A
All right. Good morning everybody. Welcome to the party. Today is February 3rd. It is, checking calendar, Tuesday, February 3rd, 2026. This is episode 1060 of Simply Cyber's Daily Cyber Threat Brief podcast. I'm your host, Dr. Gerald Auger, coming to you live from the Buffer Overflow Studio. If you would like to be educated on the top cybersecurity news stories, which will enable you to go beyond the headlines and garner value from it, learn acronyms, learn concepts, see how all the individual parts that you learned about in a classroom, a boot camp, a textbook all sync together, and honestly the real reality of working in cybersecurity, well then, my friend, you are in the right place, because that's what we're doing every single weekday, 8 a.m. to 9 a.m. Eastern time. We're off and running on this beautiful day. Let's go. All right. Good morning everybody. Very astute observation by one of the Simply Cyber community members, BW5542, for sure. No collared shirt today. It is this guy. I will be teaching today's class remotely. Still dealing with some issues here at the house. And you know, it's not an option I like to exercise often, but it's nice to have it in the back pocket when I need it. Episode 1060. brute7679 knows what's going on, guys. Every single episode of the Daily Cyber Threat Brief, including this one, is worth half a CPE. So yes, we're gonna, thank you, Sierra, we are gonna go, you know, way beyond the headlines. We're gonna have fun. 30 minutes, though, we'll be working our little keisters off getting value in an instructor-led webinar, actually. So effectively you get half a CPE. All you gotta do is say what's up in chat, grab a screenshot and file it away. You might never need the screenshots. That's like a pro thing that surprises some people. You may never need the screenshot. You literally only need it if you're ever audited, someone calls bull crap:
"I don't think you got 120 CPEs from this Daily Cyber Threat Brief." And it's like, nope. Here you go. Here's 120 screenshots, or 240 screenshots. I leave it to you, auditor, to go through them. Thank you very much. So say what's up in chat. Also, pro tip, keep today's title of show in the screenshot. It has the episode number, 1060, and it has today's date, February 3rd. It is not a coincidence. I deliberately designed it that way so it would be indisputable evidence for you. Now, we are going to go through eight stories. I'll let you know how many I have gone through, how many I've researched and prepped for. The answer is zero. Ain't nobody got time for that. That's right. Nobody ain't got time for that. You know, honestly, no one does that in reality. No cyber professional goes through, reads a bunch of stories, digests it, and then pretends to go through it for the first time with others like they're some type of savant. No, ain't nobody got time for that. For reals. Now, I do want to say good morning to the Simply Cyber community. I definitely appreciate you guys showing up. So many regulars, green-labeled and not green-labeled. Honestly, there's so many of you that show up on the regular. Even folks showing up on the left coast like Elliot and Phil Stafford on the regular. Marcus Kyler, Toasty Pops and the Kansas City contingent up in here. Sierra, just bringing the heat, guys. It's great to see you. And shout out to the mods. I see Dan Reardon in chat. Guys, if today's your first episode, hello, I'm Jerry. Welcome to the party, pal. Welcome to the party. I hope you enjoy yourself, first-timer. But in order for us to be able to serve you to the best of our ability here at the Buffer Overflow Studio, I would ask that you let me know that you're here for the first time with a hashtag: #firsttimer. #firsttimer in chat. We have a special emote, a special sound effect.
The squad of Simply Cyber community members like to get together and welcome people for the first time, just so you know that it's legit. We're not just making crap up here. Okay? So #firsttimer in chat. Welcome to the party, pal. Welcome to the party. And hey, if it's been a minute, if you're just tuning back in, you've been here for a while, you've been a long-timer, but you had to take some time off for whatever reason and you're just popping back into chat, welcome back to the party, pal. It's great to have you. Now I do want to say, let me think here. Oh, every single day of the week has a special segment, and Tuesday has been the long-standing Tidbits Tuesday, where I share a little bit about myself and we see if we vibe on it. Now, many of you probably think I'm going to be bellyaching about cutting my thumb tip off yesterday, but that's not it. I've got a good one for you, so stay tuned for that at the mid roll. Now before we get into it, I do want to say shout out and holla to the stream sponsors, those who I genuinely appreciate because they enable me to bring this show to you whether I have all of my fingertips or not. Good to see Casually Joseph in chat. Poor guy's been missing the show because of his work schedule. These things happen. All right guys, I gotta say shout out, holla to Flare. You guys know Flare. Flare is the cyber threat intelligence platform that I've used and I like quite a bit. Quite a bit. I think it's super handy. Not only does Flare go into the dark web and Telegram channels and really get all that muck on them, they bring it back to you, put it in their database, and then they provide a very slick, very intuitive, searchable interface for you to look for, oh, I don't know, your company's domain name, your company's users' password dumps, infostealer logs, even telemetry around potential targets.
Like, you know, if there's going to be an uptick in activity around your company, it's really, really awesome. I have a whole video on the Simply Cyber YouTube channel. If you would like to experience it for two weeks on your own, no strings attached, go to simplycyber.io/flare. I will tell you, this is not just something you sign up for and start accessing. They do have to validate you, which is not a problem if you're legit. If you're a criminal, you don't need access to this stuff anyways. But they do vet you first, simply because, dude, the value of the information in here is ridiculous. Like, if I was a threat actor, I would want access to Flare. It's such good information. But as a defender you can't really get better threat insights than this. So give it a two-week trial: simplycyber.io/flare. Thanks, Flare, for sponsoring. Let me tell you about Antisyphon Training. You guys know Antisyphon Training is disrupting the traditional cybersecurity training industry, offering high-quality, cutting-edge education to everyone, including you. Wild West Hackin' Fest: Mile High is next week. Are you going to Mile High? Let me know in chat. Looks like they've got so many trainings. Michelle Khan will be there. But if you can't make it, or even if you can, tomorrow you've got a free Anti-Cast on M365 Exchange Online configuration. Guys, if you want to know how to properly configure the email security gateway provided by Microsoft in their Azure instances. If you have a client, if you're an MSP supporting clients with Microsoft Office 365, if your own business is on Office 365, dude, a lot of times configurations are set it and forget it. So don't sleep on this opportunity. It's one hour. It's absolutely free. You do have to register. I'll drop a link in chat. Thank you very much, Antisyphon Training, as always. Hey, by the way, we've got some fun stuff. Jason Blanchard contacted me over at Antisyphon.
He is working with Rekka Comics and he's going to be providing several special comics for us to raffle off in the Simply Cyber community exclusive raffle, which is pretty dope. Looking to get some more info on that, but just a little something to put on the shelf and look at as we get closer into the month. But do enjoy it. AG Flex show is going to be in Denver. Cheddar Bob will be there in Denver. Good to hear that. If you guys want, really quickly, if you are going to Wild West Mile High and you don't already have, like, you know, a group to roll with, don't be shy, guys. The Simply Cyber Discord server does have a Con Chat (C-O-N, Con Chat) channel. Take advantage of it. There's always a bunch of Simply Cyber people running around in there. Always. Very cool. Oh, all right, all right. Real quick. Let's hear from ThreatLocker and then prepare for the face melting. I want to give some love to the Daily Cyber Threat Brief sponsor ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. ThreatLocker takes a deny-by-default approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US-based Cyber Hero support team. Get a free 30-day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com/dailycyber. All right, it's that time. Everybody sit back, relax and let the cool sounds of the hot news wash over you in an awesome way.
