking tech analysis. I'm covered deep. All right, Gary537: new to cyber security, been in IT for 15 years. Congratulations, man. New role. I'm in charge of our EDR and SIEM. What are some things one should do daily for those? I'm going to make an assumption here, Gary, that you may be novice or entry-levelish in the EDR, in the SIEM. I would make sure that you're reading up and watching training videos every day, spending one or two hours on that, and searching Reddit for those platforms, see what other people are saying.
A lot of times you'll see, especially in Reddit, that people are sharing queries or sharing TTPs or sharing this, they're sharing that, and it will help advance you. So thank you. Knowing how other people are thinking, how to apply it in your specific situation and kind of go from there, hopefully that helps you. I thought I saw another question. And I can't get over how good this Chill Royalty Free Music is. I'm vibing over here. That's what the kids say, right? Vibing. Yeah. I mean I'm feeling, I am literally enjoying this music. This is pretty cool. I'm probably gonna play this all freaking day now. Nothing's happened with Kimberly, Dream. She's very much in Barricade. Like her full time job is Barricade Cyber, being the marketing director. Marketing manager, whatever her title is. Like, I just dumped some more stuff over to her this morning. I know she does some freelance stuff and I know she works with Jerry and some other folks and it's, it's whatever, right? So. But yeah, Barrett, I don't think Kimberly's going anywhere. I, I'm very much ingrained with her. So she's, she's not, as far as I know, she ain't going anywhere. At least not as much as I can help it. James McQuiggin, used to do Hope Atlantic. Yes, I do. I've been covered up so much. James. You're on my radar to get a conversation with. But yes, it is on my radar. I have not forgot about you. Question from Dev CS2. Thank you all so much for bringing in the questions. Definitely keep them coming. Any advice for a new. For an infosec compliance interview? That's a good one. I guess, to be honest with you, I don't play in that role so much. I mean, I do a little bit. However, the, I guess, you know, if you're going into this, you're going to want to know what frameworks are they currently adhering to? Are there any frameworks that they are aspiring to meet in the next year, three years, five years? What have there been roadblocks? What issues have they been having with their current compliancy? 
I think those would be great opening questions. So again, just a recap. What framework are they currently adhering to? Have there been problems, roadblocks, whatever that have been hindering them from getting to that compliancy, and what frameworks are they looking at to get into within the next one, three, five years? And that really helps you understand, you know, where they're going long term. Love it. Love it. Thank you so much for that question from Regong Host. Sorry if I'm butchering, Recogn Host. Sorry. Well, go back here. Recently was shifted to physical risk intelligence from CTI. What advice would you give to get back into cyber? I don't, to be honest with you. Physical risk intelligence. I mean this. I could be completely out here in left field. Completely. And we'll drop this. Right. I'm completely way out here in left field. Right. But I think that is all around like pen testing. Right. Physical access cards and things of that nature. That's, that's definitely not something. And maybe even camera systems, CCTV. So I'm not familiar with that per se. But that's not really. Now that I thought for a second, that's not really your question. Your question is any advice to get back into cyber, you know, kind of like what we mentioned before is, you know, hopefully you're still in the same org. I may need to step away a moment, go blow my nose. But you know, if you're still in the same org, then you can, you know, ask them like, hey, why did I get pulled off of it? Maybe, you know, you're doing good at your job, but they really need you over here for another three, six months or something like that. Right. So, yeah, I would definitely have conversations to find out why you got pulled out of there. And again, like, I've made the other recommendations in here in the, in this jawjacking, you know, find out what do you need to do to get back there and follow up. Don't just say great for the information and walk away and never talk to the boss again. Follow up. 
