Sarah Lane (13:22)

roll from the CISO series. It's cybersecurity headlines. These are the cybersecurity headlines.

Dr. Gerald Ozier (13:31)

All right, let's see how quick we can do it.

Sarah Lane (13:33)

2026. I'm Sarah Lane. Install Fix Attacks spread fake Claude Code sites. Researchers at Push Security uncovered a malvertising campaign dubbed Install Fix that spreads fake Claude code Installation pages through Google sponsored search results. Victims who copy and paste the malicious install command. Deploy Amatera stealer malware, which can steal developer credentials and provide access to enterprise development environments. The attack exploits the practice of copying terminal commands from websites, a standard installation method for many developer and AI coding tools.

Dr. Gerald Ozier (14:14)

Unc for all right, so there's two things here, and one, I. I mean, it's a blog post, of course, right? By a company that sells a. Essentially like cat, not casb, but it's like a CASB solution. Push I. I will say, like, I, I have. I have played with Push security and I liked it. So for what it's worth. But what are we talking about? There is an attack technique called Install Fix, which is a social engineering attack where threat actors clone the installation page of legitimate CI CLI tools and then present victims with malicious commands. Okay, so here's the deal. And this is actually a really interesting developing threat. Wait, hold on one second. What did I just click? What is that? Oh, apparently I have that feature now. If you're watching on live, I just put a lower third up. All right, here's the deal. Pop open a Shell, run some PowerShell command, or pop open a terminal, run PowerShell, pop open a command line and curl to this website. Run, git, install, clone, or whatever, right? So these kind of commands were usually reserved for IT people, right? If I told Carl in accounting, hey, Carl, how you doing? Like, great. Great job this weekend at the company barbecue. You're great at horseshoes, my man. Or you're great at curling if we're up in Minnesota, don't, you know. So by the way, why don't you install this new, you know, freaking keyboard emoji thing. All you got to do is pop open a shell and run, you know, Iex some powershell command or something like that, right? Like that. That would never happen. That would never Happen. However, in 2026 and with YouTube at the same time, you're getting things like this. This is Open Claw, which is, you know, in our echo chamber, blowing up, right? But look at right here on the front page of Open Claw, just below the fold. Drink is works everywhere, installs every thing. You're welcome. Click the copy button, blink copy. Run this one liner, you know, you know what I'm saying? If you want to get crazy NPM hackable Mac os, you have to install brew, of course. But my point is this is now becoming much more mainstream. Much more mainstream, because again, they're. They're making these pages or these tools essentially accessible to people who don't know what they're doing. Okay? So now Carlin Accounting is watching, you know, videos over the weekend on YouTube about X, Y and Z. Carl hates his job, right? No, no, no offense, Carl, but, like, Carl's watching a video about, oh, make $352 a day with this side hustle. Oh, check out this ghostwriter gig. You can get super easy. Have Open Claw do it. It's so easy. Go to Open Claw and run this one line. Look at me on YouTube doing it, right? So you're getting a massive reach for people who don't know what they're doing popping shells and running these things, okay? That sets the tone for the attack surface. Okay? Now what's happening is threat actors, obviously reading the tea leaves are like, oh, wow, there's a bunch of people who will literally pop a shell and run whatever we ask them to. Then let's create a fake OpenClaw AI web page. We'll just scrape this page. We'll call it Open Clause, right? Or we'll call it Open White Claw, right? It's the AI agent that likes to get tipsy on the weekend. Everybody in the club get tipsy, right? So now you. It looks just like this. It looks just like the website in the YouTube video that, you know, Carl watched. And the command is here. Now look at you. And I can read this IWR useb, right? So this is running, like, basically curl out to this website, pull down this powershell, and then it pipes it into iex, which is executed on the command line. Just execute it, right? So essentially, you're writing this file to your disk and then executing it. You and I can read this. Carl cannot read this. This just looks like gobbledygook magic. But it works on the YouTube video. All right, so again, I know I'm hammering this point, but my point is this is a real threat. They're now seeing quad code campaigns being stood up by threat actors. Look, here's an actual video demonstrating this here live on stream. Hold on one second. Install Claude code. And this is Claude, don't go to this website. But it's like claude-developers-com.com, right? Looks just like Anthropic's Claude page. And in reality, it's malicious. You're going to install malware on yourself. They're also pairing it with Google Ads. Again, you can't really see it very well, but essentially, when you type in Claude code, you're getting malicious results. Not all of them are malicious, but, you know, you're. You can get malicious results if the threat actors pay enough. Right? Here we go. Developers.squarespace.com Install Claude Code. CLAUDE code install. Here's another one. Right? First result. So what's the payload look like? I mean it doesn't even matter, honestly. Like we can look at the, the payloads, but it doesn't matter. And remember, it doesn't matter because the payload, it doesn't matter. If it's an info stealer, a ransomware, a pop up scareware, spyware, creepware, ransomware, malware, it doesn't matter. It literally doesn't matter. You're running a payload on the box. The point is don't get in front of that, right? Because they can swap the payloads out. So like, sure, we can look at what it's doing, but in the, to me it doesn't matter because tomorrow, next week, next month, they can change the payloads. The attack vector won't change, right? So tldr, educate your end users if you can. If you can get access to some of these like real time threat intelligence DNS blocker feeds, like I think FireEye has one called Wildfire, or Palo Alto has one called Wildfire. I can't remember who runs Wildfire, but, but basically there are capabilities out there where you can ingest known malicious websites and update your firewall or your DNS resolution in real time to sinkhole those things. So then when a victim in your organization, Google's claude code, because they're about to set up their side hustle and they click on the malicious landing page, it won't resolve. All right, hopefully that helps everybody. I hope that helps everybody. I feel like this is a real problem. It, it really is. It's, it's a perfect nexus of tons of people who don't know what they're doing just following friggin tutorials on YouTube, blindly executing code. It can even be worse than that though man, for real, because like you can give up API keys, you can give up session tokens, you can install malware, you can, you can compromise your entire infrastructure, right? If you have someone on your internal network that gets their endpoint compromised. Threat actors now are inside the house, right?