B
CISO Series It's Cyber Security See you.
A
At the mid roll.
C
These are the cybersecurity headlines for Tuesday, February 3, 2026. I'm Sarah Lane. OpenClaw targets crypto users on ClawHub. Security researchers warn that OpenClaw, the self-hosted AI assistant formerly known as Clawdbot and Moltbot, is being abused to distribute malware. Open Source Malware says at least 14 malicious skills posing as crypto trading or wallet tools were uploaded to ClawHub in late January, tricking Windows and macOS users into running obfuscated commands that fetch malware. The incident highlights how OpenClaw's unsandboxed skills model and rapid rebranding have made it an easy target for social engineering. Notepad++... All right.
A
You know, it's interesting. Okay, so really quick, if you haven't heard about this, I actually posted something on LinkedIn yesterday. It was like, if you click on the link I get like a buck or something. But it was a link to a report, a researcher report on this Clawdbot. And I've been hearing about this Clawdbot and I, whatever, read this blog and found it interesting, and then found out I could get a dollar a click for it. So I was like, all right, I'll share this. So I'm a little bit up on this. Basically, it's an open source AI tool that not only can you query with prompts like, hey, write me a recipe for butternut squash ravioli, but you can have it configured to do things: you can have it pop a shell, type things in, you can have it draft emails and then send them for you. Right? So it's like an assistant, but it's all open source and you can run it locally, which unlocks all of the shadow AI issues. Right? So, Carl, you got somebody who's like, oh, this is interesting, I could do this. FedEx saying John Hammond made a video about it. Oh, that's awesome. Go check that out. So this means that there's a lot of people who want to use this thing, or have seen other people use it, and are like, oh wow, I don't understand it, but I know that it can do things. I've seen it do things. I want it to do things for me too. Download all the things. And threat actors are well aware of this. So Clawdbot, or OpenClaw, is not malicious by itself; it's legit by itself. It's just threat actors have discovered, or it's come onto their radar, that there is an entire massive user population that are effectively not technical, that are being given, you know, an on-rails experience to download and install this thing. And honestly, for threat actors, this is a perfect storm. You're getting unsuspecting, unskilled, non-technical users who are just blanket installing this technology and following the guidebook on what to do next.
Oh, download this, run this, do that. And they're pulling down, you know, third-party extensions or skills that propose to do something like, oh, you'll do high-frequency trading, we'll do arbitrage with your Bitcoin wallet. You'll make millions of dollars. I'm AI, let me help you. Right, so people are just wholesale downloading it because all they see is dollar signs in their eyes like Scrooge McDuck. Right? Drink, by the way, if you don't know who Scrooge McDuck is. I don't think that's a generational thing. But my thing is, you know, they're doing it with cryptocurrency wallets and such. So interesting. Even if I advise people to, you know, be mindful about what they're typing in or what they're downloading or reviewing, you and I can do it, right? Ad tech, Amish Node, Sierra, Phil, like, you and I can crack open a Python library or some type of interpreted language command and look for obfuscated code, look for bizarre functions, look for things that say, like, copy off or reach out to some weird IP address. We can do that. Timmy and Jojo over in the engineering department, or Kathy and Bobby over in sales, they don't know what they're looking at. They're just like, oh, I saw it. You know what it makes me think? So anyways, it's a high risk. And on top of that, you as a professional, me as a CISO, we can't see when people are installing this crap, because they can install it under their own permissions. So this is going to result in not just AI sprawl, shadow AI sprawl, but it's also, you know, if it's Bobby's crypto wallet getting pinched, that sucks for you, Bobby, but that doesn't affect me. But you're giving a foothold onto our internal network on a corporate asset to a threat actor. Now it's my problem and now I'm pissed. This Clawdbot thing right here, this might be an American thing, so I don't know, you let me know in chat, but this reminds me of it.
This happens every couple, like every five years, there's like a big flare-up of this, okay? People will buy these little modified Amazon Fire Sticks that have access to, like, you know, all sorts of streaming services for free. Like, it's illegal, right? It's like pirated software; you just plug in the Amazon Fire Stick and you have, like, all the IPTV channels, including the, you know, Cinemax After Dark channels, right? And you know, some tech user gets it and plugs it in, and then they have family over for Thanksgiving, and then, like, Uncle Gregory's like, oh, that's interesting. So Uncle Gregory is a little tech savvy, gets one, and then his son, cousin, gets to see it, and they're like, oh, I'm gonna take it back to school when I go back after Thanksgiving. And then all the kids at the school are getting these things for 50 bucks, these pirated Fire Sticks, right? None of them know anything about it or how it works. All they know is, oh, you got to plug it in, download and whatever. Like, that ripe population of unsuspecting victims is right on what's going on with this thing. I'm telling you, this is like an explosive rash. Okay? Having said that, from what I've heard, it's actually quite useful. Just don't download malware with it. Yeah. Okay, let's go.
C
Notepad++ update delivers malware. State-sponsored attackers hijacked Notepad++'s update mechanism, redirecting some users to malicious servers that delivered malware. According to the project's maintainer, the compromise occurred at the hosting provider level, not in Notepad++ code, and involved targeted redirection of update traffic starting as early as last June. Security researchers linked the activity to China-nexus group Violet Typhoon, which targeted telecom and financial organizations in East Asia. Notepad++ has since moved hosting providers and hardened its update process.
A
All right, this is... we don't see this very often, okay? And what this is is Notepad++, which is a very popular text editor, if you will. You do have to download it. It's not native. Notepad is native. Personally, in case anyone cares, I'm a Sublime Text user. Sublime, that's my jam. But a lot of people like themselves some Notepad++. Now, Notepad++ was not compromised, okay? This was not a vulnerability from a decompiled version of Notepad++ that some threat actor wrote a zero-day for. This was the update servers and infrastructure that update Notepad++. And while I don't know the story was coming or researched or prepped for it, I am a cyber professional and I'm very passionate about cybersecurity. So I get a lot of feeds and stuff. I will tell you, Matt Johansen over at Vulnerable U did a nice YouTube short on this one. So I do have some insights already from Matt reporting on it. But when I said you don't see this very often: this is, I don't want to call it an obscure app, because there are a lot of people that use Notepad++, but my understanding is China, right? So state level, nation state, putting valuable, valuable resources like operators on this project, said, I want you to infect Notepad++. I want you to infect these people. Right? I don't know who these people are. But it was determined by China that these people, or this organization, needed to be infected. They then discovered that those people are using Notepad++ somehow. All right, so that right there is interesting. Their target population was using it. They hacked the update servers and then put in patches. So whenever an update was pulled, if it was the people that China wanted specifically, it would infect them. Everybody else would just get the regular updates. So this is not a wholesale infect everyone and sort the bodies out later kind of thing, which is part one of why it's very unusual. Okay, so it's a super targeted attack. Number two,
it makes it unusual because this is not Microsoft Word. Like, this isn't one that everybody's going to have. If you hadn't even heard of Notepad++ until today, then you're making my point, right? So, not obscure, but a less common app, very specific targeted users, and the way that they went about it was through the update service, which is not an unprecedented attack vector. Now, if you are a Notepad++ person, you can, like, thank God you're still listening to the show as you're walking to the dumpster to throw your computer in it. You can do an about-face and walk back into the office or into the house and put your computer down. Because if you are running Notepad++ and you have updated it recently, then you are good to go. The compromise has been eradicated and the updates now push out the changes made by the threat actors. It's unclear whether or not they were successful in getting their target and doing whatever action on objective was their goal. But it's just wild. Like, if you're looking for an example of this done in a more common way, Russia did the same exact thing with SolarWinds a few years ago. They infected the update servers and took over, you know, SolarWinds Orion and got into hundreds and hundreds of companies and US federal agencies. To me, that makes sense because, you know, SolarWinds is going to be installed in all those places and then it becomes a let's see what we get, right? Cast the dice and see what we score. Also, Russia did this with Ukraine with the M.E.Doc accounting software. If you're not familiar with that particular attack, go look at NotPetya. NotPetya. That was the attack. That was the payload that Russia pushed onto the Ukrainian users. Again, you know, widespread attack. Lots of people who were not Ukrainian targets got compromised. Mondelez and Maersk Shipping, notably. So very interesting.
