A
What's up, everybody? Good morning. Welcome to the show. If you are looking to stay current on the top cyber news stories of the day while getting educated and entertained by industry professionals, then you're in the right place. Welcome to Simply Cyber's Daily Cyber Threat Brief podcast. I am your host, Dr. Gerald Auger, coming to you live from the Buffer Overflow Studios. We got a great day for you. Get settled in, get your coffee, let's get cooking, because it's time to get to work. All right, what's up, everybody? I hope you're doing well. Today is February 26th. This is episode 1077. We're gonna go through eight cyber stories of the day. We're gonna break them down, and again, you can go through these stories on your own. You can have RSS feeds. Heck, you can even have AI write you a daily brief and have it piping hot in your inbox right at 6 a.m. But what you're not gonna get, what you get here, in addition to the ls, if you will, is we're gonna go beyond the headlines. You know, there's a lot of industry professionals, myself with 20 plus years in the GRC space, CISO space, we're going to go beyond the headlines and tell you how you can operationalize this information or whether it's worth operationalizing. We had a story yesterday where I made fun of it because it was absolutely a nothing burger. But if you're new to the industry, maybe you don't know how to evaluate one thing from the next. You don't know how to dig in and get under the hood of things. And that's what we do here at Simply Cyber. We inspire, we educate, we support, we empower you to go as far as you want. Right? I can put everything, I can lay everything out on the table, but I can't force feed you. That's not my speed. Now for the eight stories we're going to go through. You might think this is reckless, but no, it's part of the experience. We don't. I don't research or prep for any of these. I have no idea what's coming. Ain't nobody got time for that. That's right. 
Ain't nobody got time for that. But we'll do the best we can. We've done it 1,076 times before and it's been okay, right? We've. We've made it happen. If you're here for the first time, what's up? You drop a hashtag first timer in chat, hashtag first timer in chat. We have a special sound effect for our first timers. We have a special emote, and it could be your first time. Like you just found us. It could be your first time in studio, right? Maybe you listen to us on your audio podcast app of choice, like Spotify, Apple Podcasts, maybe your team Replay, and you had a change in schedule and you're checking the show out live, whatever it is. Welcome to the party, pal. First timers unite. Let me say hello to some folks in chat. Marcus Kyler, Toasty Pops in the Kansas City, Kentucky connection. I see Mar Ley Doom, Kraken dropping bombs here all the time. TJ, Jim Wales, my man Berg, SSJ. Space Tacos in the GRC Mafia is in the house. Mondo Ailia. That blue badge is looking good, guys. Every single episode of the Daily Cyber Threat Brief is worth half a CPE, a Continuing Professional Education credit. And you need these in order to maintain existing cybersecurity certifications that you worked so hard to obtain. If you don't have a cybersecurity certification, that's okay. I would still recommend you collect CPEs, because if you plan on getting one this year, then you'll already be, like, you know, ahead of the curve on getting your CPEs done, right? You're picking up what I'm putting down here. So how do you get the CPEs? First of all, stay through the show. Like, that's. That's a requirement. That's not optional. You have to stay for the hour, right? Say what's up in chat right above me. You will appear on the stream. You are part of the show. You are live with us. Grab a screenshot with the title of the show and the episode number in the title and your message in the chat. Right? That's a piece of forensically sound evidence. It shows you are here. 
It's like your ticket stub that you went to the movies. Okay? File it away in a desktop folder called Daily Cyber Threat Brief Screenshots, right? Get crazy. And once a year, count up those screenshots, divide by two, because every CPE is one hour. But we goof around here. We have fun. So 30 minutes is a safe bet. Marcus Kyler, Detroit's own, 38 months, three plus years with the Simply Cyber team. Don't know where I'd be without Jerry and Team SC. Marcus, we are a better community with you in it, my friend. No doubt about that. DJ B's in the house, my man. Love myself some DJ B. Another solid stalwart of the community, providing mentorship to all. All right. It's Thursday, which means every day of the week has a special segment. And for Thursdays, we know it's not dad joke of the week, it's Dan Reardon's What's Your Meme? This guy. I love it. You are going to love it. We allow people to try to guess what the meme is going to be. I got to tell you, Dan was inspired by something that happened yesterday. I know Elliot Matice and others like to guess what it could be. So go ahead, drop those in. But yes, a unique one-of-one meme of the week. We should NFT these. Justin. Crypto. All right, but before we get into the news, before I melt your face, I am going to take a slug of this coffee, please. If you have a cup, drink. Oh, so good. Mad Destroyer knows what I'm talking about. When you get that. When you get that coffee and it just hits. All right, this show's not made possible without the support from our sponsors. Let me tell you about Flare. I hope you guys got to go to the Flare CTF walkthrough yesterday. If you did go to that, sound off in chat, I would like to know how it went. Guys. Oh wait, I gotta show you the. Hold on one second here. Let's. Let's do this. Let's talk about Material instead. I'm actually. Hey, by the way, Material Security, they've been a sponsor for the month. I had a call with them yesterday. 
I'm actually going to try to deploy this in my own business because I use Google Workspace for Simply Cyber. Right. If you didn't know that, I was Microsoft 365 but I don't like it. I don't like Microsoft 365. So I switched over to Google Workspace and I should say I like Google Workspace better for my workflows. So I'm going to deploy this myself, actually. Listen, about Material Security. Cloud workspace security is hard. Email security alone stops phishing at the perimeter. But that's not enough. Today's threats target email, files and accounts across your entire workspace. Material protects Google Workspace and Microsoft 365 by providing holistic visibility and automated remediation across your entire cloud environment. And it goes beyond phishing protection to detect and protect sensitive data, monitor account threats, respond to risks across the workspace. Now Material uses advanced AI detection, automates user report triaging and delivers flexible one-click remediation for email, files and account issues. Best of all, it scales your security without scaling your team, protects your entire workspace at the cost of traditional email security. So if you want to learn more about this, go to simplycyber.io/material. Many of you know, like, I run a small business, right? I am, in addition to being the CEO and janitor, I'm also, like, information security. Like I was. We use CrowdStrike here, right? For our EDR. I only have five licenses but we use EDR. I had to go in yesterday and clean up the queue, right? Somebody called casually Joseph and Wade Wells. Let them know I'm clearing queues out up in this piece. Dan Reardon. So I'm looking forward to trying out Material. Also want to say what's up to Antisyphon Training. If you've been taking John Strand's Cybersecurity Foundations course, today's your last day. I hope you've been enjoying that. Looks like let's go to March. Can't believe it's almost March, y'all.
Antisyphon Training disrupts the traditional cybersecurity training industry by offering high quality, cutting edge education to everyone, regardless of financial position. If you want to learn about IR. Oh my God. This is quite the topic. Hey, get some of this. This is a free. This is a free webinar. Okay, one hour webinar. This is pretty cool. How to do incident response for AI incidents. How to do IR for AI incidents. This is a. This is an area I hadn't even thought about. Frankly, I would just treat IR as IR, but here we go. When you got an AI incident, what do you do? Guess what Gerard Johnson's or Johansson's going to tell you. I'm going to drop a link to this. Antisyphon, really bringing the heat on education. This is cool. All right, thanks, Ellipsis. I hadn't seen the identity module yet. I'm using CrowdStrike Falcon. I don't think I have the full CrowdStrike suite. I have like the, the baby, you know, like Tinker Toys version of CrowdStrike. Go to antisyphontraining.com, check it out. Also, I'll be at Zero Trust World next week doing the show live from the show floor. If you're going to be at Zero Trust World, holler at me. Also, if you're going to be at Zero Trust World and you play Magic: The Gathering, bring your Commander deck and holler at me. I started scouting out local game shops. They're really far away. It sucks. Let's hear from ThreatLocker and then we're going to get into the news. I want to give some love to the Daily Cyber Threat Brief sponsor, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. Worldwide companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. ThreatLocker takes a deny-by-default approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. 