Sarah Lane (22:22)

899Breaches crypto firm via trojanized file UNC4899A North Korean threat actor is suspected of stealing millions from an unnamed cryptocurrency firm in 2025 by compromising a developer's personal device. The attacker reportedly delivered a trojanized file via airdrop, which the developer then moved to their corporate workstation. The Malicious Python code executed a binary masquerading as a Kubernetes CLI tool, providing access to the cloud environment. UNC 4899 used living off the cloud techniques to escalate privileges, move laterally, extract database credentials, modify user accounts, and ultimately withdraw millions.

Dr. Gerald Ozier (23:10)

All right, well, I can't. I don't know what story this is because North Korea does crypto attacks all the time and they're using developer attacks. So I just typed in a keyword to see if I could find something that came up to capture my inner monologue on dealing with this. Let me just check and see if they've updated the blog yet, because I'm now I'm beginning to get unruly. Oh, there we go. Thanks, guys. All right, here we go. All right, Developer Airdrop Trojan trojanized file to work device. Okay, so they got the developer to put a malicious file on his, I would assume, Apple device, and it resulted in stealing millions of dollars. Okay, that sounds like quite the Rube Goldberg machine to get some. To get some money here. Let's see how this works. All right, so threat actors use social engineering to get the developer to download an archive file as part of an open source project, and then they switch, they transferred it to the company over airdrop. Okay, so first of all, really quickly, I want everyone to know, just because the developer transferred the file to a company device, that doesn't mean the company device was infected. Dude, I could have downloaded and I could download every piece of malware ever written and, and put it on my NAS under my desk right here. And I'm not infected. It's just static files. You have to execute it, you have to put it. You have to have. You have to put it in memory and let it run, baby. Give it, give it some processor cycles. Right? Like, just because you airdrop, it doesn't mean anything. Of course. You know the next step here, Use the AI assisted ide. They then interacted with it, the contents, and then executed the malicious payload. You see this keyword right here? Executing. That's when bad happens. Right. Again, not to be like, exactly one to one, but like if I walk into an armory and every gun's fully loaded, guess what? No one's getting shot. That doesn't happen. It's only when you start interacting with the weapons that things can happen. Right. All right, so as soon as this guy launches a Kubernetes CLI tool, it reaches out to C2 domain and. Oh, here we go. Hold on, hold on, hold on, hold on. All right, here we go. So they targeted a dev. They piggybacked on cloud victim host access and creds to the environment. Okay, so two things. One, basically this, this was a very targeted attack. Like this basically could have been like an opening music montage attack sequence from like a Mission Impossible movie. Really quickly. Oh, we got some first timers up in here. Mangwa Fresh. Welcome to the party. Thanks. Steve Young. Welcome to the party. All right, so here's the deal. This is absolutely a hyper targeted attack which you know, North Korea is very good at and also like not guaranteed to have worked. So threat actor finds a developer for a crypto firm and, and somehow convinces them to install some type of Kubernetes CLI tool. Now right away that developer had to have had some, some kubernetes needs, right? Like, like no one, no one's like oh, like I know we're not using kubernetes here at work, but I'm just going to download this tool and see if I can run micro services in our environment. No, no, no, no. Like they definitely were doing that. Now the, the thing is getting the developer to transfer it to a work machine. They needed the developer to do that. I will say chances are like this was, I don't want to say guaranteed but, but I would argue, and stay with me on this one, I would argue that the step where they transferred it to the work machine wasn't necessary. The developer just needed to access like the del. If the developer had run the malware on their own machine, threat actor would have owned their own machine. And, and then if developer remoted into the, into the corporate infrastructure with their own machine, it would have been the same result. Obviously this company, great job GRC people at this company, they only allow certain machines, approved machines allow only machines or you know, security posture checking machines, company assets basically to access the cloud infrastructure. So the developer wanting to use this tool moved it over to their machine. That right there by the way violates I guarantee you a policy at this company. If this company is doing posture checking on machines accessing their cloud infrastructure, I would imagine that they are also approving software to be used on machines. Furthermore, I don't know if Threat Locker would have stopped this or not, but this is an exact example of like, like what Threat Locker would do, right? Like that's an example where like a piece of random code is going to run on a corporate asset that's weird and unseen before it would, it would be stopped. Right? You know, that's the, that's the, the shtick with threat locker. All right, so once they get in, they get into the environment. And now, I mean, obviously I'm not a Kubernetes expert in any capacity, right? I know enough to be dangerous. I'm not an expert. But what Kubernetes allows you to do is stand up like microservices, scale up, scale down, kind of the, you know, the promise of cloud. But Kubernetes allows you to kind of manage these like little instances of microservices to do things like whatever. The thing is, whether it's write to a database or provide a front end application or do some processing on data, whatever. The thing is those microservices work and that's what Kubernetes kind of orchestrates. When your Kubernetes gets compromised, it's like basically the guy or the lady at the, you know, the panel at nuclear facilities where they have like a thousand buttons, right? It's like the, the bad guy gets to sit in that chair. Okay, Kubernetes is almost like. Again, someone correct me in chat if I'm wrong, but like Kubernetes kind of feels anogulous or analogous. Analogous analysis. What the hell is that word? What is that word? Hold on. Anagolis. Can I get a Analogous? Analogous. Yes, I see, I knew that word. I just. Okay, listen, there's a very similar. There's an analogous element. Where's the story to. Kubernetes is analogous to hypervisors, okay? It's like, it's like that, like a hypervisor can see all the VMs, Kubernetes can see all the, you know, microservices underneath it. Okay? Once you get access to that, they get the critical creds and now, you know, it's game over, right? Once they get the critical creds, they just start moving money out of the platform. Okay, final thing, I want to say this. And for those whose brain I hurt by saying analogous. Nagalus 20 times, I'm sorry. Hey, listen, This term living off the cloud, I haven't heard that before. Living off the land is the strategy of using native binaries like so, like the Windows native binaries, like every Windows operating system comes with this, you know, you know NTDLL and you know CMD exe, right? Like all these binaries. I've never heard of living off the cloud. I'm sure it's very similar. In fact, it annoys me that they would even come up with a new term. It's still living off the land. The land is just the cloud. But we don't call it living off the end point. So what are we doing here? All right. Anyways, be aware of this. This is good stuff.