I will say, if you have anybody in your office, like, I feel like this would be one of those ones, and I'm borrowing this kind of from something Casually Joseph said yesterday to me in DMs. But, like, if you have someone at your office today who's like, actually, I use Notepad++ and I have fears that I'm compromised. Oh no. It's like, all right, pump the brakes, Chicken Little. Like, chances are, like, first of all, good on you for using Notepad++ and thanks for letting us all know. But let's be real. Like, I think that this was very specifically targeted. Again, China's wicked good at espionage, so I have to. And Notepad++ is more like your nerd tech engineer, R&D developer type thing, Notepad editor, right? My Aunt Dorothea doesn't need to upload a note. Aunt Dorothea doesn't need Notepad++ because Notepad by itself does everything Aunt Dorothea needs, right? Notepad++, she's not going to get any more functionality.
C
APT28 attackers abuse Microsoft Office zero-day. CERT-UA says Russia-linked APT28, also known as Fancy Bear, is already exploiting a newly disclosed Microsoft Office zero-day to target Ukrainian government agencies and organizations across the EU. The bug went from disclosure to active exploitation in days, with phishing emails delivering malicious Word documents that quietly pull down malware and deploy the Covenant post-exploitation framework. Microsoft has released patches, but CERT-UA warns attacks are likely to increase as many users delay or are unable to update.
A
All right, so way to go, Russia. I mean, I feel like it was just yesterday, as I get whimsy in my eyes and blurry around the edges as we fade to a historical callback memory here, dude. Microsoft Office zero-day. This used to be like every day. They might as well have called it Microsoft Office Every Day, because, you know, five, ten years ago, man, it was insane how common it was. Nowadays, like, they've disabled macros, they cleaned up some of the issues, it's browser-based in many instances. So. But don't worry, APT28, who is highly effective, has gone and done it again, finding a zero-day in Microsoft Office. So let's see what they do. It leverages this particular vulnerability. Let's go look at EPSS lookup. And it's a 7.8 out of 10, which means you're probably never going to get to it. 86th percentile chance that you get exploited. That's very high. Like, if I was gonna go to a casino, I don't really gamble. Actually, I don't gamble at all. Like, whenever I play poker or something like that, I'm not expecting to win. But 86, I'll take those odds every day. I wish the Patriots had an 86 chance of winning on Sunday. I'll take that. This is in the CISA Known Exploited Vulnerabilities catalog, meaning that it is being actively exploited by APT28, also known as Snake Mackerel. Okay. See, so what do they do? They have to send a file. They're sending a file called Consultation Topics Ukraine doc, just a Microsoft Word document file. Look at this. Microsoft published the details of the flaw, and within one day there was an exploit chain waiting. This is what I'm telling you. To me, this is one of the, I don't want to call it concerns, because I'm not losing my mind, but this is one of the areas of interest to me. With AI, you can take a vulnerability patch and reverse it. You could take an instance before and after a patch and look at the difference.
And then you can ask AI, what is the problem here? What's the vulnerability? It'll tell you. Then you can ask AI to write an exploit. So these turnaround times are blistering fast. Okay. There was a parallel phishing campaign at the same time. All right, this should have an infographic on it. Does it? No, it should have an infographic. There's a chronological flow to it. So once you get this, opening the file in Microsoft Office quietly initiates a WebDAV connection to an external server and downloads a file, and then drops a DLL for a side channel attack.
C
And.
A
Then establishes C2 and restarts Explorer. Yeah, so this sucks. Guys, here's the deal. Number one, I mean, this is Russia attacking Ukraine. Last time I checked, we didn't have any Ukrainian government officials in the Simply Cyber community. But while that means that you're less likely to get hit, that doesn't mean that the same attack sequence can't be utilized for a business email compromise attack. Right? Instead of saying Consultation Ukrainian plan doc, it could be called invoice 723 doc. Right? And now I send it to your finance team, you double-click it and boom. Quietly installing second-stage payloads and I own you. All right. Is there a patch for this? Microsoft has patched it, including older Office builds, so you got to patch it. Ah, you gotta patch it. All right. To do that, get your patches on, educate your end users if you can, email security gateways. I don't know what this exploit looks like, but it's hidden inside the Microsoft doc file itself and it quietly initiates infection. So chances are it's some type of macro or something. It's not like you open the Word document and it's just code, okay.
C
January update affects more Windows PCs. Microsoft says a shutdown bug introduced by January updates affects more PCs than previously known, extending beyond Windows 11 to Windows 10 systems with Virtual Secure Mode enabled. The issue causes affected devices to restart instead of shutting down or entering hibernation after installing recent updates, including Secure Launch-capable machines. Microsoft has issued out-of-band fixes for some Windows 11 systems and advises impacted users to manually shut down via command line while it works on a broader fix.
A
Okay, so, you know, Microsoft's having a rough go these last couple days. The Patch Tuesday for January, it was reported yesterday, is causing an error where it basically can't mount the hard drive. Last time I checked, that's a problem, right? We need our hard drives mounted, y'all. And now there's another bug that prevents you from shutting down your Windows 11 system, or Windows 10 if it has Virtual Secure Mode enabled. I don't know. I mean, yes, I'm super pumped that they're going to fix this. They released an emergency out-of-band update, which is quite wild for this issue. Ah, you gotta patch it. But I do want to point out, like, lol, I don't know about you, I probably don't shut my computer down every day at the end of the day, right? I've got a thousand tabs open. I've got things set up and running. I kind of just hit Windows key + L and walk away. And then, you know, at least once a month I apply patches and do my maintenance and all that stuff. But for the most part, if my computer was impacted by this flaw, I wouldn't even know it. You know, I don't know about you, maybe I'm just projecting. Maybe everybody just reboots their computer on the regular. But, like, I don't. So anyways, TLDR, if you need to shut down your Windows 11 machine and you can't, this is the problem. You gotta patch it, or this emergency out-of-band. Just because you can't shut it down through the GUI doesn't mean you can't hop on the command line and run this command: shutdown /s /t 0, and that'll do it. Also, I mean, I hate to scream that the emperor has no clothes here, but, I don't know, someone call me crazy, someone call me an executive, someone call me away from the keyboard, but like, last time I checked, holding the power button on my computer successfully shuts it down. I don't know if that's crude and barbaric, if I'm a heathen, but like, if my...
Like, yesterday my laptop froze because I was unplugging and plugging in cameras and stuff, and my laptop just absolutely took a poop. And you know what I did? Just held the power button for a good five seconds. To me, that shuts it down. And you know what? It actually solved all my issues too. It fixed the problem I was having.
