Loading summary
A
All right, what's up, everybody? Welcome to the party. Today is Tuesday, March 24, 2026. This is episode 1095, question mark of Simply Cyber's Daily Cyber Threat Brief Podcast. I AM your host, Dr. Gerald Ozier, coming to you live from San Francisco. It is RSA week here at Simply Cyber, so getting it done. Shout out to all the left coast people. It is 5:00am Pacific Time right now. Getting up for the show. If you want to stay current on the top cyber news stories of the day while being entertained and educated, well, then, welcome to the party, pal, because that's what I'm here to do. I'm going to go through eight stories which I have not prepped for in any way possible because ain't nobody got time for that. And then I'm going to go beyond the headlines. I'm going to give you insights, things that you wouldn't learn in a classroom or boot camp or, you know, just reading the story by yourself. Based on my 20 plus years of experience and just life lessons. And the best part is, directly above me, you see this, this, this power group right here, these juggernauts above me, they are the Simply Cyber community and you are part of it. Welcome to the party. And I've got 20 plus years of experience, but directly above my head, it probably has about 3,875 years of experience. And they are weighing in with their thoughts on the same stories. What's up, Toasty Pops in the Kansas City contingent. Good to see you. Say what's up in chat if you're here. I want to say shout out to the Simply Cyber San Francisco meetup yesterday. Got to meet Nick. Nick is our lone Apple podcast listener. Good to see you, Nick. He's coming to Simply Cybercon. Guys, we got a great show for you. We're off and running. I'll explain the audio situation in a minute, but let's get going. All right, what's up, everybody? Thank you so very much. I'm super excited. Now, I do want to quickly. Oh, my God, You. You would be stunned. Like, how much real estate I don't have on my screen right now. All right, listen, we're doing it again. We're doing the thing. Phone into my DJI mic. I. I fixed this all yesterday. I swear to God, I fixed it all. And then I came in this morning and the thing is, you have to have everything plugged in and. And like, the computer has to see all the things for the software to work correctly. And I. I'm sorry, I chose to sleep past 4am this morning and casually Joseph hopped into the studio. The problem is the audio failed. So we're gonna just go with this. I do want to say shout out to, like, Kathy Chambers, Phil Stafford, other Simply Cyber Community members who told me yesterday that the. The show was not, you know, significantly impacted negatively for doing it this way. So I feel like this is an acceptable business continuity plan, so we're going to execute that, as it were. Now let me take this off my ugly face. I did put moisturizer on, but, like, it looks like Road Warrior Jerry is not holding up so great. So we'll. We'll put this as a smaller photo. Oh, George. Dream Logic is saying I look fresh. Thank you, Dream Logic, Ladies and gentlemen, Dream Logic, my hype woman. So, guys, what do we got here? Every single episode of Daily Cyber Threat Brief is worth half a cpe. So say what's in chat. You appear above me. Yes, you appear above me. And you're part of the show. Right? So all you got to do is say what's up? In chat, Grab a screenshot. You'll notice today's episode includes the title, you know, top Cyber Threat news. It says the date March 24th. It says the episode number 1095. So grab a screenshot, get your CPEs, and then once year count those CPEs up and you are going to be rocking and rolling up to 120cpes. Yeah. TJ says I sound more relaxed. I do. You know, I can get into this a little bit at the end of the show if you want, tj, but like I said, like, I. I want to execute. You get like, it's like 8 mile and I'm Eminem, right? You get like one shot to execute. Like when you're here on site and interviewing people, and there's a lot of coordination and scheduling and I do not want to be the reason that it fails. So I'm like hyper anxious, you know, and then once it's off and running, we're good to go. If you're here for the first time, welcome to the party, pal. If you're here for the second time, let me know in chat. Because if you came yesterday for the first time and you came back for more, I want to high five you like the crispiest of high fives. Because I appreciate you seeing beyond the audio issues and whatnot and seeing, like, what the Simply Cyber Community is all about. Busting Justin says you can't get the title and your comment on the same screenshot. Not on mobile. Well, Bustin Justin I guess what I would say in that case is take the screenshot with your name just because, like, every episode is the same, like, name. And then how would you do that? I don't know. If anyone has a thought, let me