Sarah Lane (31:56)

UK launches cyber fraud crackdown unit. The UK government is launching the online crime center in April to disrupt cyber fraud operations as part of a broader anti fraud strategy. The unit will coordinate law enforcement, intelligence agencies, banks, telecom providers, and tech companies to shut down scam infrastructure such as fraudulent accounts, websites and phone numbers. Cyber enabled fraud cost the UK around 14 billion pounds annually, and officials say the effort will also use AI tools to detect suspicious transactions and deploy scam baiting chatbots to gather intelligence on criminals.

Dr. Gerald Ozier (32:40)

US Living people are really enjoying this. Living off the LLM, probably real. Phil Stafford Jost X Living off the parents. That's so funny. Living off Chips Ahoy cookies. Oh my God. Hey, and to those who are having, you know, like, you're almost like, need to reboot after me saying anus analyst too many times. I. I feel you. Okay, you know what? I'll tell you about me saying it. You are so dumb. You are really dumb. For real. I will own that. Okay, guys, I gotta tell you, it's. It's. It's a day that ends in y and the UK is coming off the top rope. It's the British bulldog of news stories. Dude, the UK is out of control in like a very good way. They're like launching, like, I mean, obviously massive surveillance, but they're, they're doing like digital identities. They stood up like NSA equivalent out there. They are dropping elbows on, you know, threat actors. And now coming off the top rope or coming from the locker room running like the ultimate warrior, the UK comes hard into the paint with their new crackdown unit, tackling cyber fraud at the source. All right, so I love this man. Set to begin work in April. Can I get tickets to this event? Like in the most nerdy way possible. I want front row seats to this online crime center disrupting cybercriminal ops including overseas scam compounds. Like, dude, the UK would be awesome if they stood up a YouTube channel like a scam baiter you UK channel. And like, it would go gangbusters. Right? They could probably fund their own operation. They're going to identify the accounts, websites, and phone numbers cybercriminal gangs are using. All right, so this is a massive multi billion dollar fraud industry and the UK is taking it on. Now what does this mean for you and I? Nothing directly, but if a UK crack. Crackdown unit. Not crack unit. Oh, my God. Tyrone's billings These like, yeah, I'm moving to the uk. Listen, if this unit does their job well, you and I succeed because a, you know, Vietnam call center or an Indian based call center, Cambodian scam romance scam center, if they take it out, those scam call centers are not calling my good friend from college's parents who got taken for 15 grand last year. They're not calling my aunt or Thea and getting frustrated that she doesn't own a computer. They're not calling anyone or taking any phone calls about how your printer's broken. They're going to help you fix it, but first you got to install this 800 antivirus solution. You know what I'm saying? So like, dude, shout out to the uk, like, if I could donate to this, I would. And like I said, if I could watch their YouTube videos, I would. Now again, I don't know exactly how they're going to do this because the UK doesn't have jurisdiction in Cambodia last time I checked. So if, you know, these centers are working out of countries that don't have extradition, if they're, if, if the UK is unable to get, you know, local law enforcement buy in or, or cooperation, it could be problematic. Right? So this isn't as simple as, like, you're doing bad. So like the UK can just be the Batman world police and go do whatever they want. It is easy to find these things for sure. Especially if people can submit, like, oh, hey, like my grandfather or my sister just fell for a scam. Here's the phone number they called, here's the website they went to, et cetera, et cetera. Not to mention, like I said, there's a million, not a million, but there are a significant number of YouTubers like scammer payback and a couple other popular ones that probably have a laundry list that they could collaborate with the UK on.

Sarah Lane (36:51)

Unveils new cyber strategy. The US Administration released a national cybersecurity strategy outlining six policy pillars focused on strengthening US Digital defenses and countering foreign cyber threats. The plan emphasizes proactive measures including offensive cyber operations, closer public private partnerships, and investments in emerging technologies like AI and quantum computing. Other priorities include securing federal networks, protecting critical infrastructure and supply chains, streamlining regulations, and expanding the cybersecurity workforce.

Dr. Gerald Ozier (37:32)

All right, so there, hold on, let me back that up because I was, I was being petty in mod chat,

Sarah Lane (37:38)

like AI and quantum computing. Other priorities include securing federal networks, protecting critical infrastructure and supply chains, streamlining regulations, and expanding the cybersecurity workforce.

Dr. Gerald Ozier (37:53)

Okay, so I've been around for a very long time. As you know, I do moisturize, which. Which belies my catcher's mitt of a face. But let me tell you, as someone who's been around for a minute, and I know that there's a ton of people in chat who have been around, too, and will agree with me, but listen, if you didn't know this, let me be the first to tell you, okay? New, like, new cyber strategy. And by the way, we're apolitical here, all right? I'm not going to weigh in on Trump, you know, and move the pol. Listen, although I do have my own beliefs, which I think I'm not very. I'm. People are well aware of what I'm into and what I'm not into. But that aside, Trump's administration unveils new cyber strategy for America. Okay, check it out. The last few things they said, you know, skilling up the workforce, protecting critical infrastructure, securing federal networks. My guy, I'm not even going to bother and bore you guys with this, but, like, you can go back. President Obama. Obama, he. He's the one who defined critical infrastructure and put it on the map so we can protect those things. Go look at executive order 16363. All right, hold on, let me confirm that. There's a lot of sixes and threes on it. Let me see. Executive Order 16363. Yes. I'm not an idiot. Okay? February 12, 2013, Improving Critical Cyber security infrastructure. All right? So. And I can do that for all of these securing federal networks. President Biden, for better or worse, came out with a memo, like, in 2022, I think, or. Or no, no, no. When the heck was it? Yeah. 22. I think of, like, all federal networks have to be zero trust architecture and have multifactor in like, 90 days or something stupid. Right? It was like, ridiculous. Ask, but. But my point is, when you're coming at me with

Sarah Lane (40:01)

where's.