C
Huge thanks to our sponsor, Strike 48. It's no secret that AI is only as good as the data available to it. Strike 48 unifies agentic AI with unmatched log visibility while avoiding the typical hefty price tag. Build and deploy agents for phishing detection, alert triage, threat correlation and more. Query existing logs where they currently live so you can keep the technology you already have. Learn more at strike48.com.
A
All right, we are at the mid roll, everybody. Thank you very much for being here. I hope you're having a good show. We're right there about 8:30. Yeah, I know, I know. The screensaver is messed up. I don't know what's going on back there. It's its own thing. The thing is, the TV's on wireless and I have a repeater directly underneath it for my Ubiquiti mesh network. But every once in a while this TV's like, you know what? You know what we're gonna do today? Not work. You like apples, Jerry? How about these apples? I'll put the YouTube logo up here and make it look like you have access to the Internet. But I'm not going to give you any type of performance. Which is like, this is the ultimate information security trolling, because in information security we don't care about performance. No. We care about confidentiality, integrity and availability. You have access. It's just poor performance. Enjoy it, you secure nerd. All right, guys. Hey, I do want to say what's up, everybody out here, straight kicking it. Appreciate you. I don't know if Zach Hill's in chat, but he's always kind of bopping around. Thank you to the show sponsors, ThreatLocker, Antisyphon, Flare and Material. Oh my gosh. You can go to simplycyber.io/material. Check it out. Stop email attacks and protect sensitive data. Guys, email is literally the top threat attack vector. May I call your attention to, you know, this Microsoft zero-day, APT28, sending files through email. Listen, I don't care if you use Office 365 or Google Workspace. I've used both. I've administered both. Whatever it is, managing security in the cloud workspace is hard, okay? You got phishes coming in everywhere. People can access the email security gateway. You might have multiple admins. So how do you protect that space, right, in a way that is deliberate and effective?
Well, that's what Material Security provides. They've got this essentially unified protection that has both threat detection and response across email, files and accounts. And because you get a single platform, you've got less to manage. You can have clear visibility and simpler operations. This is great if you're a smaller business or an MSP providing security for multiple clients who are running Google Workspace and Office 365. Another cool thing is that you can rapidly mature your ability to detect and stop breaches, because you can step up authentication for sensitive content. You can have blast radius visualization for accounts, like attack paths, like who's got access to what, when, where, and then the cool part is being able to respond to it, right? Visibility is one thing. Doing something about it's harder. So you can go to simplycyber.io/material today, simplycyber.io/material today, and get a demo of the product. Like I said, I've actually taken this quick Google Workspace configuration survey thing that they provide. It helped me out. There were a couple things in my Google Workspace that I didn't even know about, so I hadn't configured because I didn't even know about it. All right, so thank you, Material Security. Again, guys, links in the description below. Don't be shy. It does help the channel immensely. Honestly, it helps the channel immensely. I continue to show up and bring these things. Plus I don't partner with businesses that I think suck. So, Material Security, you're on board. All right, guys, check it out. Every day of the week has some special segment, and Tuesday is Tidbits Tuesday. Now, I do want to share this with you really quickly. Listen, let me know if you vibe with me on this one. I'm not saying it's exclusively the ladies, but I would argue that there is a larger population of women over men that are into true crime TV shows, true crime podcasts, Bailey Sarian and the makeup. Like, I know a couple things.
All right. I'm not into the true crime stuff. Right. Mrs. is. I do like puzzles, though, and I like. I like intellectual stimulation and challenge. I'm very competitive. If you didn't know, if you didn't know this about me, I'm very competitive and I wanted to call your attention to a perfect intersection of intellectually stimulating, entertaining and kind of crime, in a way. Mrs. and I started watching a TV show called Ludwig and you do need BritBox, which is like a British streaming service, so I had to sign up for that. But Nadine told me about it. We checked it out, we started watching it together. If you watch Ludwig, let me know it in chat. But. But what I'll say is, like, if you like shows like Psych or Monk or any of these shows where it's like, each episode's like a self-contained crime and there's like an unorthodox detective using unorthodox procedures that are considered quirky or outside of the mainstream approach. There was a show where, like, Eric McCormack was playing, like, kind of an absent-minded germaphobe professor solving crimes, stuff like that. Ludwig is awesome. It is awesome. So give that a shot really quickly. L-U-D-W-I-G. And I'm just saying, I again, I can't, I can't assume you and your family and your situation. But like Mrs. and I, we don't have a ton of overlap on shows we like to watch, and these type of shows we do. So we started watching Ludwig, giving you guys a shout out and a call out. And by the way, Psych. Psych is a wildly underappreciated show. It's awesome. And by the way, it wouldn't be, it wouldn't be a. If we're talking TV shows. Brooklyn Nine-Nine. In my opinion, Brooklyn Nine-Nine is one of the biggest hidden gems on the Internet. Love myself some Brooklyn Nine-Nine. And if you want a super deep cut, I guess doing Tidbits Tuesday here. Garth Marenghi's Darkplace. Garth Marenghi. If you like The IT Crowd, that British show, The IT Crowd, check out Garth Marenghi's Darkplace. That is a very, very, very deep cut.
Okay. And if you know Garth Marenghi's Darkplace. Jesus. We should talk. All right, let's keep. Get back to the news. Yeah.
C
Poland's energy infrastructure lacked security measures. CERT Polska says a December cyber attack linked to Russian threat actors compromised wind and solar farms and a heat and power plant in Poland, though it didn't disrupt electricity supplies. The agency claims the affected operators had basic security failures, including default credentials, unpatched perimeter devices, and no multi-factor authentication. While ESET and Dragos attribute the activity to the GRU-linked Sandworm group, CERT Polska ties it to a separate Russian cluster known as Berserk Bear or Dragonfly. This marks the first publicly described destructive activity linked to that group.
A
All right, so this is interesting. This is just a little bit of a follow-up on the attempted Russian attack on Poland's energy infrastructure that did fail. I love it. Nine-Nine. A lot of people in here loving themselves some Brooklyn Nine-Nine. Russia tried to attack Poland's energy infrastructure. They failed. Poland is in a very strategic location around Europe and, you know, kind of your Ukrainia, Ukrainia, what the hell, Ukraine support, Russian long-term strategic goals, etc., etc. They failed, the attack failed. But like any good, you know, cyber incident, they are doing lessons learned and postmortem to figure out who got in, who did what, why, what were the motivations, this could have larger geopolitical implications, etc. And, you know, they didn't say this is an issue, but I find this, to me the most interesting thing in this story is that Dragos, which is considered like, you know, the OT incident response darling private sector organization, like it's, it's synonymous with, like, thinking Mandiant for Fortune 500 companies or SANS for, you know, expensive training. Right? Like it's, it's when you think OT IR, you think Dragos, and they are coming out and they are attributing this attack to the Russian GRU threat actor Sandworm. But CERT Polska. So the cyber, excuse me, the Computer Emergency Response Team, or CERT, that's basically like the lead incident responder, you know, government organization in general for the countries. The Polish version of CERT is attributing this to a different threat actor named Berserk Bear or Dragonfly. So to me, that's the headline. Like, I don't know, man. Like, if these threat actors are claim. I mean, when security research companies are claiming that it is this group. And then there's discrepancies. You know, to me, it's interesting. Like, how confident. What was the level of confidence that Dragos had or CERT Polska has in their attribution? Is it like low confidence, medium confidence, etc.? And what does that. What does that mean?