Onboarding and operation is fully supported by their US-based Cyber Hero support team. Get a free 30-day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com/DailyCyber. All right y'all, you know what to do. I didn't see any first timers in here, so all you long timers, you know exactly what to do. Sit back, relax and let the cool sounds of the hot news wash over all of us in an awesome wave. See you at the mid roll.
B
From the CISO series. It's Cybersecurity Headlines.
C
These are cybersecurity headlines for Thursday, February 26, 2026. I'm Sarah Lane. Google disrupts UNC2814. Google says it disrupted a Chinese-linked hacking group known as UNC2814, also known as Gallium, that breached at least 53 organizations across 42 countries. The group's been active for nearly a decade, mostly targets governments and telecom firms, and used Google Sheets to blend malicious activity into normal network traffic. Google and partners shut down the group's Google Cloud projects, infrastructure and accounts, stressing that no Google products were compromised. China's embassy denied the allegations. Google said the activity is separate from other China-linked campaigns such as Salt Typhoon.
A
All right, so really quickly, number one, I feel like this is super obvious, but I never want to make assumptions about common knowledge, especially because many of us have been working in the industry for, like, ever. So, you know, things that are just common are not always common, like acronyms and stuff. So whether it's Google, Microsoft or Amazon, you know, they have the capability to allow customers to stand up their own infrastructure and do infrastructure as a service, platform as a service, software as a service. Right? So just because you weaponize an EC2 instance in AWS or you weaponize some type of VM in Azure does not mean that Microsoft was compromised or Google was compromised. Right? So that, that's one thing that these, you know, tech giants always have to qualify to make sure that. Oh, we got a first timer. Hold on. Who's the first timer? D Birch 4, @dburs4, welcome to the party, pal. And thank you, squad members, for, you know, I might miss the initial thing, but I don't miss John Mlan. Oh no. I mean, I miss John McLean, but I don't. I don't miss seeing John Mc. I mean, I miss seeing. You know what I mean? Here we go. Welcome to the party. Welcome to the party, pal. D Birch 4, hope you enjoy the experience. Eric Stratton, also welcome back. Welcome to the party. Okay, so now that we've cleared up that Google's not compromised, let's look at this. Chinese-linked hackers attack 53 groups. Now, these groups are basically just businesses. It sounds like, not necessarily like, you know, threat actor groups or anything like that. Let's see what they did. One interesting thing that I'm going to come back to is that they used Google Sheets to evade detection. Pretty clever. I have a, I have a fun story of my son using Google Docs to evade detection at school. Got in trouble, him and his friends. Let's see. So Gallium is the threat actor name and decade-long history. 
So you know what's interesting right off the rip, usually this unk, and I know you Gen Alphas who are in the car right now rolling your eyes, looking at your parents, being like, you're so old. When you hear me say unk, you're like, oh my God, I rolled. But it is unk, unknown, essentially, like this A. This. I forget what the UNC stands for, but basically it bas. It means that it's a threat actor that they can, they can associate to multiple events, but they don't have enough information or telemetry to definitively say who it is. But the weird thing is they say that it's nearly a decade-long history. I don't know how much more telemetry you need to, like, bump them up from the unk category to, like, the full blown APT category. But okay, this, this group's main deal is to surveil, right? Remember I, I mean I've been saying it all week. I'll, I'll say it till, you know, I'm proven incorrect. But China is the best at espionage, right? Like if I, if I needed espionage done, you know, by tonight, like I'm calling China, get them on the phone. Like I needed, I need to hire the best, right? You want to do incident response, you call Mandiant, right? Like they're, they're the gold standard for IR if you want, you know, nobody gets fired for buying IBM, which is a thing that was said in the 80s. But my point is China's great at espionage. So how are they using Google Sheets? Okay. They used. Which is. Okay, so basically this doesn't sound nearly as nefarious as you would think. Basically the, the threat actors had a Google Cloud project and they were using Google Sheets to keep track of what they do. Listen, if you use a spreadsheet as a task manager, right, like I don't know about you guys, but I, I have had many, many systems over the years. I like to put things down and cross them off. That's how I get my work done, right. It's like how I stay motivated. You know, micro wins. Like, get this done, get this done. They were basically using Google Sheets for that. 
And of course it allowed them to evade detection because they're using Google Sheets. Like that's like a core function of Google. They're not going to know. Google's not going to detect anomalous behavior of Google Sheets. So Google's Threat Intelligence Group. I'm trying to figure out what they did here, the compromised entities. That said, no one, no, no one. In the case, the group had installed a back door called Grid Tide. Okay, all right. So basically I don't even know. This has like nothing to do with Google. This has nothing to do with. So this looks like it was basically just a threat actor group that was using Google Sheets to maintain their situation as far as what's going on and to coordinate with each other. But they broke into 53 businesses, 42 countries and, and basically Google Sheets was their scratch pad to keep track of things. So I don't know how Google caught it. Good stuff. Thanks, Google. But also worth pointing out, like, it just goes to show you, even, like, sophisticated threat actors, they do work the same as you and me. You know what I mean? They're using Google Sheets to write stuff down. You know, I bet you one of them uses Apple products and has, like, Apple Notes. They're just threat actors are threat actors, but they're not like scary Bane, Batman-level villains. They're just people that are going about their job like a normal person. It's just their, their job is crime. Although you could argue, right, in China, these people might be seen as patriots. You know what I mean?
C
More than 3 million impacted by TriZetto breach. Health insurance technology provider TriZetto Provider Solutions said a 2024 breach exposed data from 3,433,965 people, far more than initially disclosed. The company discovered in October that a hacker had access to historical insurance eligibility reports through a web portal beginning in November of 2024, compromising Social Security numbers, addresses and insurance details. TriZetto is a Cognizant subsidiary and notified law enforcement and hired Mandiant to investigate and is offering one year of credit monitoring to affected individuals.
A
All right, here we go. Space Tacos is definitely, like, co-hosting the show right now as she's visually calling out things. I see Soap Flavored got a wrecking ball. So I'm scanning to look for Soap Flavored's comment in chat. I suspect I know what Soap Flavored said, but I don't. I don't see it. I don't see it. So, Soap Flavored, if you can, let us know. All right. Health insurance tech provider TriZetto. 3 million impacted. Okay, great. So this breach was two years ago. Sweet. Second of all, you all get a year of identity theft protection, which, by the way, the breach was two years ago. You know when identity theft protection would have been good? Two years ago. I'm sure the company is going to say that they have no evidence to support that this information has been used maliciously, but chances are that they're not looking. All right. Oh, here we go. Thank you, Dan Reardon. Dan Reardon says Soap Flavored, it's not really cyber. I just got a job working with my school as support staff for their cyber range. My first IT cyber related job. Oh, yeah. Congratulations, Soap Flavored. And I would call that cyber. I mean, you are supporting the infrastructure, right? I. I mean, I would call it counting towards CISSP domains. Yeah, you're going to be doing user accounts, you're going to be patching that infrastructure, you're going to be doing account reviews, you're probably going to take backups. Soap Flavored, you work in cyber. Yes, sir. Okay, so this company got hacked and data got breached. Hello. Welcome to Thursday. And then of course, like, like any of these stories, there's like a ton of information unrelated to this actual main story. So, like, this company, TriZetto, got breached. Now, let's talk about other county governments in Oregon that suffered a breach. All right, so the, the actual technical execution of this attack, a hacker used a web portal to access historical eligibility reports stored in TriZetto's system. Sweet. Okay, so here's what happened. 