Dr. Gerald Ozier (40:01)

Where's the story, bruh? Oh, my God, this. So many tabs. Listen, when you're coming at me with new cyber strategy for America, don't get lost in the noise. A lot of this is not new. A lot of this is just rehash and continuing to do the same thing, because we're not good at doing the same thing, right? So we got to get the foundations. Now, the one thing that they did mention that's kind of baked in there and I, I would like to make you aware of is, number one, they talked about proactive security, right? So basically empowering private sector businesses to get after it that could lead to problems, you know, nationally. Speaking for you at work today, this isn't going to do anything for you. You're not gonna, you're not like holy crap, yesterday I was doing something. But hey, the new cyber strategy is out from Trump administration so I'm gonna pivot. You're not doing that. Anything different at work today. The second thing besides the proactive private sector bit is the deregulation around AI, which is a common Republican policy, deregulating and freeing up markets and stuff like that. So I'm not, I'm not going to hold like, oh, that's a Trump thing. So. So anyways, just for me, for my money I would be, I'm interested to see where this private sector, you know, basically arming private citizens. Okay, you know what, this is basically like. And then I'll just go to the mid roll. This is like giving everybody in town like a deputy badge. That, that's what it is. It's the Wild west. And instead of like you know, Doc Holliday and you know, Wyatt Earp walking around protecting all of us, if you want, you get a deputy badge and now you're, you know, part of it. So we'll, we'll see how this goes again, these strategies like, I don't know, we'll see how it goes.

Sarah Lane (42:03)

Huge thanks to our sponsor, drop zone AI. So it's 3am New threat intelligence drops an attack pattern targeting your industry. Your threat hunting team is four people, all Andesha and already behind on last week's hunts. By the time somebody gets to it, the window for early detection has closed. The attacker is already inside. Tomorrow we'll tell you what Drop Zone AI is bringing to RSAC to solve exactly this problem. If you don't want to wait, head to dropzone AI RSA2026AI Dash Diner.

Dr. Gerald Ozier (42:52)

Hey, what's up everybody? Thank you so much for being here. I gotta tell you, only having three sponsors in the month kind of frees up that mid roll I've been. If you've been watching on replay, I go after and cut the simple minds out. Guys, I want to say thank you to the stream sponsors. I genuinely mean this. This is not. I don't know if. Yeah, I don't, I don't know. I don't know if a lot of people just sign up and do whatever with whoever but like for me it matters, right? So threat locker, Zero trust world. You know, I talked to a lot of people who use their solution. They like it. I'm I'm happy. Like, I really enjoyed it. Anti siphon training, Black Hills. I've been friends with those guys for years. I won the. If you didn't know this, in 2023, I believe I won the first ever RITA Award. Okay. This is an award they give to one person a year for community service. Basically making an impact. I. I won that award. Right. Like, I love what they're doing. I just happen to have that accessible because I'm cleaning back here. And then flair again. I think Flare's solution is phenomenal. And I. I really like the people at flare. So anyways, very, very blessed to have sponsors that are awesome and support what we're doing over here. All right? Every single day of the week has a special segment. And Tuesdays is Tidbits Tuesday. I feel like I may have given everybody this Tidbits Tuesday already, but let me holler at you for a second. I'm big on audiobooks now, so, like, I guess the question is. Oh, don't even get me started. Roswell uk, that, that graphic file is not on that computer. I've deleted the file. Like, I need to, like, wipe this machine to get rid of this. Like, okay. Anyways, I don't know if you guys read or listen to audiobooks. I am. I am on book seven now of the Wheel of Time series. I know the Amazon show existed. I didn't like the Amazon show. In fact, it kind of ruined it for me because now when I hear the characters, I think of the actors, which I did not like also. But yeah, Wheel of Time, if you're looking for, like an epic high fantasy. Oh, my God, bro, what is up with you? I'm not going to click a button to continue. Anyways, Wheel of Time, wonderful books, wonderful series. If you haven't checked it out. Hey, Dream Logic. Definitely worth checking out. This is my second time through it. Incredible magic system, incredible cultures and world building. If you're into that. If you're into non fiction only, it's not going to be for you. But I will tell you, I've been listening to the audiobooks and it's just been very nice. So anyways, that's a little fun one. I. I didn't really have anything else. Final thing I will say is the weather's getting better here in the low country. I got to grill out yesterday and not wear a. A winter jacket while grilling. Gotta love that. All right, do me a favor, everyone. Marcus, Kyler, Alpha Sierra are our drum majors. If you can get ready to lead us off Everybody else, just feel it. Let it wash over you in an awesome wave. I didn't mention Magic the Gathering. Nobody mentioned that. All right, let's get our La la la.

Sarah Lane (46:41)

La.

Dr. Gerald Ozier (46:59)

All right. All right, cool. And hey Josiah, I hear you on Burning out on book six or seven. There is a little bit of a lull there, but I'm telling you, if you can power through it, the, the, the last couple books, especially the second to last book is like insane. All right, let's finish strong, everybody.

Sarah Lane (47:20)

FBI warns of Fishers impersonating US Officials the FBI is warning about phishing attacks where criminals impersonate city and county planning officials to target people and businesses applying for land use permits. Victims receive emails referencing real permit details and then are instructed to pay fake fees via wire transfer, peer to peer payments or cryptocurrency. The FBI advises verifying official domains and contacting local governments directly before making any payments and reporting incidents to the Internet Crime Complaint Center. Dark Trace.

Dr. Gerald Ozier (48:01)