I mean, at the end of the day, Poland still got hit, right? But what does that mean for other organizations, other countries that are looking to make sure that they're addressing their. Their concerns around being the next victim of this threat actor? Oh, my God, I gotta take this top off. It's so hard with my thumb being messed up. All right, so anyways, there's nothing for you to do here, really, as a practitioner. Just know that if you run OT in Europe, like, obviously you should know about this, but chances are if you're. If you're responsible for OT in Europe, like you work in the Netherlands at a windmill farm, you're probably already kind of dialed into this scene. I will say that the. From the outside looking in, the OT/ICS cybersecurity practitioner scene is pretty small, right? Like Don Weber, Tom VanNorman, Bryson Bort, James McQuiggan back in the day, Joe Marshall, Nick Biasini. Right. It's not. It's not that big. They know each other. So chances are. My point is, like, they're well aware of this.
C
Shiny Hunters expands scope of attacks. Mandiant says the Shiny Hunters cybercrime group has expanded its software-as-a-service extortion campaign beyond Salesforce to platforms including Microsoft 365, SharePoint, Slack and Okta, using vishing and branded credential harvesting sites to steal SSO credentials and MFA codes. Google tracks multiple Shiny Hunters-linked clusters that exfiltrate sensitive SaaS data and use it for aggressive extortion, including ransomware demands backed by data leaks and DDoS threats. Researchers warn the activity shows a clear escalation in both targeting and tactics, despite earlier law enforcement takedowns.
A
All right, so vishing is definitely. So Shiny Hunters was involved in that Salesforce breach. They got a ton of, I guess, seeding, seeding, SED, seeding information. And in order to inform future attacks. They obviously, they got a ton of phone numbers and they're using it to call people and voice phish them. So I attended the Flare Academy's Syndicate: Inside the Life of a Ransomware Threat Actor the other day. And they talk about the different tiers. Like, you know, how, like in the mob or the Yakuza or any of these organized crimes, like when you start day one, they don't make you a capo, right? You start as, like, bottom rung, cleaning up crap, running and getting people coffee, doing, like, doing the. The grunt work, right? And then if you prove yourself or whatever, you. You get promoted and then you start, you know, whatever. It's. It's not that much different in these cyber criminal gangs, except they're targeting younger people because it'll be like, I'm a threat actor, right? And I'm on TikTok and I'm like, oh, look at my lifestyle. I'm driving a gold Bentley and I got, you know, PlayStation 6 somehow, right? Look at me, look at me. You want to be like me? Come on down, right? So then you get this, like, idealized or idolized identities, and it's like, it's like Shredder in the Teenage Mutant Ninja Turtles movie, the first one, right? It becomes very appealing, like, oh, I can have access to a saron and, and new PlayStation and the newest phone. And like, I don't have to ask anyone for it, like my parents. So younger people are getting indoctrinated into these cyber criminal gangs, which, which, by the way, when you have a host of phone numbers and you can just give out a hundred phone numbers to this guy and 100 phone numbers out to this lady, and 100 phone numbers out to this lady and say, call these 100 numbers, when someone picks up, harass the crap out of them or, you know, read this script or whatever.
So that's what I suspect is happening here and why there's just an explosive increase in vishing activity. Let's see what else we got. So they're stealing SSO creds and MFA codes, which obviously they use to get access to things. Let's see, see the expansion in number and type of targeted cloud platforms. To me, that just means that they have more bodies to throw at it. It's not, they're not. To me, they're not like changing their playbook because, you know, the heat is on. Like, to me, it's. It's not that at all. It's just there's. They have so many fricking people and they have such a corpus of seed data to work from that it's all hands on deck. All right? Of course, Gen Alpha has got to love this recent threat activity linked to UN66661. Here's the deal. UN has been around for, you know, at least a decade more. So we were there before you, Gen Z or Gen Alpha, with your. With your unk comments. Okay? So what do you do, people? Let me teach you. Let me either teach you or reiterate what you already know. Here is the deal. Number one, this applies to everybody here, okay? For real, everyone. I don't care if you're responsible for information security at your organization, and you can talk to and educate 10,000 employees, or if you're an aspiring cyber professional and you can just educate your family and loved ones, your church, like, whatever, okay? Whoever you care about, you can help. Vishing, voice phishing. You have to educate people on what it is and how it works and, like. And by the way, and your help desk. I. I would probably start with your help desk, because that is where at least Scattered Spider likes to go first. But, you know, help desk is by default there to help you, so they will do things. But I have heard. I've heard literal phone calls, Devin Grady and Rhonda Rummerfield have heard it, too, of one of these threat actors calling a support desk and saying, hey, my name is, you know, Zach Hill. Can you reset my password?
And they're like, you know, all right, sure. I just need you to prove who you are really quickly. What's the last four of your employee ID? Oh, I. I just started two days ago. I don't even know it. Like, that's, like. That's why I can't even log in. I set up my password at orientation and I forgot it, and I'm just trying to reset it. Okay, okay, well, can you tell me who your boss is? Sure, one second. And then they're, like, looking on LinkedIn or whatever, and they're like, it's Kevin. No, it's not Kevin. Well, I thought I was supposed to report to Kevin. No, it's. It's not Kevin. Okay, is it. Is it John? No, no, it's not John. It's. It's a woman. It's a woman who's your boss. So, like, the help desk guy is basically giving the person on the phone every opportunity to figure out how to answer the. The security questions. And eventually the freaking help desk guy's like, it's a woman whose first name starts with T, and they're like, is it Tina? And they're like, yes, it's Tina. Let me reset your password. I'm not kidding you. That was the literal phone call. So these guys on the phone, they don't have to be next-level psychologists doing 4D chess moves on your support desk. Your support desk in some instances will give them repeated opportunities over and over and over, including hints, until they get the answer right. You have to educate your workforce. Vishing is a legit attack vector that you have to account for and you must address the risk of it. And by the way, get your, if you can, depending if you're too large an organization, get top cover. Get executives to buy in on the fact that if an executive calls in, they don't get special treatment. You're not allowed to threaten the support desk person that you're going to fire them if they don't reset your password. That's the only way it works, people. You've got to be unified. And again, this is why executives need to eat their own dog food. Instead of being like, well, that applies to you, not me.
It's like, do you understand that you're one of the VIPs? Ooh, you're very important, but you've also got access to everything and you're going to be the downfall of us.
C
Massive Attack breaks records. And no, I'm not talking about the band. Cloudflare reports that the Aisuru botnet set a new DDoS record in December with an attack peaking at 31.4 terabits per second and 200 million requests per second, primarily targeting telecom providers. The botnet, estimated to control 1 to 4 million compromised devices, including home routers, CCTV systems and Android TV devices, is sold as a botnet for hire and can also be used for credential stuffing, scraping and phishing. The scale highlights how poorly secured consumer devices are increasingly being weaponized for Internet-wide attacks.