I'm going to tell you this, like, definitively, okay? This portal, I, I would, I'm, I would bet money this portal did not have multifactor authentication in front of it. First step, second step. This portal had a user account with a crappy password or one that was reused or leaked in a different data breach. Number three. They definitely weren't, like, looking or tracking for this. So I always go back to, like, governance, okay? Oh, governance is so lame. Who cares about governance? Okay, listen, why is this web portal in there in the first place? Is there a business need to have an Internet-facing portal that has access to this information? Could this be put behind a VPN? Does anybody need to access this that wouldn't have access to the internal network anyways? Why does the system not have MFA on it? Is it inconvenient? Guess what? I don't care. I'm willing to work with the business on lots of things. I'm willing to have a Windows XP machine on my network. I've done that before in the last five years. I'm okay with it because I know about it and I can manage the risk. I am not willing to budge on MFA required on Internet-facing systems, because it's absolutely gross negligence to not have it. Especially a system like this, where, like, this isn't like Netflix, where, like, your customers are the ones logging in and they need. You want a frictionless experience. This is, like, obviously the health care staff or who, like, someone who has a business need to access these historical medical records needs to access this. So guess what? You get to tell them, yeah, gotta log in with MFA, you gotta stand on your head. You gotta, you know, bark at the moon before you log in. Like, whatever requirements you want to outline, you, you put them in place. Because guess what? That person is absolutely going to do those things in order to get access to the system, because they need to do that to do their job. 
Again, I'm being hyperbolic by saying bark at the moon and stand on your head. But my point is for systems that are Internet-facing, that are business systems, there's absolutely zero excuse that is acceptable to not have MFA on, short of the system doesn't support MFA. And then you've got a different set of problems. Okay? Exactly, Rogue Cyber. I was being hyperbolic. I was being silly that governance is lame. I was actually making, I was pretending to be other people who yell governance is lame. What I'm outlining here is that governance is super valuable, because governance would point out that this should never have been there in the first place. Governance stops this before it happens.
C
Cisco SD-WAN bug exploited since 2023. Cisco disclosed that a critical Cisco Catalyst software-defined wide area network authentication bypass flaw has been exploited since 2023 to compromise controllers and add rogue peers. The 10.0 severity bug lets attackers gain high privilege to access and manipulate network configurations, with evidence they escalated to root by chaining a known flaw. CISA ordered federal agencies to patch by February 27th. Cisco released fixes and urges customers to investigate and secure exposed systems.
A
All right, critical SD-WAN bug. This is legit. Okay, so Cisco also, full disclosure. I'm. I just signed a contract, I'm doing a lot of work with Cisco in March. So just for whatever. So SD-WAN is software. I think it's software-defined WAN. Basically it is allowing you to have multiple facilities kind of on the same network. And it's, it's a pretty cool technology. In fact, wildly, the guy who invented SD-WAN, he works at Cisco. He was a guest on Simply Cyber Firesides. And I, like, discovered in real time, like during the interview live, that he invented it. And he was, like, so, so chill about it. I think his name's Scott Connors. Oh, hold on one second. Craig. Craig Connors? Yeah, Craig Connors. This dude, he was on there, he's a super chill dude, but yeah, he. So if I probably got to talk to him at RSA, I'm like, dude, what's up with your SD-WAN? But listen, Cisco is enterprise grade, right? Fortune 500 companies, people with money, they buy Cisco, they buy Aruba, they buy Gigamon, right? You're not getting, you're not getting TP-Link and Fortinet, you know, at this tier. So when you see something like this, for me, my immediate thought is, oh boy, this is really bad, because this is large enterprise, big money, you know, like nine-figure businesses, ten-figure businesses, in the billions with a B businesses that could be compromised. So now the next thing is looking at the technical details of this. Like, again, on the surface, this, this headline says Zero Day Exploited Since 2023. Oh no. We better run. Right, so you're doing, you know, classic cybersecurity thinking or GRC thinking. How, how bad is this? Is this really bad or is this some obscure, novel, nuanced zero day that can be exploited? That only is, you know, you're, we're only seeing it in, like, the, the most random places. Okay? And you've got to have, like, you know, the moon has to be in, you know, full, you know, a full moon and it has to be a Tuesday for, like, the exploit to actually fire correctly. 
So let's, let's look at this together. All right? It's an authentication bypass vulnerability. Already, that's bad. So that means it's like you don't have to log into the portal. So any Internet-facing system, it's, it's Internet-facing by design. So you can't, you can allow list certain IPs to be able to basically serve the web page. Right. But for the most part Internet-facing web portals are going to be Internet-facing web portals, which is why you have multi-factor authentication. Right. You again, you can set it up so, you know, only certain systems can query those. But for the most part that's not going to happen. So when you have a critical bypass for authentication, that means you don't need creds. You can have quad-factor authentication. All right, you got to do username, password, six-digit PIN, hardware token and a blood sample. And guess what? It's not going to matter, because you're going to walk around the gate. Right? This is an example where there's, like, a gate on a path and, and then on either side of the path there's no, there's no fence, you just walk around it. Okay, okay. Remote attackers can compromise controllers and add malicious rogue peers to the targeted network. Yep. Okay. Again, this is a network layer device. So adding rogue peers, I would imagine, means adding either software malicious infrastructure. Yeah, I mean it has to be software malicious infrastructure. Okay, now what do you do with those rogue peers? I don't exactly know. I guess you could do man-in-the-middle attacks. You could do poisoning. You could do denial of service. Technically, the CVSS score is 10.0. Remember, whenever you see a CVSS score of 10.0, that means it's really bad and it's actively being exploited. CVSS 9.8 means really bad and not actively exploited. 10.0 means and now it's been actively exploited. So the CVSS score does have a temporal dimension to it that changes across a time horizon. Okay. 
DJ B Sec is just throwing from the back row that SD-WAN is a great way to save money. So I guess if you're looking for enterprise grade network for, you know, multiple facilities and you got a light budget, then SD-WAN is a good option. This is coming from DJ B Sec at this, at this time. All right, there's a, so Cisco comes out and explains why there's a problem and essentially they're sending crafted requests to an affected system. All right, so they get to log in as a high privileged non-root user account. So, you know, high privileged is not good. You know, root would be better for a threat actor. But I mean, you're on the box. Yeah. So once they're on the box, they're on there. So okay, so now again I'm, I'm walking you through my, like, workflow, so now this is, this is definitely bad. You know, I, this is not good. Okay. A threat actor exploits this, which, it's been in the wild for two years, so they may have already exploited it, but if they exploit it, they can really mess with my network infrastructure, which is not good. So now the question is, how do I fix it and how do I go threat hunting to determine if I have been compromised previously? All right. Of course they do. Privilege escalation to root. Okay, buddy, where's the, where's the indicators of compromise here? Or what's the, what's the remediation? Oh, here we go. Oh, thank you, dude. See, I don't research or prep for these stories, but, you know, they know what, they know what the people want. People want IOCs, indicators of compromise. So review logs of any Internet-exposed SD-WAN controller system. Sure. And you're looking for unauthorized peering events and suspicious authentication activity. You'll have to figure out, like, I'm sure that there's some, like, unique event ID for unauthorized peering event. Well, not unauthorized, just peering events. Right. The Cisco SD-WAN isn't going to realize it's unauthorized. That's the actual human element of looking at it and saying, oh, this doesn't look right. 