All right, okay, so two things. One, this is very actionable. Specifically want to call out small, small mid sized business. If you listen, if you are a practitioner, okay, and you have access to the cfo, right? So like if you're a multi billion dollar company, chances are like, and I don't mean this disrespectfully, just on my, in my own experience, like the CFO is not accessible to you. Like maybe you are in the elevator with the CFO at the same time, but for the most part you're not getting the CFO's time if you work at a small midsize business, right? So I worked at a business that was like 750 million annual revenue and I had direct access to the CFO. Guy was busy, right? So you don't, you know, like hey, can we talk about pickleball? But like if you have something that's important, they want to know. And trust me, CFOs are all about the Benjamins, right? They want to know these things. This is a great opportunity. Basically threat actors are impersonating state, local people and saying hey, like you've got a, you got to renew your business license or you know, there's a fine, a fee, whatever it is, 400 bucks, 600 bucks. An amount of money that a CFO or some type of finance person is just going to pencil whip. But small mid sized businesses are likely to not have the checks in place and the requirements of the hurdles to go through to be able to make these payments and fall victim to this. So what I would say is take this as an opportunity to go to your CFO if you do meet the qualifications, I'm throwing out there like small mid sized business and say, hey, listen, I just want to let you know that criminals are doing this. Essentially you can give them an example of a malicious message around, you know, something to do with permits, something to do with fees and just say, hey, listen, the threat actors are going if they want you to pay in crypto wire transfer or I forget what the other one was. It was like another one that was not like an obvious one. Oh, peer to peer payment, like Venmo me. Just be aware that you know, this is likely fraud. In fact, my GRC brain just activated. I would argue that you even consider having a policy that with unless there's an exception, right? Because if you get ransomware and maybe you do need to use crypto, but like as a policy, pending exception, payments out of your business are not authorized via crypto or peer to peer payments. I don't know, I mean every business has to have their own policies. You can't just use templated blanket policy because, you know, it matters for the organization. Wire transfer, that's not going to be too good because wire transfers happen all the time. But I, I, to me, I would, I would, you know, let them know about this. Okay, dude, an ounce of prevention. And one other thing I want to share with you too is like these businesses business. This is effectively like a form of business email compromise. Okay, it's not, it's not the traditional version, but it's a form of it. I've worked at businesses where they hired me to come in and build an information security program from scratch. And one of the first, you know, maybe like the first three days I had a meeting with the CFO to understand how, you know, operations work from the finance office. And I was like, oh, you know, you should be aware of business email compromise. Here's what it is. He's like, I'll stop you right there. He's like, I know what it is. Like we fell for it twice last year. I paid 68,000, 73,000 in, in both instances. And just like went about his business. And I'm like, Jesus, dude, that's like my salary or like more than my salary. And you're just so flippant about it. Why don't we like get this under control? So it's very personal. A lot of these businesses have suffered these attacks and just keep on rolling and aren't reporting it. So just be aware, like this is a great opportunity to build those relationships with the CFO office by delivering value to them.

Sarah Lane (52:10)

Names third chief in 18 months the Financial Times sources say Darktrace has appointed Ed Jennings as its third permanent CEO in 18 months, following Jill Popelka's 16 month tenure and interim CEO Charles Goodman. The UK cybersecurity firm is owned by Thoma Bravo and plans to invest over $200 million in the US in 2026 to grow US sales to half of total revenue and compete with Palo Alto Networks and CrowdStrike. Jennings. US based experience at Quickbase and Mimecast is expected to help drive that growth.

Dr. Gerald Ozier (52:50)

Great

Sarah Lane (52:53)

Ransomware Hits electq customer data Stolen Chinese EV charger maker really quick this

Dr. Gerald Ozier (53:00)

this is why is this story here? Okay. If anything I would just say Dark Trace was like one of these unicorn darlings. They have like an AI before AI was cool EDR thing and they have three chiefs in in 18 months. That's not a good look. Like that is instability. Okay. This means nothing to any of us. I mean maybe, I don't know like as an investor, I guess. I don't know why this story is here. I don't understand the selection process over there.

Sarah Lane (53:34)

Elecq suffered a ransomware attack on its AWS cloud systems on March 7, which encrypted and copied customer data. Exposed information includes names, emails, phone numbers and home addresses, but no financial data or charger functionality was affected. The company took servers offline, restored systems from backups and tightened remote access. Regulators in the UK and Germany have been notified and customers are advised to monitor accounts and reset passwords.

Dr. Gerald Ozier (54:09)

Okay, so I mean a company hosted in AWS gets gets got. Okay so threat actor encrypted and copied user data. The old double extortion technique. Sounds like this might be one of the olds as like EXIL is like kind of the hotness right now that

Eric Taylor (54:38)

Hansel so hot right now.

Dr. Gerald Ozier (54:39)

Like a lot of threat actors aren't encrypting your data anymore. They're just doing data exo because it's faster, easier in a lot of organizations are going to have the backup. So it's like there's no reason and kind of tip in their hand. Although these people did it right. So Chinese outfit that builds EV charging gear. Okay. Your name, your email, your phone number, your home address compromised. No financial data but just you know where you live, what your name is. Okay. I love this. The company says it kicked off IR processes as soon as the suspicious activity was spotted. Your servers are being encrypted. Like it doesn't get much, much more Suspicious than that. And you can see here they already started restoration. So business continuity and backups are always good to go. All right. They brought in a third party cyber to carry out forensics investigation. So that's another common thing. Just hey, so you know, let me give you value, by the way. I love giving value. That's my, my whole shtick. Say you're an analyst or you know, a one person shop, right? Say you're ad tech, right? Using ad tech as our, as our team solo person, right? If you suffer a cyber attack at your organization, you're not expected to be like all of a sudden a digital forensics expert going deep into the, you know, into the incident to figure out, you know, it's very common to have number one, an insurance policy. Number two, that insurance company almost always has a retainer in place with some third party digital forensics firm and they get brought in again, it's partly for liability reasons, it's partly for plausible deniability reasons. There's a lot of like shenanigans and politics involved with having a third party come in instead of just hiring someone to do it. Even if team solo ad tech had all the skills in the world to do the digital forensics deep dive investigation, a, a law firm is still going to want an external party to do it. Okay, so anyways, just be aware if like, I guess as an, as a preparation, if, if right now, if you suffered an in, like let ask yourself this, if you suffered an incident today, like a really massive like oh my God, I'm glad I wore my brown pants to work today kind of incident, what would happen? Like do you have a law firm? Do you have an insurance provider? Do you have, do you know the third party people? Do you know what criteria would be required to qualify going from like ah, just reimag the machine to all right, let's, let's pull the, you know, the plug or let's, let's call the, the insurance provider and get them involved. Because like once you involve lawyers and insurance, it, it really, it turns into quite the big ball of, you know, Christmas lights that, that are all knotted up. So obviously you have to have some type of decision tree to decide when to execute on that.

Sarah Lane (58:07)

Red Actor uses Elastic Cloud for stolen data Researchers at Huntress uncovered a campaign where attackers exploited multiple enterprise software vulnerabilities, including SolarWinds Web Help Desk, to steal system data and store it in a free trial. Elastic Cloud SIEM instance, the threat actor used encoded PowerShell scripts to collect host active directory and patch Data then managed it via the SIEMS Kibana interface, affecting at least 216 hosts across 34 domains. Victims spanned government, education, finance, manufacturing and IT sectors. Elastic and law enforcement coordinated to take down the cloud instance and, and notify affected orgs.