A
I. Yeah, I mean, this is one of the arguments that, you know, United States national security people have around Chinese-based IoT devices, right? And like, not to be like a xenophobe around China. I mean, if you look at Amazon and the Echo devices and the Flock cameras or your Ring doorbells, right? It's like surveillance state all over the place. So we're all equal opportunity big tech oligarchs over here. So denial of service attack. Add this to the list. I mean, record setting. I'm actually teaching a lecture today in about half an hour to the students at the Citadel about denial of service attacks. So there you go. I get to show them, like, literally this is in today's news. So 31 terabytes, this, or terabits. This was simply an exercise. This is the equivalent of Iron Man, or not Iron Man, Tony Stark showing. Hold on one second, my hand. Okay, if you've seen this famous scene, which I know many of you have, from the original Iron Man movie, right? This is Tony Stark doing a weapons demonstration for, you know, militaries of the world looking to buy it, right? This was like a really cool scene. Super effective sales pitch. Don't just tell them that your, your weapon can do cool stuff. Show them. That's what these people are doing. The Aisuru botnet is a botnet for hire. If you want something blown off the Internet, call these guys. They got the, they got the goods, right? We're not futzing around here. Yeah, you can tie a pork chop to a chicken wing and call it a meal, or you can just order filet and have it Uber Eats-ed to your house. That's what they're offering. Okay. Now obviously, if you're an online business, you do want to make sure that you have denial of service attack defenses. Cloudflare is kind of the darling of the industry for having the solution. The thing that I need to point out to you is that most of this botnet is comprised of IoT devices that have crap security, well-known default security accounts, like user accounts, trivial to compromise.
You just log in and you own it. Internet-facing in a lot of instances. And when I talked at the beginning about China, xenophobe, and American Echo devices, these things, you can use Shodan to very quickly find them. I again, I ask you as a project, if you've got an hour to screw around, spin up an Amazon EC2 instance, download, or put up, you know, a Linux EC2 instance, download T-Pot, like, like literally the most robust full-featured honeypot, stick it on the EC2 instance and then open up the dashboard and watch it. Five minutes, you're gonna, like, within five minutes you will be probed, prodded, you know, massaged, tickled, things lifted and looked underneath. Like the Internet's constantly looking. So finding these devices is absolutely trivial.
C
Stop ICE hacked, admins accuse sabotage. Stop ICE says it was targeted in an attack that sent fake text messages warning users their data had been sent to the authorities, which the group claims is false. The ICE-tracking service says it doesn't store users' names, addresses or GPS data and alleges the attack originated from a personal server linked to a US Customs and Border Protection agent, an accusation that, as of this recording, CBP has not yet commented on. Stop ICE says the attempted server attack was quickly contained and describes the incident as part of frequent DDoS and harassment campaigns against the service. All right, you checked it.
A
So again, we don't want to get political up in this piece. I mean, obviously this story is about ICE, so we will touch on it, but, you know, please be respectful to all parties involved. Okay, so a lot of people and, and I, I'll say myself included, there's a lot of issues with the current approach to, I guess, how ICE is handling its business and, and also how getting hired into ICE and the people involved and stuff like that. So because of all of the issues and challenges and, you know, obvious, like, massive stories happening nearly daily of ICE, and, and I'm focusing mostly on Minneapolis here. A Stop ICE service. Someone stood it up. And it's basically for individual citizens to organize and coordinate to know where ICE is setting up. And somebody from ICE. Right. It could have been. Here's the thing, it didn't have to be an ICE agent. It could have just been a citizen who's like, you know, pro-ICE or whatever, hacked this service. It wasn't really well put together, so obviously that, you know, it probably had like an easy-to-guess password or something like that, or it was vibe coded. My. If I had to bet money, I would bet that it was a crappy password. Anyway, someone hacked, quote unquote, hacks into it and then sends all the users a text message saying that their information has been turned over to authorities. I'm sure the individual thought that that would scare them and stop them using it potentially and disrupt the use of it. And in reality, somehow it got out that it was these people. I'm not, I'm not a. I'm not a fan. First of all, they shouldn't as law enforcement. I think they're considered law enforcement. As law enforcement individuals, I don't know why they're taking it upon themselves to hack people's apps. That's. That's a crime. Okay? The Computer Fraud and Abuse Act of 1986 clearly spells that out. So we'll see if that's ever brought up and any accountability is held.
But I, I just, I just gotta say, guys, I, you know, this is the right to protest peacefully. It's kind of a protected right. And, you know, this coordination, this is like, to me, here's the deal, guys. You see this in China all the time. There was a situation in China. Hold on. China airdrop safely messaging I guess revolution.
B
Right?
A
There was this story in China not too long ago. Let me see if I can get subway on here. All right, so this was a thing, okay, this was a thing last year in China, or I guess this is 2022. I feel like the story I'm talking about was last year. But basically, you know, in China, if you're seeing kind of like organizing protest or revolting against the machine, you disappear. Okay, so people were AirDropping on crowded subways. So you wouldn't know who sent. You wouldn't know who sent the AirDrop. Right? So now there's a way to kind of share the message pseudo-anonymously and get the word out. So this was kind of that way of receiving text messages with information for protesting and organizing. Right. And. And obviously ICE is wanting to stop this. Okay. So I do find it ironic that the type. Type of the app was called Stop ICE, but it was ICE trying to stop it. So anyways, I just will tell you this really quickly. Ako. So a Okos friend. Pong. Welcome to the party, pal. Yeah, so I don't know. All I know is, you know, if you're gonna vibe code or write an app or whatever, don't use, like, use good credentials, don't use default creds, don't do all those things. All right? I don't know what they're thinking. That's all. That is all. All right, let's go. All right. Holla, let me see. I do not see Eric in chat. I don't see Eric in chat yet. So we'll figure out what's going on there. Guys, I hope you had a great show. It was Tuesday, February 3, 2026, Episode 1060. Great to meet some first timers like Ako. I'm sorry, I don't know how to say your name. And some. Some long timers making a comeback, you know. Always nice. Nick Barker almost. Yeah, tell Nick Barker almost. That's right. Hold on one second. Let me do something really quickly. Stand by. All right. All right. The good thing is I can go for a minute here. All right, guys. Have a great day, everyone. I appreciate you. I certainly do. I hope you got value from the show. As always. I.
I want to tell you every Sunday I am releasing a new video on the channel, every single Sunday. And yesterday, William A. Not only did I release this Protegrity V video, which has this free AI developer edition on GitHub that you can download. Let me share this with you. Right. But I was screwing around and I started making some shorts. I don't know if anyone's seen this, but I did one of these shorts. Listen, we need, where it's like, me as the CISO and me as the CEO. This should have been done years ago. MFA. All right, so if you're interested in some silliness. I'm starting, I'm exploring these kind of like dual personality shorts. So we'll see if people like it. I don't know. I'm screwing around, trying some new stuff, seeing what sticks in 2026. Looks like Eric Taylor is in the green room. So, ladies and gentlemen, I wish you a fond farewell. I hope you have a wonderful day. Enjoy Jawjacking. I'm Jerry from Simply Cyber. Until next time, stay secure. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered and totally free. Let's level up together. It's time for some Jawjacking. Foreign.
B
Good afternoon, good evening, wherever the world you are. Thank you so much for tuning in to jawjacking. This is 30 minutes quick fire rapid question and answer scenario or situation that we're going to go through and try to get any and all of your questions answered. My name is Eric Taylor. I am the owner and chief forensic operator here at Barricade Cyber and I'm happy to join you today. We do see people throwing in a dolphin. So if you're new here, I do get a little spicy from time to time. And when I do have my setup going correctly, then I do have the ability to do the dolphin sound instead of saying a curse word. Anyway, I always like to make sure that we are doing some sort of music. So let me get that going. If you are new here, you don't know, like, how do we participate in jawjacking? Put a Q colon mark in the chat there and with your question. So when I do search and find with the control F in my browser, I can easily find your question and answer them. See you later, legrat. See a bunch of people dropping off.