So look in your /var/log/auth.log, which is, you know, the standard Linux log for authentication. You're looking for the phrase "Accepted publickey for vmanage-admin". So basically, you know, cat your logs and grep for this, and that means you, you've got an indicator of compromise. Can we get this thing patched? Bro, they're giving you a lot of good stuff here. Check it out. Here's some log files to also analyze for compromise. This. Hey guys, really quickly, how do we fix this thing? Let me see if there's a patch. Okay, it says here the exploitation poses imminent threat and they must be patched by 5pm tomorrow. Okay? So first of all, you gotta patch it. Ah, you gotta patch it. Okay, number two, I'm gonna drop this bomb on you. All right? We, we don't get these all the time, but what I will say is this right here, this right here is a phenomenal opportunity to build bridges with your IT, specifically networking, counterparts. Okay? A lot of times IT people just want, like, keep, you know, keep packets flowing. Right? That's how they manage. That's how they are graded. That's how networking people are evaluated. How many, how many? No one's going to be like, oh my God, like the packets are flowing so well. But they will say, do you remember that downtime back in April, Kevin? That was a problem. We don't want that again. Right? So, like, the networking team is hyper focused on keeping packets flowing. Cyber is focused on keeping it secure, right? So this right here is a legit issue. You absolutely need to investigate this. If you're running Cisco SD-WAN now, what do you do? Listen, send this. Well, send this email to your networking team or your IT team, if they kind of, like, consume networking as well, and just say, hey, y'all, this came across the feed today. This is a pretty serious issue. Can you confirm what version of Cisco SD-WAN we're running? I want to make sure that we're on the current version. Right? 
And can you look at these log files for this specific, you know, basically string, right? That. That string that you can grep, by the way. Grep is, like, filtering for certain strings inside of text files, right? So log files are really huge and you wouldn't want to scan them manually. So you use grep to, like, pull out those things. Ask them, say, hey, can you run this command, right? If you want. If you want to go to that level, like cat /var/log/auth.log | grep and the thing. Just run these. Tell me if you see anything or give. Give me access. Like, in every organization I've ever worked in in my life, the networking team is not going to give you access to the networking gear. There are exceptions, right? DJ B came up on networking and now he manages information security. So, like, he already has the keys to the networking closet, so he would just go himself. But most people are not going to allow a cyber person into the networking, like, into the gear. So be mindful of that. Okay? Go check this out and, like, build some inroads. I hope nobody's exploited.
C
Discord puts global age verification policy on hold. Discord delayed its global age verification policy to the second half of 2026 after user backlash. The platform will expand verification options beyond ID or selfies, including credit cards, and publish a technical blog explaining its systems. Discord said most users won't need to submit IDs, apologized for poor communication, and emphasized the update is to comply with growing global regulations in Australia, the UK, Europe, Brazil, and some US states.
A
All right, I'm not going to spend a terrible amount of time on this. This does affect all of us. Not all of us, but many of us. Because Simply Cyber does have a Discord server. That's where the community meets and congregates. We've been doing it for years, and it's not as simple as just having a place to meet. There's a lot of. There's been a lot, especially recently in the last two, three months, of management of the Discord server. But this right here would have affected all of us. Discord wanting to verify people's ages. And obviously you would do this through, like, you know, snapping a pic of your license or some other mechanism. The reason that people are concerned about this is, or I haven't heard, I don't know if people are upset about this. Just in general, I'm like, no, I'm not gonna identify myself, or if it's because Palantir is behind this. And if you don't know about Palantir, go Google them and then take a shower. So, you know, there could be that. Guys, there are a lot of scammers, a lot of scumbags. There's a lot of kid predators. There's a lot of just charlatans, a-holes. There's some people who are emotionally having a tough time that, I mean, they would still be able to verify their identity. That's not going to keep them from getting on the platform. But my point is, on the surface, this seems like a great way to help manage some of the risk associated with randos hopping on there or bots hopping on there. Like anything else, guys, if you're a criminal, it's kind of easy to bypass this, right? North Korea is able to get IT jobs illegally, right. And they prove, they provide all sorts of stuff. Know your customer in the financial industry, those get worked around. So this is basically going to keep honest people honest. And then obviously, much like Microsoft Recall, people flipped out. And now Discord is like, maybe we shouldn't do that. I mean, Discord's been making a lot of money. 
Like, I don't know if you've noticed, but, like, Discord's got a shop and you can, like, upgrade your account and do all that. So they're making money, and I think that they're just, like, looking for more ways to make money. Yeah, you can see here, sending a government ID or a video selfie. It doesn't say Palantir in the story. So let me fact-check this to make sure I'm not making crap up on you guys. "Discord distances itself from Peter Thiel verification software after its code was found on a Google Cloud endpoint." So, all right, this is just a few days ago. So maybe, maybe Discord's backing away not from pressure from the user community, but because of bad optics. Anyways, this is the Palantir angle computer
C
Huge thanks to our sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI-powered social engineering. Attackers don't need malware anymore, they need trust. Tip: set a simple passphrase for high-risk actions like a wire request or an urgent account recovery attack, especially within finance teams and families. If the caller can't answer it, pause and verify. Adaptive runs deepfake and vishing simulations so employees practice this before it's real. Learn more at adaptivesecurity.com. All right, we're at the mid-roll.
A
All right. Hey, thank you all so very much for being here for the show. It's been a banger so far. We're running a few minutes behind, but that's okay. I feel like that Cisco SD-WAN story warranted some extra attention considering the severity of it. Again, I'd like to take a hot minute to say thank you to the show's sponsors and thank you to all of you. ThreatLocker, Antisyphon, Flare and Material. Really quick about Flare. Did anyone go to the CTF thing yesterday? I had to go get my hair cut, so hopefully you guys think I'm looking like pretty dapper up in this mother trucker, but let me talk about Flare for a second, all right? Flare's cyber threat intelligence platform provides a very easy web-based portal for you to get into and search dark web repositories, Telegram channels controlled by criminals, infostealer logs, etc. to find out what's going on relative to your company. So you could be actively compromised, data just flowing out of your company, and you might have no idea because, you know, you can't block all the doors, right? We work in risk management, so there's always some risk. By adding Flare's threat intelligence platform to your kind of tech stack, you're able to proactively go out and look for your domain name, your endpoints, your email addresses, your users' systems, etc. and really take a look and see if you are actively involved in a breach. See if threat actors are talking about you. See if your industry is having an uptick. This is really awesome. And right now, if you go to simplycyber.io/flare, you can sign up and get a two-week trial and check it out. They do have to verify your identity. So if you're big on privacy and, you know, you're like, oh, no one's going to see who I am, you're not going to get access to this. Flare, the value of this platform is ridiculously high, and it would be unbelievably like a criminal starter kit if you had malicious intentions. And Flare's well aware of that.
So they do have to verify your identity. I know several of you in chat have actually taken this two-week trial opportunity and went through the verification process and had a few days. For those who have gone through and successfully been verified, I hope you're getting value from the platform. Remember, guys, links are in the description for all the sponsors. If you want to support the show, support me, click the links in the description, go check it out. I do not take sponsorship money from products or companies that I think are trash. I like Flare. Plus, I like the people at Flare quite a bit. All right, guys, every single day of the week has a special segment and... stop it, James. Thursday is What's Your Meme Thursday. We get a piping hot fresh meme every Thursday from Dan Reardon. And yesterday on the stream I was talking about marketing for KairoSec. For those who don't know, I am essentially a partner or co-owner, however you want to kind of frame it, of KairoSec, the pen testing company. Tyler Ramsbey and I run that, and we have great success with it, and it's awesome. And I was talking about marketing it, so Dan Reardon took it as a call to action. Here is your meme of the week. You can see here I am outside LinkedIn headquarters with one of those arrow signs, dancing, doing flips, twists. I got my, you know, my millennial cargo pants on and my hoodie. I'm out here. Dan, you outdid yourself this time. This is quite exceptional. So here we are. This is me marketing KairoSec all up on LinkedIn. I think that's how I'm supposed to read this. All right, all right, there you go. All right, let's continue. Yeah, co-founder. Makes sense. Roswell, UK. Let's continue to get the news cooking. By the way, for those who are wondering, KairoSec is doing exceptional. It's, like, exceeded 2026 expectations and it's only February.