know. Because, I mean, if you take a screenshot of your phone, it's got the time on it, but that's still not the date. I don't know. We'll solve for that. All right, so we've got first timers in chat. Drop a hashtag. First timer. DJ B Sec was here yesterday and came back. DJ B Sec's been awfully supportive in mod chat, offering his thoughts. DJ B Sec with like, I'd say, what DJ? Like, 20 years, 20 plus years of experience network engineering, cyber security. And now he's kind of in that executive track. So let's get him an iPhone stat, ladies and gentlemen. All right, hey, this show, whether I'm doing it through the iPhone, into my chest lapel, or we've got the fancy Buffer Osier Flow Studio, I want you to know every single episode is brought to you by Simply Cybers Community sponsors or daily cyber threat brief sponsors, starting with anti siphon training. Guys, there's a QR code on the screen right now. You can scan it with your phone. Not a trick, not a quishing, not a quishing email or question thing. And you can go to the sock summit live. This is March 25th tomorrow from 10am to 6pm Eastern time. Look at this. 10 different professionals giving one hour or, you know, giving talks. Hold on one second. Hold on. It's hard to do this with my phone here, buddy. Okay, here's the sock summit, right? Get. Get up on this. Get on up. Do like your best James Brown impression. Get on up on this sock summit, guys. My favorite part about this personally, super selfish. But not only is there like amazing speakers, like a full day of amazing speakers, I just want to call your attention to this. You know, sluggers ball, Wade Wells, 11:30, Chad Wiggins, aka CheddarBob, 12. You take lunch. You better not eat a big lunch because you don't want to be sleepy when Dan Reardon brings the heat at 2:30. And then Hayden Covington, like a tag team like you, you know, like old school WWF where like, there'd be a tag team and like, the guy would drag you like the opponent to the corner and then tag his teammate. And then the two of them just double team that one guy. That's what Dan Rear and Hayden Covington are going to be doing upside your head tomorrow. Don't miss this opportunity. Free training. Amazing. Thank you so much. Anti Siphon. I'll drop a link in chat for you to go check that out. Hold on one second. I can do that with one hand. I'm literally holding my phone. I hope you guys can hear the music because I'm literally holding the phone exclusively. So you can hear music underneath me spitting. I mean, Jesus. DJ B Sec. DJ B sec wrote spitting in mod chat. And he just. Buffer overflowed my brain. Damn it. All right, I also want to say holler to Flare, guys. Flare's threat intelligence platform is super sick. But right now I want to tell you about Flare Academy, which is like basically a. A service that Flare does just because they have so much intelligence and so much experience on their staff that they put these monthly webinars together for two hours today. So right after the show ends Today, roughly at 10am, you can learn about bulletproof hosting. If all you know about bulletproof hosting is that bad guys use ISPs that law enforcement doesn't get after, there's so much more to it. And if you want to understand how bulletproof hosting works and kind of the economics and ecosystems of it, dude, two hours and you get basically a curated learning experience. This to me is a phenomenal, phenomenal opportunity. I wish I could go to this. I will be watching this on replay personally, but I would recommend you go register. You can talk to the instructor. They do like a Q and A panel afterwards, which is really nice. Go to Simply Cyber IO Flare. I'm putting it in chat right now. Go check that out right now. And of course, Threat Locker, longtime sponsor Threat Locker. I'm going to hear, we're going to hear from them really quickly. I also want to say really quickly. If you're a long timer of simply Cyber and you've seen me on the road, I normally have a microphone going into a mixing board. I'm mixing it up and starting to use a lapel mic. Dude, being able to like keep talking at a consistent volume level without while moving my arms around is just a game changer. I love it. I love it, I love it. All right, let's hear from Threat Locker really quickly and then be prepared for an absolute face melting experience. Let's go. I want to give some love to
B
the daily Cyber Threat brief sponsor Threat Locker. Do zero day exploits and supply chain attacks. Keep you up at night.
A
Worry no more.
B
You can harden your security with Threat Locker. Worldwide companies like JetBlue Trust Threat Locker to secure their data and keep their Business operations Flying high Threat Locker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and
A
learn more about about how Threat Locker
B
can help prevent ransomware and Ensure compliance. Visit threatlocker.com Daily Cyber.