A
For.
B
Getting started with their day. Let me see if there's any questions that got started. If not, we'll try to figure. No questions. So I didn't catch the show today. So I've been so Ned heads down the. So I'm not sure if it was discussed. Oh, here we go. We've been thinking our. I've been thinking you're fortified, serious. Thanks. Oh, you've been taking it. Yeah, absolutely, man. All right. Say, man, loosely, have you seen the threat name? I have not seen that, but it makes sense, right? I mean, if y'all haven't seen it, there's now a new AI chat forum and accordingly, supposedly the API keys are available. So you just point your LLM to it and it can just use personas. And I made the joke in a couple of the, my Signal forums that I'm in, that it's going to be interesting that the security researcher in a couple days or weeks or whatever realizes it's just like one person's, you know, three or four, you know, LLMs just all fighting each other, and it may actually come to be true. Maybe like a handful of people. But yeah, with the open. With the plain text API keys that anybody could just interact with, the platform is turning to be true. I'm like, this is stupid. All right? I mean, when it comes to. Comes to this specific one, always remember people are going to jump at a crime of opportunity. Right? You know, we see it in paradiser space. You have a zero-day. That is a crime of opportunity. You know, a lot of people, when we get engaged on a case, they're like, why did this happen to me? Why is this. They're targeting me. No, you're just a crime of opportunity. You had a vulnerability and they were able to exploit it. It's no more sophisticated than that. Unless you have state-sanctioned or state threat actors and APT, you know, coming after you, then it's all pretty much just a crime of opportunity. Why does ChatGPT or whatever, why did that do that? Yeah, I can, but it's really, it's just really curious, right? What are your thoughts on the Notepad++ thing?
Good segue from APT. Actually, we. Let me. I'll share something with you guys real quick. Let me minimize some screens. Let me do this, let me do this. Let me, let me. Pivot, pivot, pivot, pivot, pivot, pivot, pivot. Share a screen. There's an X post now. Again, I'm going to share this. You're just going to see a blank, you know, generic. What the heck? That's not what I wanted. Stop sharing that window tab share. And I killed myself off. Okay, do that, do that switch. All right, let me find the link. This will make sense in just a moment. Ladies and gentlemen, I have, again, I haven't had a chance to research how legitimate this is, but on X this morning, I seen a fella. What's his name? What's his name? Gordy. Karishan. Sorry, I really struggle with names. Sorry, but we can I. So this gentleman goes through and just lists out a bunch of IOCs in here. But this thing is really interesting here with that image. You know, the ser, pretty much the server was. The update server was hacked. So from what we know today, mark tape February 3rd at 9:12am Eastern Standard Time, what we know as of today and what it appears to be, the update server was potentially compromised doing a supply chain attack and it was prompting some users with Notepad++ to do an update to a malicious update server or malicious C2 server or update server that the threat actors had. The APT group had, to my knowledge at least of this one, and I could be running behind by a little bit. There's not been an APT that's been accredited for this. It was just a security researcher that was looking at the binaries of the updates, like, hold on, something's weird here. So if there is an accredited APT, I just haven't seen it. So forgive me, but at least to my knowledge at this moment no APT has been mentioned. But again, it was just prompting users to go to a malicious update and then you updated with malicious code that can I. I may have to blow this up. There we go. Well, that didn't do very good.
If I just remove myself, is my audio still okay? That's cool. So there is an execution. I do love how they put the MITRE ATT&CK in this thing. Whereas drop in user app data pro show pro show exe it. Was this the same one that was talking about? It might be a different story I was reading this morning. It is. Okay, so yeah, there's the URL that's in there. So it's very, very interesting to see, you know, we are seeing more and more of these type of attacks in supply chain, so. So honestly, just go through, do your threat hunting, you know. Oh, let me actually post that link in there. My apologies. So research it. Take, again, take it with a grain of salt. I haven't done any due diligence on it. I just seen it about 10 minutes before coming on stream and I thought it was very interesting to see some extra TTPs. Anytime we're doing security research, always consider, you know, take things with a grain of salt with doing anything, especially when, you know, again we don't get political or anything like that. But just take any national news story you see. Always see how information comes out fast and loose and you got to take a grain of salt until some of the stuff flushes out. Take that anytime you're doing security research, consider it, threat hunt on it. If you see a positive, notify people, say, hey, based off of this information that we have, we see a correlation with activity on this device. I'm not saying light our hair on fire, but we may want to shut that device down until we learn more information about it, or keep an eye on it until we learn more. Whatever your protocol is. Right. So hopefully that answers your question. But yeah, definitely keep an eye on things. You know, we're going to learn more as the week goes on. We'll learn more IOCs as more people potentially get a hold of the malicious version and kind of go from there. So, good day. Did you have any advice or any resource on how to design a proper and good tabletop exercise?
Yeah, we're actually, I'm actually getting with a couple folks on that, and not a plug for Barricade by any means, but we're trying to figure out exactly the best way to do some of these things because that is a hotbed topic, and we'll probably, depending on who's involved, you know, if it's just the Barricade team and maybe like one or two other folks, you know, we're probably going to tap Jerry, like, hey, let's, let's bring you and the team in and stuff like that, just to help get a visibility. But if there's some other people that are talking about it and they may, because of their company, they may want to keep it closed off to their specific ecosystem. I don't know. You know, when you start dealing with the larger organizations, they get a little funny with things. So I'm trying to see how. I don't think it'll come down to that. But again, when you're dealing with other folks, the power dynamic of some people, some organizations, definitely it gets interesting sometimes. But yeah, we are. I would say, however, though, the number one thing you should do. So I'm. If you can't tell, there, there's a lot of gray in that beard, ladies and gentlemen, a lot of gray. And my hair is crazy because I'm always like, oh, what is this? But anyway, the back, back in the olden days, I'm not sure, I assume because this is standard practice for so long that I assume even modern day restaurants have this. But if you ever worked fast food or pizza delivery or whatever, back there, that manager's office, there's like a sheet up on the wall: if electrical, approved vendor, you know, plumbing, approved vendors, like there's a whole sheet, it's a big one-pager. If this, call this. These are approved vendors for certain situations. Go through a scenario like, hey, if we, you know, there's all up and down the east coast there's been a bunch of snow, bunch of problems. Good scenario. Hey, if our electricity cut out today, like, mark tape at 9:18am, snow's already pretty much passed.
But as the, you know, if you've been in a high impact area a lot of stuff, snow drops, you know, maybe some underground cabling is weak or whatever. So as a bunch of moisture is getting in there, maybe some of the generate the what they call dog boxes, the big boxes. Those might sink and cause some problems. You may even still have power outages. Now it's like okay, we have a generator but what if that generator breaks? It doesn't kick on. Who do we call? Okay, we have fuel for 48 hours and at what time do we say okay we have a third or fourth of fuel left. And this our projection looks like we're not going to get out of this in certain time. Who's our approved diesel distributor or if it's a propane dinner, who, right. Who's our approved propane? You. You kind of hopefully start getting the point. Start building out that list of approved people and for these services that are impacting your business. You know even to you know I've had a real recently especially on the east coast and in North Carolina, South Carolina and Georgia like they are standing up literally configuration changes for their firewall to implement Starlink in a failover and we've actually been brought in. It's like to again these are, you know diff. These are long term people, not just ad hoc but you know where we are like okay, we're seeing the storm coming up just like last week or the last two weeks over the weekends seeing that. So Thursday we're on a call we're doing the cutovers from their primaries to Starlink because Starlink has a weird issue with and I don't know if it's a model number or whatever but they have a weird issue with the flooding DHCP even in bridge mode in some networks. I don't know but we're going through those exercises and stuff like that. So yeah going through this and practicing it. Right. So cut. Create those cut sheets. That's the biggest, biggest thing I can always recommend you. 