Qk, I know we're all introverts. So am I, like you. You know, this is kind of why I have business development people. Because I'm like, how about the Braves? And then I have no idea what to talk to you about. Right. I just small. I'm just not a small talk type of person. I'm just not. I'm one of those type of people, if we have something to talk about, let's talk about it. But to go up and say hi and do I. I just really, really suck at it. But yeah, I would, I would try to find out. If that doesn't answer your question, please let me know. We. I know we're getting toward the bottom of the hour, so we will have to cut this off in a moment. But if I could be able to squeeze a follow up in there. If I'm not hitting your question exactly, then please let me know. All right, maybe for the last one. Cryptic Roses. Firstly, thanks for the CV review. Okay. That's the best way to volunteer for. What's the best way to volunteer for a bid plan to go to the leads 1. Putting it out there in case y'all didn't see it earlier. Most of the time, Cryptic Roses, you know, most places are going to take volunteers. So I'd say just go out there and ask again. I guess that may go back to the introvert in all of us a little bit, but we kind of just need to get out there and ask, unfortunately. All right, I do believe we have gone through all the questions. Is there any last one? Let's see. I did answer that real quick. I just want to make sure. Because I. There's one here. I want to answer it real quick. Okay. I don't see any. Apologies to you if I did miss your question. Definitely come back next week. I will try to be here on Friday, but work is kind of hectic right now, but we'll. We'll kind of go from it from there. Again, thank y'all so much for the questions. I do greatly appreciate it. One more time. Since we've actually got this working, I'm pretty happy. All right. I just did a little snippet there. Want to make sure Jerry doesn't drive off into a. 
Into a ditch or whatever like that. Just kidding, Jerry. But anyway, thank y'all so much. I do greatly appreciate it. I feel like this is a well produced jawjacking session. Got the graphics going, got everything working. Chat showing, sound is going, music is vibing. I. I'm digging it. I'm digging it. All right, ladies and gentlemen, I'm gonna go blow my nose. Thank y'all for hanging out. I do greatly appreciate it. Until next time. Stay curious, my friends.
Dr. Gerald Auger
Hey, everybody. I hope you enjoyed that content. Keep the cyber security train going by connecting with the other Simply Cyber community resources. We have the Discord server that's lively and always keeps the conversation going. You can connect with me directly on LinkedIn and also every single weekday morning on the Simply Cyber channel. We're doing live daily cyber threat briefings, 8 am Eastern time, as well as Thursday at 4:30 pm, we're doing live stream interviews with industry experts, and we produce videos that we push out every Wednesday morning. I'm Jerry from Simply Cyber. I hope you enjoyed the content and we'll see you in the next one.
Podcast: Daily Cyber Threat Brief
Host: Dr. Gerald Auger (aka "Jerry") – Simply Cyber Media Group
Date: February 24, 2026
Episode Theme:
Staying up-to-date on the top cyber news stories impacting industry professionals, with expert breakdowns, real-world context, and a dash of community fun.
This episode dives into current high-impact cyber threats and news stories relevant to security analysts, business leaders, and anyone working in or aspiring to work in cybersecurity. Dr. Auger (“Jerry”) offers real-time reactions and practical advice based on decades of experience in GRC. The topics include major data breaches, ransomware trends, AI/ML risks, supply chain attacks, threat actor arrests, and in-the-trenches response strategies. Co-host Eric Taylor joins during the "Jawjacking" Q&A, taking listener questions on career paths, technical reporting, remote work, and more.
Notable Quote:
“I could bet you money, I’ll put $100 down, that there will be a ransomware attack tomorrow... and that’s easy money. Even FanDuel is not going to take that bet.” (14:09)
Notable Quote:
“If you were young, right... would you do five years of prison if when you got out you had like $4 million sitting in some Swiss bank account?” (51:35)
On ransomware odds:
“I could bet you money… there will be a ransomware attack tomorrow.”
— Dr. Gerald Auger (14:09)
On AI deepfakes:
“You could take a picture of anyone and say, ‘take the clothes off this person,’ and it will do it.”
— Dr. Gerald Auger (22:35)
On supply chain dev risk:
“This is a hot, hot situation up in here…”
— Dr. Gerald Auger (28:48)
On arresting hacktivists:
“If you’re going to do something, what is the goal? ...If you’re just flipping out for the sake of flipping out, fine, that’s your goal.”
— Dr. Gerald Auger (33:39)
On logs for IR:
“Logs are vital. If you’re not capturing logs... all you have is a cup of coffee and suspicion.”
— Dr. Gerald Auger (45:33)
Closing Note:
“Stay secure. Ever wonder what it takes to break into cybersecurity? Join us every weekday...live, unfiltered and totally free. Let’s level up together.” (60:04)
This summary centers on actionable intelligence and keeps to the energetic, practical, and humorous tone of the Simply Cyber community and hosts.