A
All right, hold on. I had to get, I had to get more coffee. All right. Also guys, every day of the week has a special segment and Tuesdays is. Wait for it, tidbits. Tuesday I'm going to share a little bit about me, a little bit about, you know, know something. I don't know, something we can see if we can vibe on and have a laugh. Maybe, I don't know, it'll be good. I do want to say really quick, like just a quick shout out to the community. I see code brewing here. Kathy Chambers, great to see you. Saw Elliot Mati Sunshine, Sunshine's husband Nick and yeah, it was just, it was fun. It was a lot of fun last night. I, I really had a good time. So I appreciate all of you who were able to attend. All right, dudes, do me a favor, do me a favor. Philip Martin, Cyber Sit back tech grunt, relax and dream logic. Let's let the cool sounds of the hot news spicy wash over us all in an awesome wave. I will see you all at the mid roll.
C
From the CISO series. It's cyber security headlines.
A
All right, let me know if the audio is not good.
C
These are the cyber security headlines for Tuesday, March 24, 2026. I'm Sarah Lane, new.
A
Hey, one second. We got a first timer. Michael. Jeffrey Rivera, first timer here near Charleston. I'm the copier guy. What's up? Jeffrey, welcome. I mean, Jeffrey, welcome. Michael. Welcome to the party, pal. Hold on. Oh, I promised I was going to do welcome to the party pal memes too, since I was unable to do the sound effect. I mean, obviously I can manually do the sound effect, but I mean the visual, let's be, let's be real. The visual is part of the experience, right? So let me do this really quickly. And there we go. Michael, Jeffrey, welcome to the party, pal. All right, let's keep cooking.
C
Dark sword exploit hits GitHub, a newer version of the Dark Sword iPhone hacking toolkit, has been leaked on GitHub, making it easy for attackers to target devices running older iOS versions. Researchers say the exploits don't require much skill to deploy and can steal messages, contacts and passwords. Apple has issued Patches and says updated devices aren't at risk. But with roughly a quarter of iPhones still on outdated software, hundreds of millions of devices could still be vulnerable.
A
Okay, really quick, we, I have, we have another first timer in chat. Guys, I love saying what's up to first timers. I just appreciate them checking us out. Where was it? It was like, Josiah, I thought I just saw it in chat, Bruh. Josiah Marshall, 1152. Welcome to the party, pal. Josiah. There you go. There's your John McLean welcoming you to the party. All right, so guys, this, this Dark Sword hacking tool is pretty gnarly, I guess. It's been leaked and shared on GitHub. I mean, listen, these tools are powerful already, but when you, when you basically make it accessible to anyone on the Internet, obviously there's going to be an explosive utility of, of, of use of the tool. Right? We saw this with me, right? Botnet back in the day. So if you are running an Apple iOS 26 or, or, excuse me, before 26, like, I guess 25 dot, whatever, and lower, you are absolutely at risk. So, number one, like, even before we get into, like, what Dark Sword is and how cool a name it is and how it works or whatever, number one, you should tell your executives, right? Because let's be real, the executives are definitely running around on iPhones. I just, I just made the joke about DJ B Sec trading in his Android phone for an iPhone. Make sure they're up to date. Right. Again, I don't know how easy it is to deploy this tool. And just because there's a tool out there doesn't mean that anyone with an iPhone that isn't updated is going to get hacked. It just means that you're at risk. It's. It's exposure. Right? And that's what we deal with here in cyber security. Risk, exposure. So tell them to update their phone. Right. Also, if you can, depending on the size of the business, right? A smaller business, you might just walk over and say, let me update your phone, but then, like, set it to auto update. Pro tip. All right, so let's talk about Dark Sword as far as, like, how it actually works. All right, it says it's just HTML and JavaScript. That seems awfully simple for owning an iPhone. No iOS expertise required. People are saying it's trivial to use it. You can hack an iPad. Use an iOS 18. All right, so here's what I would say. Two things. One, you could just update to iOS 26. If for whatever reason, you're unable to update and you're Concerned about risk. Apple iPhones have this lockdown mode. You can certainly turn on lockdown mode. It does incredibly limit the functionality of the phone, my understanding. But here's what I would recommend people do. Number one, just update the iPhone, right? Simple, no problem. Cool, cool hacking tool, dude. But like it, it, you know your, your dark sword has no power here, right? Just simple. I update my stuff. You gotta patch it. You gotta patch it. Like just patch your stuff. Like I don't understand why we can't patch things. Why can't we have nice things, right? And then secondly, if, if, if. Okay, hear me out. If you are interested in making some content or having like a fun project or whatever, download this, it's free. And then, you know, do a demo of you exploiting an iPad or an iPhone. Now make sure it's your iPhone, your iPad, make sure it's a something you own. Don't just like go blast it at some victim and then record it, right? Also, I don't know how to like downgrade your device. Maybe if you