You need to have that cut sheet during an incident is not the time to be considered trying to do that. I still appreciate the support barricade Cyber Solution gave to that GoFundMe campaign. A couple months ago. I can't remember who it was for. Oh, yeah, hold on, hold on, hold on, hold on. I'll tell you, but you are welcome. Absolutely. I think it was like Becky's fund. Yeah. Oh, close. I had to search it up in the email. So it was for simply Cyber at the Wild Wild Hacking Fest when we were in den. Colorado or South Dakota. Sorry. And it was for Becky Lee Women's Support Fund. And those folks are, you know, they're taking in women and children or women and women with children that are looking for support. You know, they're trying to get out of a bad situation. They need a safe haven to get out of abusive relationships or whatever the case may be. And they need that safe haven. Right. So those type of organizations. Yeah, absolutely. You stop Restream. Thank you. Sorry. I was trying to. So my workflow for those who don't know is like a lot of times when I help co host, I put I rest. We star it so that way you know what's coming up next. My workflow is a little backwards. So I start when I have already answered it. So when I'm going back through stuff. So. And for some reason, every once in a while, Restream likes to be like, oh, well, you want to reply to this guy, you want to ban him, you want to block him? I'm like, please stop. Let's see. I already answered that. Answer that again. We are. We're here for a few more minutes, so if you have a question, please, please, please ask it. I think. Think I've got all the questions. Everybody's. Is everybody cold inside of a. In a coma state with all the snow? Just out of curiosity, See what everybody's talking about. I feel a little off kilter. There's not many questions. I see you pretending to be Yoda part to everybody. Am I?
A
Yeah.
B
Becky's Fund. And really I did that. So again, I'm not. I'm not here to toot my own horn by any means. And I'll talk about this because there's literally no. No questions going on. So I'll take delivery of talking about this a little bit. The. The one thing I try to do and quite honest, I mean, yes, we wanted to donate to it, but I. I was really, really hoping that if I did that going, granted it helps them, but it would hopefully spark other businesses that were watching to do the same and really drive momentum. Like if I could be a small tooth in that big cog of like say 10 people, 10 organizations also donated 5k or 10k or 15k or whatever it was. You know, think of that full rotation that could have happened. I don't know if they did or not, but that's what I hope for, especially when I do things like that. Like, I'm doing it. Yes, I want to, but I wanted to drive other people to do the same thing. And all of us as a collective make an impact. We stopped cold and less conceited. You thought it out there, Jake Canfield. Oh, I missed those days. Oh, okay, here we go. It's renewal time for our security CA, our open source, a legit alternative to save money. Yeah, so the Let's Encrypt. Yeah, but that really is a business choice. I mean, there's, there's, technically there's arguments for both sides, really. Like, no, we only want to use trusted CAs because we have a brand to recognize. But, you know, Let's Encrypt is a very legitimate application, too secure. And as long as you make sure you put your cron job in or whatever, you know, tool you're going to use to make sure Let's Encrypt is automatically renewing a certificate, you're fine. I mean, it's like back in the day, you know, if you were hit with ransomware, everybody did the point and shame, laughed at you. And back in the day, Let's Encrypt like, oh, you're not a real business because you're not a fly supporting, you know, a real CA.
And I may be just, again, I may be extremely disconnected in some of the stuff, but I think nowadays nobody really looks at your CA or what, what are you signing your site with, what are you signing your application with? Or whatever. I could be wrong. Please. If I'm wrong, please correct me in the chat, but at least in my bubble, I don't know if anybody really cares anymore. All right, last question. And if you, if I didn't, if I miss your question and, or you still have a different question. We're allowed to say this now, but go to askbarricade.com. We're coming up with another series because this is only going to be 30 minutes moving forward, so very limited time. So if I didn't ask your question, or you have a very specific question that I did, that you were too scared. Ask it. Go to askbarricade.com and I will answer it. We're doing a video series and blah, blah, blah. Anyway, what, what, what data would be important for executives to review from their MDR service each quarter? You know, I the number of threat stops seems bland. And business executives don't care. You know what I would say? Spit it on its head a little bit. Over the last quarter we learned about these threats and these TTPs and these things that we were able to incorporate it into our MDR. And because of us learning and using this MDR tool, we were able to get a front of and stop these potential and making us become a victim. That's the way I would position it. All right, I do see some questions. Sorry again. We are at 30 minutes coming up, unfortunately. So I do appreciate everybody sticking around. I will be back next Tuesday. Sorry I was tardy, but we will get things going again next week. Again, thank you all so much. I do greatly appreciate each and every one of y'all trying to make sure I find the proper video intro. Okay, that's wrong. That's it. Okay, again, thank y'all so much. I do greatly appreciate it. See y'all next Thursday again.
If you have any other additional questions, askbk.com and we'll see you over there. All right, see y'all next week. Bye y'all.
A
Hey everybody. I hope you enjoyed that content. Keep the cyber security train going by connecting with the other Simply Cyber community resources. We have the Discord server that's lively and always keeps the conversation going. You can connect with me directly on LinkedIn and also every single weekday morning on the Simply Cyber channel. We're doing live daily cyber threat briefings, 8am Eastern Time, as well as Thursday at 4:30pm we're doing live stream interviews with industry experts, and we produce videos that we push out every Wednesday morning. I'm Jerry from Simply Cyber. I hope you enjoyed the content and we'll see you in the next one.
This episode of the Daily Cyber Threat Brief delivers the top cybersecurity news stories for Feb 3, 2026, unpacking vital threats and industry trends for professionals, analysts, and leaders. Dr. Gerald Auger brings both expertise and humorous commentary, breaking down why these stories matter and how they can impact organizations and careers. The episode covers everything from AI-fueled malware, targeted supply chain threats, geopolitical cyber operations, vulnerability exploits, SaaS extortion, to record-setting DDoS attacks, always with practical advice for defenders.
Story 4 note: shutdown /s /t 0 or power button for shutdown.
| Segment | Topic | Start Time |
|---------|-------|------------|
| Opening, Community Greetings | CPEs, show structure, engagement tips | 00:01 |
| Story 1 | OpenClaw AI abuse for crypto malware | 11:00 |
| Story 2 | Notepad++ supply chain attack | 17:48 |
| Story 3 | MS Office zero-day exploitation by APT28 | 24:06 |
| Story 4 | Windows shutdown bug | 29:49 |
| Midroll | Sponsors, Tidbits Tuesday, TV recs | 33:57 |
| Story 5 | Poland's energy cyberattack attribution | 41:18 |
| Story 6 | ShinyHunters SaaS extortion/vishing | 45:41 |
| Story 7 | Isuru botnet DDoS record | 53:33 |
| Story 8 | "Stop ICE" hack & activist security | 57:35 |
| Jawjacking Q&A | Notepad++ deep dive, tabletops, CAs, MDR metrics | 66:00 |
Dr. Gerald Auger closes with appreciation for the community and encouragement to keep learning and leveling up together. More episodes, Q&A, and resources available at simplycyber.io and on Discord.