Dr. Gerald Ozier (58:55)

Okay, hold on, this is complicated. So if you didn't know. Okay, Elastic cloud, which is like, they don't like it when you say the term elk, but that's like what a lot, a lot of olds call it is the ELK stack. So this is the Elastic Cloud sim. Um, it's kind of like you can do it without security onion, but a security onion instance will have this stack built on it. And the cabana is kind of like the query engine interface for it. Now they do offer free trials and remember if. I mean, obviously I assume a lot of information, but a SIM is a security information and event management platform. Essentially you just push all the logs and telemetry and network traffic like as. As much as you want. You know that you can handle into a sim and it allows a aggregation correlation and it allows you to query into your environment to see what's going on. Because all the logs are correlated with timestamps and stuff. You're able to pivot around and move and see what's going on and you can even see a compromise and then follow it laterally, figure out what happened. You see if other endpoints in your environment fell victim to the same payloads and stuff. Okay, so sims are basically the, the right and left hand of any security operations center. Now, a threat actor weaponized it, which is crazy, right? So Huntress found this shout out to John Hammond over at Huntress and Matt Kiley who work there. I don't know if they were involved with this story, but let's see. Instead of using C2, the attacker exiled victim data into an elastic cloud instance and turned security monitoring into a repo. Oh my God. Okay, so the attacker deployed an encoded powershell command on compromised systems that gathered detailed information and then. Hold on one second, I don't even understand. Like, I mean this is super complicated, but basically what they did was they, they essentially use the SIM is like the C2 panel effectively. Right? So they compromised a bunch of machines and then they had the, the machines send their data to the sim, which is a centralized data management repo tool effectively, and it allowed them to look at all the systems. Essentially they use the SIM to organize and review their data. Pretty clever. I know for a fact, without knowing any more about the story, Elastic Cloud is definitely not super into this, and obviously it's kind of an ill look for them that they were compromise this way. Now it says vulnerability somewhere in here. Threat actor exploits flaws. There's no flaw in the elastic cloud instance. Okay? The, the cabana instance was not vulnerable. They didn't weaponize it that way. They basically just used the tool the way it's designed. The endpoints got compromised and we're sending their data to it. Right? So I mean, if you were doing security at any of these victim organizations and you see data going to an elastic cloud instance and you're not running that sim, obviously that would be concerning. Shout out to Huntress for finding this one. Shout out to the threat actors. Again, I don't condone or promote cyber criminal behavior, but I do want you to know that I do respect and recognize innovation. And when they do stuff like this, like hat tip. You know what I mean? Like, well done, well done. Okay, again, I. I wish they didn't do it, but I'm not gonna be so ignorant to say it's dumb. All right, so there we go. All right, y', all, we made it. We made it to the end. Guys, holla atcha. Shout out to all of you again, thank you to the sponsors, Threat Locker, Anti siphon and Flare guys. It was Tuesday, March 10, 2026 Episode 1085. You guys crushed it. I want to thank you all for being here. You know, again, it takes a village. I see you guys in chat, Bruising hacks, Roswell uk, tj, Dream Logic. You know, so many of you, Mod chat. I see BSEC and casually Joseph Eric Taylor's in the mod chat there, sharing tips, tricks, and kind of making the show run right. You guys are the grease that make the machine run. So thank you very much. I genuinely appreciate it. I'm Jerry from Simply Cyber. Don't go anywhere because we are going to be doing jawjacking. Jawjacking is a. It's a service that we do here at Simply Cyber for the community. It's a 30 minute, ish, I guess 25 minute today. Ask me anything. We have rotating guest hosts. We're going to be adding more rotating guest hosts. I'm in talks with some folks and figuring out something, so stay tuned for that. We're going to get an entire stable of hosts to do jawjacking. That'll rotate in and out across the weeks. Very exciting. Bringing you guys different perspectives, different disciplines within industry to help you level up and be the best you can be. So don't go anywhere. I'll handle the transition. I'll be back tomorrow at actually. Oh, hold on. I will be back later today. My, my, my. Check this out. 1pm today. I forgot to tell everybody this. 1pm today. We're running a one hour workshop. AWS privilege escalation, attack and defenses. If you are at all responsible for defending or attacking AWS cloud infrastructure, this is a must attend. Christoph Lampelaire has done this professionally. The guy is a stud as far as education goes. Come on, hang out. I'll be there, you know, hosting Kristoff and like helping you guys get the most value from the stream. So let me drop that W link here. AWS workshop, There you go. 1:00pm Eastern time. And I'm sorry for those international folks, that's the middle of the night. I. I understand it can be difficult. It will be available on replay now for real. I'm out of here. Until next time. Stay secure. Ever wonder what it takes to break into cybersecurity? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered and totally free. Let's level up together. It's time for some Jawjacking.

Eric Taylor (66:21)

Good morning, good afternoon, good evening. Welcome to Jawjacking Tuesday edition. Thank you all so much for tuning in. My name is Eric Taylor. I am here to answer some of your questions that you may have. If you're new here, don't be shy. Put a Q colon mark in the chat so that way I can quickly find your question and be able to answer them. See a lot of people leaving out the heading off to. All right, Tim 4. See some people heading out. Y' all have a wonderful, wonderful day. Wish you could have stuck around but I understand work does call. And James McQuigan with the dolphins. I do have something that I want to talk about. Let's do the dolphin because are getting prompted for several people. All right, so this one is going to get interesting. Okay but let me actually take that down. My apologies. I don't know how to address this one gently. But if you've got little ones, especially daughters. So let's. Let's talk about this.

Dr. Gerald Ozier (67:48)

Okay?

Eric Taylor (67:51)

So here in our backyard, me and Dr. Gerald Ozer's backyard, there has been five high school girls victimized by AI generated images. Right now granted this is still an ongoing investigation. Apparently two boys were are suspected to be behind the situation. This is something that is still early in development because there's miners. There's not a lot of details coming out and to be honest with you, I did not see this even on my radar. Like, when you look out, like, what are the possible threats coming out in the next three years? I'm like, for some reason, my tinfoil hat never saw this as a possibility. And I spent the last day trying to figure out, okay, I have a daughter. Yeah. I'm trying to protect her. I got grandbabies. I'm trying to make sure they're protected, things of that nature. How do you protect your children from something like this?