did like a hardware reset, like a refresh on the device and reset it, maybe you'd be able to roll back the operating system. I'm not entirely sure. So, But I think it would be cool and it would be very quote unquote viral if you were to do a demonstration of this and like post it on LinkedIn or whatever. Obviously don't be a one trick pony, right? Like maybe bring out some ideas on IOCs. Like, oh hey, like this is what it looks like if your device gets owned. Like, like, you know, do something for the defenders, do something for the good, the good people out there trying to protect it. But for the most part, just patch your device and move on. This is really cool. However it works to me, doesn't really matter whether it exploits, you know, some type of like font rendering engine or you know what, it doesn't matter. It doesn't matter to me how it actually does its exploitation. Okay. Anyways, tldr, you don't want this.
C
Gemini AI agents hit the dark web.
A
Google launched Gemini AI agents like behave Gemini oh my.
C
In public preview to monitor the dark web, analyzing up to 10 million posts daily to identify threats relevant to specific organizations. The system builds a profile of a customer, scans dark web activity for data leaks, initial access broker activity and insider threats, and then generates prioritized alerts with context from human analysts tracking 627 threat groups. Accuracy is reported at 98%, reducing false positives that are common in traditional monitoring. Gemini agents can also Automate threat investigation and response within Google security operations.
A
Okay, okay, hold on. Jesus. Like Gemini says, hold my beer and just like basically takes the dark web. All right, so this sounds pretty cool. Obviously these AI tools can ingest text very, very well. Phil Stafford I'm definitely speaking outside of my swim lane. Phil Stafford John V.R. resident AI experts in the Simply Cyber community. But I will tell you this, of the little I do know, AI like text ingestion is like where it really shines. And this is scanning the dark web for all sorts of trash that's there. And it says 98 accuracy. I don't know like what the 2% is. Like it's misanalyzing an event. Like if it's just ingesting data, I don't know. So like this doesn't really get me too hot and bothered. I will say that this is a very good, interesting use case of AI being able to go through just a ridiculous volume of data that cannot be consumed by a human analyst. I do think. Well, hold on. First of all, the fact that I can go through faster than a human analyst is wonderful. Having insights into Dark Web activity is wonderful. I mean this is like this is what flare threat intelligence platform does, except they make it accessible and readable for you. Because remember, like just because Google Gemini can scan the whole dark web and then understand what the hell is going. Excuse me, understand what the heck is going on. That doesn't mean that you at your business like say you're like head of cyber at Louisiana Tech, right? Like just to pick a university, like Gemini is not going to be like, hey, like it looks like there, there could be some creds from your end users in the Dark web. You know what I mean? This is like to me this is just analyzing Dark web like sentiment and maybe ongoing operations or Dark web marketplace type stuff. Let's see what else I can do. Plus, guys, I also want to point out again, I'm not a Dark web guru, but like there is a lot of Dark web threat actor activity is based on trust, right? So there's a lot of dark web places that you would have to get access to before you Gemini could read it and scrape it now. So like you'd either have to give Gemini your account that like your sock puppet account that you've curated, or you'd have to not have that information in there. So don't, don't think that this is exhaustive in my opinion. Don't think that this is exhaustively scanning every element of Dark web traffic. Foreign. Let's see. Okay, so this is what they're saying. They're saying that they confirmed that their business and Gemini built a customer profile and a couple minutes later they provide a deep understanding report on the environment, business ops, VIPs, the brand, all that based on open source stuff. This is interesting. I mean this is honestly, this is a lot like what Flare does. So I can't wait to hear how like the what, what the shortcomings are or what the differentiator are of a platform like Flare. How do you use this? By the. Okay, all right. So I mean, yeah, they're basically. This shouldn't come as a shock. They're using Gemini to scan a bunch of dark web and then deliver insights on it. My, my question is, how do you use this? Like where do I just like go to gemini.com and type in my business and be like, give me dark web insight. All right. They added AI agents to Google SecOps to automate threat Response. Automate Threat Response casually Joseph, your service, here's. Your services are no longer needed. Let's see. Customers can now build their own enterprise security agents with MCP server support. So Google's releasing a lot of stuff. Here's what I would say. It's RSA week. Okay? It's RSA week. This is, I'm like, I think Google's a good company and makes good product. First of all, I think Google Threat Intelligence Group is a great research arm for Google. Okay. So I'm not throwing shade at Google. All I will say is it's RSA week and this news story feels like a lot of sizzle, not a lot of steak.