C
Code flaws abound. Researchers at Check Point disclosed multiple vulnerabilities in Anthropic's Claude Code that could allow remote code execution and API key theft. Exploits involve project configuration files and untrusted repositories, letting attackers run arbitrary commands, exfiltrate API credentials, and potentially access cloud-stored data. Simply opening a malicious repository could compromise a developer's AI environment.
A
Yeah. Okay, next. Listen. All right, so for those who don't know, I have been going hard in the paint on OpenClaw and Claude Code. Okay, first of all, OpenClaw, I think, is overhyped. Like, I'm super pumped that that guy got acquired by OpenAI, like a one-person unicorn tech startup. Good for him. My level of... with OpenClaw, and yeah, so Claude Code. I'm also doing a lot with Claude Code. I like it quite a bit. Here is the deal. I don't care. Like, listen, Billy Oralana with the squad membership, welcome. Listen, if you're using Claude Code, awesome. Use it. Claude Cowork is basically the same thing. Use it. All right, if you are connecting to unknown MCP servers or you're downloading code and skills and things that you have no idea where they came from, what the integrity of them is, you are literally taking a risk. Like, the closest analogy I can think of for running Claude Code and connecting to, like, random MCP servers and random code.
C
It's.
A
It's the equivalent of, like, putting on a blindfold. This is going to be, like, an insane thing. Imagine you went to a buffet, right? You're at, like, you know, Ground, not Ground Round. Golden Corral, right. I think. Or yeah, you're at Ponderosa, Golden Corral, a Chinese restaurant. Like, pick your own adventure, right? You are at a huge buffet, but instead of, like, the restaurant putting all the food there, random people get to cook a dish and bring it in and stick it on the buffet line. So you've got, like, 40 dishes on the buffet line and each one came from a different person. Now imagine you put a blindfold on and you just, like, randomly walk up to a tray and start eating the food. Does that sound like a good idea? No. Chances are some of those are going to be delicious. And they were made with good intent, and it's just people doing the thing. And then there's going to be ones that are absolutely vile, that are deliberately designed to make you want to throw up. But you got a blindfold on and you're just cranking food into your gullet because why not? All you got to do is say get food and you... Right, that's what's going on here. So please stop. Just because you can does not mean you should. You have to. And this goes, by the way, this is... everybody in chat right now probably is pragmatic and taking a measured approach to getting in bed with these things. But for our end users, for Carl in research, who's like, oh, I'm gonna automate my job. I'm out of here, baby. They are freaking downloading and connecting to all the things. Right? Star dot star, let it fly.
B
Don't.
A
You can't hold me back. Right? Right. That's what's up. You are getting polluted and your machine is going to get compromised. Like, this isn't going anywhere. If anything, this is going to increase, because threat actors are well aware that this thing is incendiary hot. Meaning there's a huge population of people who are trying to use this thing, and many of them are going to fall for this. So remote code execution on your box. Claude is an AI agent. It's not thinking like, oh, maybe I shouldn't run this. This seems dodgy. They're saying, you told me to run this. I'm deferring to you, human. I'm gonna run it. So they're gonna run malicious payloads. They're gonna reach out to C2-controlled infrastructure to your machine. They're going to pull second-stage payloads down. They're going to infect everything on your computer. Sure. Steal your API key, whatever. Who cares? Like, they get access to your tokens and they can burn your money, or they can, you know, steal your data. But for the most part, remote code execution would be more of my concern, because they're detonating on your box, which means they're going to take your box over and move around your environment. And because Google... Claude Code, excuse me, executes initially on your machine under the permissions of your account, because you installed and let Claude Code run under your permissions, all the connections are going to originate from inside the network. So all connections are going to be outbound to initiate. So none of your firewall is... I don't even know why. I'm, like, Boston accents coming out. I'm getting all frothed up. Your firewall is not going to stop outbound connections. And I don't know what... Phil Stafford might be able to answer this question. I don't know if MCP servers use port 443 or not. Like, do MCP servers have their own port? Let me know in chat here. But, like, my point is, if it's web traffic, you're not blocking it.
So your network layer control is not going to be doing anything. You're gonna get picked up and dropped on your head. And it... again, it doesn't matter. It's Claude Code. Wait for OpenAI to come out with something. Wait for who else? Gemini to come out with something. The paradigm of this is what is incendiary hot. Okay, it's gross. You know what this is? This is basically polluting, like, npm or PyPI or GitHub, these repositories. But before, we only had to worry about developers making bad choices. Now we have to worry about, like, my aunt Dorothea making bad choices. Right? This is, like, unlocked a sh... This has unlocked a lot of risk for businesses. You got to be on top of this thing.
C
JS repos target devs via fake jobs. North Korean-linked hackers are targeting developers with malicious Next.js repositories disguised as job interview projects. Opening these repos can trigger remote code execution, establish persistent command and control channels, and exfiltrate sensitive data. Microsoft warns the campaign exploits developer workflows, including automated Visual Studio Code tasks, to deliver backdoors. It's meant to access high-value assets and poison the software supply chain. Defenses include enforcing IDE trust policies, monitoring Node.js execution, and restricting outbound connections from developer endpoints. All right, Marquis sues SonicWall over backup breach. Stop. Marquis Software
A
Listen, I don't research or prep for the show, so I don't know what stories are going to come up, but this, like, this is tailor made. So whoever curated these stories, thank you. The story I just flipped out about, about how everybody's going to be getting compromised because they're just like yoloing MCP servers. This is much more of a, you know what I'm talking about standard. This is North Korean threat actors compromising code repositories to target developers. This is, this is like basically the predecessor to the, the Claude code issue that I just laid out. Okay, here's the deal. This is, I mean, whatever, North Korea is doing this, they're getting fake jobs. You know, for people who are having a tough time finding work in the US right now, this must be double infuriating because like these people aren't even allowed to get jobs and they're getting jobs, which is crazy. Here's what I would say real quick for the sake of time. It's not, it's going to go over like a lead balloon. So I would not send this enterprise wide so your executive team sees it. But what I would say is I would talk to, if you have developers, right? I would talk to the manager of the developer team and say, hey, I want to tell the team this. Get, get kind of like not approval, but like socialize it with the manager first before you talk to the developers and then join their meeting, their weekly meeting, or their morning standup. If you're an agile development team, or whatever and just say, hey, listen, all right, this is all you got to say. I'm telling you, this is going to help manage this risk. Listen guys, we, everybody works here. It's wonderful. At some point some of you may leave to go to other jobs. It's real. Like, let's, let's not pretend that this is a family and you guys wouldn't take another job if it paid more or if you moved or if it offered better benefits or your life situation changed. You have a kid and you want better health insurance or whatever, right? 
So let's just be real that you come to work for money, okay? So what I want you to know is criminals are targeting you. Make it personal. They're targeting you by giving you tricked job interview tests. Okay? So you're obviously not going to be like, oh, I'm interviewing for a job at 2 o'clock today at work. But just be mindful, if you ever do go do a job interview and they want you to download something or run something to prove your technical acumen, be aware this is a real thing. They are trying to trick you and run malware on your machine. And if you run malware on your machine, you're going to be compromised. It's not a real job, it's bad. Be aware of this. Don't even bring up, like, running it on a company machine, we're going to detect you. Like, don't even... just make them aware of this. They're developers, they know what malware is. They, you know, they're going to think they're the smartest people in the room anyway. So, like, just make them aware of it. Because here's what's going to happen. If they're interviewing for a job, they're not going to be overt about it at work unless they're absolutely self-destructive, right? Unless they're sending emails to management about how they don't want to, you know, they don't want to do the job, whatever it is, right? So just make them aware of it. Right? Let's be real. But anyways, this will help protect, develop... What I really want to stop is developers from running malware on company assets and then not telling anyone because they're trying to hide the fact that they're looking for a job.