Dr. Gerald Ozier (69:07)

Sure.

Eric Taylor (69:07)

I mean, I don't know how you can, to be completely honest with you, with things like, you know, banana and Grok and, you know, all these other ones that are able to do image manipulation really easily. Like, even if you took, like, even if you went uber extreme and said, you're off of social media, you can't post your images, then I was like, oh, what about a yearbook image? You know, a lot of times your picture is captured when you're at school events. You know, the schools are sending out newsletters. Oh, look at this baseball game that was just happened and all the people there. I don't know how you can get your kids off of that. Yes. It can also happen with boys. Absolutely. Right. I would say my personal opinion on this is I. I would suspect women are a lot more susceptible to this than men are. Will it happen to men? Absolutely. But if I was to put a ratio, probably a 2 to 1, 3 to 1. Again, my personal thoughts, I, you know, metrics would have to be determined on that. Right. I don't know. I don't know if there is a way to legitimately protect your kids. So, you know, this is going to be something, you know, if you have kids and you're thinking about having kids or you got grandkids, you know, you know, sitting down and talking and figuring out, like, this is inevitable to potentially happen. Right. So how do you address it? When it happens is really the only thing we can do. And I'm still trying to figure that out myself. Right. Short of taking someone out back and beating them up a little bit. But you can't really do that with minors. Right. It's definitely an interesting time, especially when you try to protect your little ones. All right, so I did see a couple cues coming in here, but definitely let me know what you think about what I think on that one. Right. It's a burnt. Literally a burning question that I am trying to figure out. Right. And I don't have a good answer. I don't have a right answer in that particular situation. So, you know, as Jerry said, We are a collective, you know, almost like the Borg from Star Trek. If y' all have ever watched that. Let's let our hive mind work together and figure out, you know, I don't. Again, I don't think there's a way to prevent it from happening. However, what do you do when it does happen? How can we combat it? That's what I really want to know. So let me know what you think about what I think. All right. What's new with a ransom ransom Isac? Nothing. You know, we're still working in the background. You know, it's. I know the. I've been talking with the creator a lot lately in Signal. There's a lot of stuff coming out. There's some memberships coming out, some. The. The individual who wants to remain nameless for security and privacy reasons. There's a lot of stuff on the horizon, so it'll be interesting to see. You know, we'll still be helping them out with some reports. There's another one coming out with another. Another users putting together a EDR Killer report out. So definitely take. Stay tuned with those. But that ISAC is definitely growing. Right. I just got my Lockstar award from them for the EDR killer that I put out, so it's pretty cool. Question from Mariah Green. Are OGEC certs worth getting if you're looking to get into GRC more? I agree. I am. Honestly. I'm not a GRC person. I'm honestly not. That's not my forte. But please save your question. In fact, I'll even. What I'll try to do. And if Jerry remembers it, then you may honestly have to mention it again tomorrow because Jerry's a very busy person. But I just copied and pasted over into Mod Chat. I'll ping Jerry on it, and if he can remember, then he'll try to bring it up. If not, again, do ask a question of tomorrow's jawjacking, because I don't want to give you bad advice and it's not my forte. Right. But hypothetically, you know what, Lynn? Let's take a stab at it. What is. Because I don't know what it is, and we only got a couple questions, so I can't spend a moment on this. Let's look at this together, ladies and gentlemen. What do you say? So let's go over to the Googles. What is o c e g cert? I mean, right away. GRC certification suite. GRC Professional. Let me blow this up so everybody can read our certitude. Our industry recognized Credentials on the Open Compliance and Ethics. Okay, yeah. Again, on the surface this looks like a very credible certificate. Yeah. The only thing I don't know in full transparency, like I said, I'm not a huge GRC person. I don't. But does this certificate, is it well received, is it well valued in the industry that I don't know, like EC councils, you know, certified ethical hacker, you know, is that well received? I don't know if it is right anymore, you know, so definitely talk to Jerry about that, see what he thinks about it and get a better at. But on the surface it looks like a very credible certificate. Certification that you should consider and maybe people in the chat it's already answered this, you know, maybe because there are a lot of GRC people in chat that could be able to also weigh in on this one. All right, question from Papa Bear. Which private sector field in cyber security do you think offers the most work life balance?

Dr. Gerald Ozier (75:59)

Huh?

Eric Taylor (76:03)

That is, That is a really good question. You know, off the cuff this may require more thought, but off the cuff I'm going to say potentially a GRC analyst or not a CTI or a sock analyst. Probably a sock analyst because most of the time if you're a sock analyst, you're working with an organization that has many SOC analysts for a 24 hour, seven day a week, 365 rotation. So I would say potentially a SOC analyst would be that, that position. However, one caveat to note, if you're working for a smaller firm like Barricade or anybody else that is smaller, I would say that I don't know if there's going to be much work life balance because we don't have the staff to properly segment a full, full work life balance scenario. Right. So working for a larger organization will definitely give you a lot of that work life balance that you're looking for. So again, off the cuff, that's my thoughts. Taiwan Gang, how can I be a master hacker like you? Taiwan Gong, you have a misconception about me. Good person. I am no way shape or form a master hacker by any means. I get really lucky a lot, but I don't do a whole lot of hacking this as much anymore. Again, so my workflow, I mean those who don't know, I do digital forensics and internal response where differ or DFIR depending on who you talk to. So our job is to hunt evil. Now a lot of times when a CVE is posted, yes, we are trying to replay that cve. We're trying to figure out, you know, how does it exploit? What are the signatures for it? Things of that nature. I, I mean, yeah, we've had. I had a lot of success as a couple years ago getting on Team Viewers hall of Fame and just doing a lot of cool stuff. But I would never, ever classify myself as a master hacker by any stretch of the imagination. There are a lot of people who are a lot smarter than I am. And even in my own space in dfir, I am no master at my tradecraft. Am I an expert? Sure, I know a lot of information, but I am no master. I am always, always freaking learning something. And there's always things that, you know, one thing I always tout or I always try to make sure I emphasize on these jawjacking sessions and when I'm talking to people is how do we. Or how do you always make sure that you are learning and it's really going back through the same courses that you've done. Let's say hypothetically, you went through ceh. I know, I think it's still mostly self paced. I don't know if there's any online course, but let's just say hypothetically, you know, it's an online course. Or take Black Hills, the perfect example. Okay. He. You may have John Strand teaching a course. I think he does what, the introduction of soc analysts or something like that? He does several of them.