C
Solutions is suing SonicWall for gross negligence after a ransomware attack from August 14th disrupted 74 US banks. Hackers accessed Marquis data by exploiting a February 2025 vulnerability in SonicWall's MySonicWall Cloud Backup API, not an unpatched firewall flaw. The breach exposed encrypted credentials, configurations, and MFA codes. Marquis claims damages, reputational harm, lost revenue, and seeks compensation, indemnification, and attorneys' fees while defending 36 related class action lawsuits.
A
All right, so, I mean, in the United States, you can sue, like, all over the place. So here's the deal. This company got hit with ransomware, they lost a bunch of money, they're pissed off, and they're starting to sue people. That's what I think's happening. They want SonicWall to take the fall for this. They probably didn't have cyber insurance, if I had to take a guess. All right, so let's take a look at how this... why? What's their argument here? Okay, so Marquis is saying that, you know, basically a threat actor detonated ransomware and screwed up their business. They're saying that SonicWall had a security failure because they thought that a hacker bypassed a firewall through a technical exploitation. But in reality, the attacker got configuration data from SonicWall's cloud backup infrastructure. I still don't see how this is a SonicWall issue. Cause of the breach was a security gap that was introduced in its MySonicWall cloud backup service via an API code change. Yeah, this was well communicated. All right. Oh, they hired Mandiant to come in. So they were quite serious. Right. As I mentioned earlier in the show, state-sponsored hackers did it. So Marquis is saying that they had all the things. Right. SonicWall firewall was fully patched, MFA was enabled, all the controls were in place, and the threat actor used the SonicWall cloud backup breach data to get in there. Right. Oh, so, okay, so here we go. This is a problem. Marquis actually contacted SonicWall, and SonicWall withheld critical information and ignored the request. Now, now we have a case. Okay, here's my thing. By the time Marquis contacted SonicWall, it sounds like they had already been compromised. So, yeah, and Marquis is being sued by 36, or has 36 class action lawsuits against it. So this is... I mean, whatever, dude. I mean, whether SonicWall is right or wrong, Marquis is playing a numbers game. Like, they're being sued by 36 different class action lawsuits.
So they're turning around and suing SonicWall. It's like, I mean, basically, you know, it's like, you suck. And they're like, don't look at me, look at them. They suck. Let's all yell at them. So this is America. So we'll see how it goes. Not a good look. I think SonicWall is gonna have a pretty strong case. The fact that they deliberately withheld information is not a good look. But you might be able to say the person on the phone didn't know, you know, whatever.
C
School... Chicago Public Schools. Have a good day, Linda Smith. PowerSchool and Chicago Public Schools will pay $17.25 million to settle a class action lawsuit alleging they eavesdropped on student communications via school-mandated technology. The settlement covers users of the Naviance platform from August of 2021 to January of 2026 and requires PowerSchool to improve privacy practices, delete third-party data, and create a governance committee. Heap Incorporated was removed from this case but faces separate litigation in New York State. The lawsuit follows prior concerns, including a 2025 hack exposing data for 62 million students and 9.5 million teachers. We know.
A
All right, so PowerSchool got straight up pwned last year. PowerSchool is run by an 85... sorry, I didn't change the graphics. PowerSchool is in 85% of schools in the United States. It basically, like, allows you to log in and look at, like, reports and stuff like that, instead of the old paper report cards. They got hit and now, I don't know why, PowerSchool and the Chicago Public Schools are going to pay $17 million in a class action lawsuit. I don't see how Chicago Public Schools is somehow liable for this, but okay, yeah, whatever. So I guess this is one instance where, like, we always talk about, like, oh, you know, like, a company has data stolen and you and I are the ones who are compromised, or you and I are the ones who have the issue. But, you know, the business is the one who had the compromise, and somehow the business gets to skate away scot-free. In this instance, they're paying $17 million. Of course, with any class action lawsuit, I would imagine, like, half of this goes to lawyers and then the other 8 million goes to, you know, 100,000 people. So everybody's going to get, like, 5 bucks. See if I can... Yeah, there's no details on what the breakout is. There's not, I don't know, there's nothing really here. Like, basically PowerSchool got hacked and this is, like, some fallout from it, period. Full stop. All right, we're going to wrap. All right. All right, guys. Hey, I want to say thank you all very much for being here today. I hope you got value from the stream. Oh, there we go. FedEx got a 112 check from the Naviance breach. All right. All right, good news, guys. We got Jawjacking for you coming up in just a minute. If you're not sure what Jawjacking is, this is a 30-minute AMA. Basically, we at Simply Cyber Media Group can't do one-on-one coaching, but we can do 30 minutes of answering your questions to the best of our ability. Today's guest host will be Eric Taylor. Eric Taylor did it on Tuesday.
The Thursday slot was Zach Hill for a minute, Jesse Johnson for a minute. So we're still kind of rotating that seat to find other perspectives and make sure that you guys get all the opportunity you can get to level yourself up like a boss. I'm gonna go teach George. I'm gonna go teach the cadets Code Brew. I've been telling you guys what I'm doing every day with the cadets and Code Brew. You seem to enjoy it. So today I'm actually deploying a Wi-Fi Pineapple and teaching the cadets how to set up a rogue access point to commit espionage. Come take my class at the Citadel. Oh my God. Okay, guys, I'm Jerry from Simply Cyber. I want to say thank you very much. We'll see you tomorrow at 8am. There is no Simply Cyber Firesides today. Also, there is no workshop today. So there was supposed to be a workshop this afternoon. I had to cancel the workshop. I refunded, you know, anyone who had paid to go to the workshop. We could talk about the workshops later. I might just cancel that entire initiative. It doesn't seem like anyone actually wants the workshops, but I'll talk to the community about it later, guys. Have a great time. Jawjack. And I'm Jerry from Simply Cyber. Till next time, stay secure. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field. Live, unfiltered, and totally free. Let's level up together. It's time for some Jawjacking.
B
Good morning, good afternoon, good evening. This is... my name is Eric Taylor. I am here for Jawjacking. Excuse me while I get a little comfortable. Hopefully everybody's been caffeinated up. Let's talk about some stuff. Let's get some questions answered. If you're new to this, this is the way that we work. We do, it's a freestyle. Ask any questions you want. Put a Q colon mark in the chat and it will... that way I can easily find your question. So definitely do that. If the music is loud, let me know. For those who are new, the reason people are putting the dolphin in there into the chat is because most of the time, instead of cursing, I do a dolphin sound, like so. So that's why you see the dolphin. I get pretty spicy a lot of times, so. That's right, Carrie. You know, it says spicy dolphin. Awesome. You guys are digging again. I'll put the playlist here. I've been, ever since LA on Tuesday, this chill royalty-free music on Spotify
A
been.
B
It's been pretty good. It's been pretty good. I've been enjoying it. Sorry, I didn't mean to click that. Let's get rid of that. Let's see what everybody's talking about. The dolphin just jumped over the boat. I guess if you... While we're waiting on questions, and we just don't have dead air, let me actually fire up my Chrome browser and switch over. Bottom left, and let me pull up something if you're not following. This is kind of a shameless plug a little bit. Sorry about it, but we've been partnering and being a member of Ransom ISAC and really working with them a lot to get some stuff taken care of, really put out some publications and stuff like that. We've got a major, major one coming out. This freaking thing is, like, 30 freaking pages, and as soon as I can get the link, I can give it to you guys and gals here. Come on, come on, come on, come on. Thank you. Where did my Chrome browser go? There it is. Too many tabs. Go away. Cancel. Go away. Go away. So we got... now put it here in chat. So if you're not following it, you know, this is not something that we do. You know, it's not a Barricade Cyber initiative or anything like that. It's just somebody that we're partnering with to help bring out stuff. But we have a full breakdown on Venom ransomware. Tammy Harper, who runs or helps run ransomware.live, which does a lot of threat intel stuff about threat actors, things of that nature. She posted it into some of our private feeds and we just went ham. So got some contributors that really helped polish up the thing. But yeah, I'm pretty happy about this one coming out. So again, if you're not following them, consider following them, please. There's a lot of good people putting out a lot of good content, and this year is going to be even better. So happy to be a part of that. All right, question coming in from the Kaukow. I'm invited to be a panelist on CareerVillage. Got any advice for a good panelist? Honestly, no. As much as I... I don't.
In short of just being you. Right. I mean, a lot of times we get... I get asked to be on panels and stuff like that, which I prefer more than, hey, will you do a talk? I'm like, I don't know what to talk about. What do you want me to talk about? I don't know. So just be you. If you don't know, just say, I'm sorry, I just don't. I don't have any insights on this topic. It's better to be authentic and honest than anything else. Have we all been part of those talks when you're like, this individual has no clue what they're talking about? From Taiwan Gone. What are your thoughts on on-call? I personally don't like it. I'm assuming that you're being on call to respond. To be honest with you, I'm on call 24/7. As a business owner, I try to make sure that people aren't, or they get rotated. But, you know, if you are, if you don't like being on call, I'm not sure, you know, short of potentially talking to management like, hey, can we do a rotation on this thing? Or if you're not getting compensated in some way for being on call, you know, I mean, unfortunately you don't state why you don't like it, so I'm not sure how best to give recommendations.
A
But
B
yeah, I'd just talk to management about it, to be honest with you. From The Rich, any thoughts on the Claude Mexico government hack? Seems to be a lot of false information out there. There. Is there? I don't have anything meaningful and/or accurate to say. Like you stated, there's a lot of false information and believed-to-be false information. However, what I will say, though, is the agentic AI and being able to put workers together in tools like Claude Code and Anthropic and stuff like that, when you're running CLI versions for a lot of these things, then AI pen testing, I should say, is going to be even more problematic in the near future. OpenClaw's really making it easy for folks to do that type of thing. So. And there's, like, four or five different GitHubs out there for those type of things. So it's going to be a problem. It's going to put defenders back on their heels if they're not already.
A
So
B
my current fear right now is... I'm sorry, I know I sound nasally, I'm still fighting this stupid head cold thing, but it's how viable are those? Right? Yeah, I think I've talked about it before. I was on, we were doing a podcast for a while there, and we had one of the EDR vendors on, and I'm not trying to shame them by any means, I'm not going to mention her name, but I was bored on the podcast, and if you've been around for a while, when I get bored, I get malicious sometimes in terms of, like, doing OSINTing and just doing discovery and just doing whatever. And I had several boxes that I just plugged in a domain and I just let it run. Well, I brought down their entire billing system and things like that. Just creating noise, just doing OSINTing on them and getting a lay of the land, stuff that shouldn't be easily knocked over. I say that to say, I don't know if a lot of these AI bots and workflows are just going to do that. They're just going to cause a bunch of noise and false positives on potential vulnerabilities inside of an environment and just keep the already stressed-out blue teams and defenders even more stressed out in the fray. So I think it's going to cause a lot, a lot of issues. So on both sides of the fence. But to your specific question, I really don't have any insights, unfortunately, because, like you said, there's a lot of false information out there. One second. Sorry, I had to cough there. Nobody likes coughing in their ear. All right, from Shane F. 719: Eric, can you talk about some of the interesting PS living off the land techniques you see, or some favorites? I don't really have any favorites right now, but I do see
A
once a
B
day I'm going to keep talking, I'm going to fill up my water bottle. It's literally right over here. So I won't go anywhere, so you won't see me on camera. But I will say some living off the land stuff, you know, some tools like AnyDesk and TeamViewer and stuff like that, you know, it's... those are not living off the land per se, but in a way a lot of people still consider it. And I kind of do to a certain percentage, because those tools, they have executables that do not require an installation. And to me personally, there's two sides of living off the land. You know, you're using either built-in software that is native to the operating system. Sorry, had to take a drink. Try to keep this stuff down. You're leaning on stuff that's built into the operating system. Or, again, this is my personal opinion, you're using software that does not require a service to run or installation of a software to run, so you can... The only way to detect it is to detect processes executing. To me, that's living off the land. Again, that is my personal opinion and definitely not one of the cyber security community as a whole. That one, you know, depending on who you talk to, is where they stand. Okay, so take that with a grain of salt. So to me, you know, running TeamViewer and just changing, like, anydesk.exe to any, then the number one, .exe. I've even seen some people do any and then spell out o-n-e .exe. So, and TeamViewer has been a lot of the same way. I've been seeing a lot of using Windows Quick Assist, which is truly living off the land because you're using the native stuff that's built into the operating system. So if you don't know, you're a blue teamer, I don't remember which version in Windows it started, but there was a built-in Quick Assist. And then at some point, again, I don't remember which version it started, but it started pivoting over to the Windows Store edition.
Now when you launch the original one, it will prompt for this Windows Store upgrade version, and both of them make different URL calls and different processes. So being able to fully understand that is some unique stuff. So a lot of blue teamers we're seeing are not, and blue teamers, defenders, are not realizing there's essentially two different versions of Quick Assist inside of a Windows operating system. At present, any threat actors or threat vectors you are keeping a close eye on this week? Anything new or emerging you expect to make big waves in the coming weeks? Again, just the AI stuff. You know, like I mentioned a moment ago, I'm really digging into trying to determine, are AIs doing any sort of headers or anything like that to be like, this is an AI bot that's, you know, fuzzing the trash out of your IIS server? And most of the time they're doing the same things like Burp Suite and stuff like that, where it just pretends to be a Mozilla browser. So being able to determine that, we got... I even built a custom tool. That way we can take all the IIS logs, parse all the IP addresses, dump them into our homebrew tool, and start parsing through, like, AbuseIPDB and Spur to see, you know, has it been reported to AbuseIPDB? Is it known for, like, a known Tor exit node or known VPN, things of that nature? I think, again, this is going to cause a lot, a lot of noise, and definitely something that's on my radar. One other thing, I mean, you see the story earlier because I was actually in the green room listening and catching up. But the claim that nobody's going to attack my old gear is false. We've seen that with Cisco, you know, in the story earlier today. So, you know, making sure you're doing proper sanitation and being able to get yourself up and running in an obscure fashion. And while I'm talking, I'm going to change this because this is actually driving me nuts. I want to move this over. I don't like it being right under me. There we go.
A
All right.
B
Sorry. A little housekeeping. All right. From Circle Pits Ops: I'm setting up an OPNsense firewall router for my home Wi-Fi and modem. Should I go through the steps and document my home lab utilizing the NIST CSF? Thank you. Absolutely. You know, I am a, you know, a lot of people are going to say that's completely unneeded, unnecessary, things of that nature. But I disagree because. Well, I guess let's take two steps. Are you, I assume you're asking this question, is why I'm going to state this, that you're trying to understand, you're trying to learn this CSF, and this is a good way to do it. Going through the practice of documenting things for NIST CSF or whatever framework that's of interest to you is great. It really is. It helps you understand. Am I applying things in a proper manner? Am I doing things, you know, and you know, going through the steps of how to properly do documentation and what the term of really acceptable risk is, and CSF is that it's baked so much in acceptable risk. Like, what am I accepting as a potential risk? That's really, really good to do. So a thousand percent, thousand, thousand percent, I would highly recommend it. I don't do that to a lot of stuff. It's, you know. Because those people do not want to really go through the time of that. And you know, those who. Jerry even mentioned a little bit ago that some people think governance is trash or whatever, and I give Jerry a lot of trash about it only because I hate documentation myself. Right. And it's been a long-running joke that I mess with Jerry on, you know, that I don't like GRC, and it's because of documentation. You know, I really do think controls matter. You know, the R fortify is baked so much in controls. You know, any blue team defender, you're putting in controls. GPO policies are controls. I just hate doing documentation. It's. It's the worst thing in the world to me. I'd rather go play in traffic.