Dr. Gerald Ozier (80:15)

Right.

Eric Taylor (80:17)

So you get John Strand's perspective on some things. The one thing I found that I really enjoy is taking that class again next year because I try to take it every couple years in any of the certifications that I have, but I always make sure I get a different instructor because sometimes they teach it in a different way. Sometimes a lot. You notice when you go through any of the courses, through any of the trainings, you know, sometimes they get to talking about real world experiences and stuff like that and learning their perception of how they see stuff will put off a light bulb in your head, like, oh, I never thought of thinking of X, Y and or Z in that fashion. And it opens up a whole new world of intrigue for you and being able to really go down that whole thing. Right. So definitely, definitely do that is my personal recommendation. But again, please don't confuse me with a master of anything. I appreciate the, the voted confidence. James.

Sarah Lane (81:30)

Dude.

Dr. Gerald Ozier (81:30)

James.

Eric Taylor (81:31)

If I can show you my calendar, like literally those, the. The hiring process. So you know, we've got a hiring process or going through a hiring process to try to get a Falcon administrator in. I had an o and like 48 hours on LinkedIn, over 7, 000 people applied. I am still working through that. My calendar is back to back. Like, I'm going to be ending the stream here in a few minutes. I'm prepping for four interviews today, plus all my other work, so. I'm not ignoring you, James. I promise you that. But you'll see the stream at the. The. My camera. It kind of fades in and out a little bit. But, yeah, you are on my radar to get something scheduled. It's just trying to find the time. And while I've been on here, I've already had two calls from two different legal folks looking for updates. So it's a very busy time for me. All right, we are coming up to the bottom of the half hour, so let me. If there's any last minute. Yeah, but I love it. James McQuiggin. Yeah, he's calling me out. I know it, but I love it. Oh, here's a question that for some reason I overlooked. Oh, it just came in. Okay. What starting point would you recommend someone who wants to be a hacker? I would say go to bug bounty. Does cb, cbt, Nuggets still have. I. I don't even know. Cb. CBT or whatever. Nuggets is still a thing. Give me a second.

Dr. Gerald Ozier (83:08)

I'm.

Eric Taylor (83:08)

I'm on my other screen. I know, I'm. Was it cbt? Yeah, Nuggets hacker course. Okay, so here, I'll switch screens here. So, yeah, White hat. Cbt, Nuggets online training. I know. Black Hills. Just trying to make sure we always. I'm always mentioning multiple people, but CBT, Nuggets looks like they have something. It's old from 2018, but they do have a course and they. It's not bad. It's 59 bucks. I know another one you should definitely look at if you're not Tyler Ramsey. Right? Look at his stuff. He's talking about it all the time. Nahamsek on YouTube. Check out his stuff. Check out Black Hills. They've got some courses. And start doing bug bounties. Those are platforms you're legally allowed to, quote, unquote, hack on and get real world practice. It's not a simulation. These are real servers responding in real time. So me personally, that's what I would recommend. So. All right, ladies and gentlemen, again, we are coming up to the bottom of the hour. I do greatly appreciate any last questions coming in real quick. Yeah, yeah, yeah, yeah. All right, I think we've got all the questions answered. Thank you all so much. I do know that there are some changes coming up with jawjacking. I'm not sure how that's going to play out, but I will be enjoying at least the next couple of weeks with you guys on a standard Tuesday standing jawjacking session. I do enjoy these, so we'll see how things pan out in April. And coming up, I do know that, you know, bringing some fresh blood in here to different perspective is good. You know, it's. You always don't want to hear my rantings by any means, so I'm very eager to see how that plays out as well, seeing some other folks coming up here and giving their perspective. So I will try to start pivoting over to the panels on Friday if my jawjackings are not there. So that way I can at least rant for a moment or two. That's always good. But again, thank you all so much for tuning in. I do greatly appreciate it. I will. If you haven't seen it, where to catch us next? We myself, Brandon Pearson and Katya K. We're all know we got CTI stuff and everything. We're actually talking on a thing called Breakfast Club. Tomorrow I'll be posting a thing about it on LinkedIn for you to go over there and register. It's free to register if I if I remember correctly. So if you're wanting to hear more CTI related stuff and what we're seeing in the space, definitely go over there and check that out. Like I said, I'll be posting something on LinkedIn here a little bit probably in the next hour or so. So definitely follow me over there and if you're on audio, I see you try to save and we'll see y' all next time. Until then, stay curious my friends.

Dr. Gerald Ozier (86:59)

Hey everybody, I hope you enjoyed that content. Keep the cyber security train going by connecting with the other Simply Cyber community resources. We have the Discord server that's lively and always keeps the conversation going. You can connect with me directly on LinkedIn and also every single weekday morning on the Simply Cyber channel, we're doing live daily cyber threat briefings, 8:00am Eastern time as well as Thursday at 4:30pm we're doing live stream interviews with industry experts and we produce videos that we push out every Wednesday morning. I'm Jerry from Simply Cyber. I hope you enjoyed the content and we'll see you in the next one.

Eric Taylor (87:37)

So real quick, the Sea Shanty please. I don't know, there's been a lot of changes on the platform. I don't know if I'm allowed to play it I know you're not the first person to ask me about it. If you go over to my YouTube channel, you it's right there. You can be able to listen to it anytime you want to. I just don't know if we're if I'm currently allowed to play that anymore. So I will talk to Jerry. I've been meaning to. Just like James McQuiggin, I've been meaning to get with him. I'll try to shoot a message to Jerry and get clarification to see if I am allowed to play it. I just don't want to do something I'm not allowed to do. So I'll get clarification on that. But again, you're not the first person to have asked that. But anyway, thank you. Thanks again. And we'll see you all next week. Take care.

Dr. Gerald Ozier (88:27)

All.