So if you're new here and you ever wonder why I give Jerry trash about it, that's why. But I just love messing with him on it. And honestly, if you're in GRC, literally, if I had a hat on, I would tip the hat. Take hats off to you, because you guys and gals live in so much documentation. You know, that's just not my world. Right. You know, that's like me being a doctor. I couldn't be a doctor. Yeah. It's not for me. Right. And that's where we all have great techniques. We all have great, you know, specializations. So. Taiwan gone: When can you get out to Kansas City? I don't know. Nobody's invited me. Is there a reason for me to go? I mean, short of meeting you, I'm assuming, Taiwan gone. But I'm not trying to sound elitist here by any means, don't take this the wrong way, but right now, especially as busy as we are, there's got to be a benefit to the organization to get me out somewhere. Right now we're in a massive growth phase and, you know, being able to properly allocate, it's like, okay, I'm going to take a day or half a day away from running this freaking bus called Barricade, that, you know, I'm gonna go out to Kansas City. What is the real benefit? Now, let's just say hypothetically, there's 20 of y'all out there in Kansas City and you're doing something out there, like a meetup or something like that. I can meet 20 of y'all people. That can be beneficial. It doesn't have to be monetary, but there's got to be a reason for me to get to somewhere, if that makes sense. Wait, what? "Quick Assist has been view also via pit phishing MS Teams." Dominic, I know that wasn't a question, but I saw that and it caught my attention. What exactly are you talking about? Am I. And I don't mean that negative. You're stating something that I have not seen before. If you've got a link or something, put Q and put a link or some documentation, because you've piqued my interest and I would love to know more about it.
And this right here, this, this right here, this right here is exactly why I say, you know, talking about the panel before, knowing to admit when you don't know everything. I don't know about this particular situation. This may be, this is something that I'm not privy to and I'm not going to pretend like I know. If you've got documentation or there was a story I missed or something like that, please, please let me know. I'd be very, very interested to know that, because that's a new tactic I was not aware of. Now, now that I say that out loud, I've heard a story, and I don't know how true it is by any means, but people would be, threat actors were making Microsoft Teams calls to other Teams users and asking them to open Quick Assist. I have heard that. Again, I don't know how true it is, but it seems plausible to me. "Documentation is so imperative, even for IT." Oh, it absolutely is. Thousand percent agree. You know, it's. It really is. Because, I mean, let's just say hypothetically you or I get hit by a bus tomorrow; without documentation, nobody's going to know what in the world we're doing. So I understand the need for it. It's just being a, I guess, you know what, it's probably my ADHD brain that has a hard time focusing long enough to create documentation. Now I say out loud, I wonder if AI can help me do that. I'm gonna see if NetworkChuck has some documentation or a video on helping doing documentation, because he's into AI a lot. I bet he does. If not, I know a lot of y'all follow him, and I bet if a bunch of y'all message him and put comments like that, you know, hey, we need a, we need a video on AI doing, helping us do documentation and going through the vetting processes and stuff like that, I think that'd be a really good thing. All right, what else we got? Again, we got a few more minutes. If you have questions, please, please, please, please ask them. Want to go through real quick, let me know.
Are you, is the music still jiving with you? Are you enjoying this Spotify chill royalty-free music? I am. I love Restream and I love their music. But this playlist that I stumbled across has been, to me anyway, I've been, I've been digging it. Like, it's even helping me in my ADHD focus. Like, I'll literally just play it and it's helping me actually focus. I think I've got all the questions asked or answered. And let's see, can I. How do I copy the title to this again? Because I want to share it with you guys again. If you share, copy link the playlist and post it here in chat under me. There you go. If you want to listen to what I'm listening to, literally, it's. It's becoming one of my favorite playlists. Just to keep it on loop, it's been really, really cool. "I think Quick Assist comes baked in." Yes, it does. Yes, yes, yes, it does. Absolutely. And I think the latest version of Windows 10, it has it on there. Don't. Don't quote me on it, but I'm pretty, pretty sure, pretty, pretty sure. "Using AI documentation is actually very nice." So I assume, dev CS2, you are using AI for documentation. If so, well, let's put. Because we are at the bottom of the hour and I do need to wrap it up. But if you're using AI for documentation, go into Discord, into the General or one of the other ones. Make sure you tag me. I'm not very active in Discord, but at least when I come in, I will be able to see those notifications. If you're using AI documentation or AI for your documentation, I would love to know what you're doing, if there's like a setup guide or there's tools or whatever you're using. You know, I think being able to do mind dumps into a platform, even if I just do a bunch of text and with a bunch of screenshots and everything, like, hey, Anthropic Claude, ChatGPT, whatever the tool is. Here's a bunch of my random notes and here's a bunch of my images and screenshots and all that stuff. And I need to clean this up for some documentation and stuff like that.
I think that'll be really, really, really cool, because it's still my work. I'm just leveraging it to help me clean up my work and make it so other people can understand my freaking mental madness. I think that'd be really, really cool. All right, guys and gals, thank you all so, so much for tuning in. We are at the bottom of the hour. I do appreciate everybody hanging out and, you know, jawjacking with me. I will see y'all hopefully tomorrow. Maybe not. But next time. Like Jerry, next time I see you, I will, too, have a haircut so it won't be such a fro thing. And we'll kind of talk again hopefully tomorrow. If not, it will definitely be next week. Again, I really do appreciate it. Thank you all so much for all the questions. Sorry, I, I see that last question coming in. Unfortunately, we're, we're out of time at the moment, but save it. Come back tomorrow, ask Jerry that and things of that nature. So anyway, thanks again and we'll see y'all next week. Until then, stay curious.
A
Hey everybody. I hope you enjoyed that content. Keep the cyber security train going by connecting with the other Simply Cyber community resources. We have the Discord server that's lively and always keeps the conversation going. You can connect with me directly on LinkedIn. And also every single weekday morning on the Simply Cyber channel, we're doing live daily cyber threat briefings, 8:00am Eastern Time, as well as Thursday at 4:30pm we're doing live stream interviews with industry experts, and we produce videos that we push out every Wednesday morning. I'm Jerry from Simply Cyber. I hope you enjoyed the content and we'll see you in the next one.
Date: February 26, 2026
Host: Dr. Gerald Auger (Simply Cyber Media Group)
Special Jawjacking Segment Host: Eric Taylor
Main Theme:
A fast-paced, expert-led run-through of the top eight cybersecurity news stories of the day, with actionable analysis for practitioners and leaders. The episode covers real world cyber threats, breaches, technical developments, and their practical implications. The tone is educational, energetic, candid, and community-driven.
Dr. Gerald Auger welcomes listeners, emphasizing the show's mission.
[64:53] – [90:00]
A freestyle, audience-driven segment with candid advice and blue-team tactics.
The show blends deep technical expertise with easy-to-understand analogies, actionable advice, and genuine encouragement for cybersecurity professionals at all levels. Auger (and Eric Taylor in Jawjacking) deliver clarity, urgency where needed, and practical next steps.
Best For:
Anyone serious about keeping up with daily cyber news, understanding practical ramifications, and advancing their cyber career.
Summary by: Daily Cyber Threat Brief | Simply Cyber Media Group
For more: Visit https://simplycyber.io or join the next live show at 8AM ET.