C
Right?
A
If you want to use a term that my old boss Walter Rowe used to say, a lot of sizzle, not a lot of steak. Like it says like, basically this is like low key, like a press release. Like Google has a new tool that can scan the Internet and with like 98 efficacy and tell you everything you want to know. Plus we can automate all the things. Plus like security operations cost nothing and is, you know, faster than ever. Plus you can develop your own tools with infinite infrastructure. Like this is like Google saying like we've got all the, we have all the solutions, we have the answers to the test. We'll see you at the, the happy hour. So way to go. Like catch me, catch me outside Google when there's like more meat on this bone. So we can understand how do we use this and how does it, how does it fold into our like actual security operations, workflows and stuff. Like, I don't know, I guess I've just seen so many products come and go where it's like splash and then it like, it, it requires like another FTE to manage or, and let me share that. Like, again, I feel like I haven't done a good job of like delivering extra value to you guys today. Let me tell you something, okay? Anytime you are going to buy a product, okay? And if you're a CISO or director of IT or CTO in chat, like you're going to feel seen right now, okay? Anytime you buy a product or you roll out a product, okay, yes, it's going to cost $100,000. Yes, it's going to take three months to roll out. Yes, once you have it, you're going to have insert fantasy outcome here, right? You're going to have infinite visibility, you're going to have zero seconds, meantime detection, you're going to have whatever, okay? All your things are going to be patched instantly, right? Whatever dream scenario you want. Here's the reality. You should also ask, what kind of FTE commitment does this take? What kind of like, what human do I need to stick on the keyboard to manage, nurture and feed this thing? A firewall is a classic example. Firewall. You put it in place and it blocks package. You win. It's like, yeah, you know what, there's going to be a lot of people calling saying like, oh, like my app's not working or oh, like we have a vendor coming in, can you open something? Like, someone has to manage that thing. And so many people, so many people. Like, just like a lot of short sighted leaders, I should even call them a leader. Shortsighted managers, right? They'll just be like, oh, hey, Code Brew, you own the firewall too now. And this is what leads to like, you know, burnout or you know, unhappy employees. Because like you were busy doing your job full time and then your boss is like, you own this thing now. And they'll, they'll put, they'll put it in beautiful silk wrapping, they'll put a gorgeous bow on it. It won't take much time. All you gotta do is look at it once in a while. No big deal. The vendor said it pretty much runs itself. And then all of a sudden Code Brew is calling his wife, telling her, hey, why don't you just make me a hot plate because I got to work two hours extra because this tool I own now, all right, or you just abandoned it and then it becomes a tool. You're paying for that. You don't use that is reality. People trust me, always ask, what's it going to take to deploy? And what's the ongoing maintenance commitment from a human capital perspective? Sales guys won't tell you that. They'll just be like, oh, no, it solves all the problems. Like, what problem do you have? Yeah, it solves that. Like, just whatever your answer is, it solves that. And if you ask if they have a does it do this? You're gonna get two answers. Okay, I'm sorry, sales people, I'm blowing up your playbook here. You're gonna get two answers if you ask, does it do this? Okay, one, does it. Does it do the thing? Yes, it does do the thing, or it's coming out next quarter. You will never, ever hear. You will never hear. No, it's either next quarter, it's on the roadmap, or yes, it does that. All right, all right. Mod chat's hurting my feelings right now, so I guess I'm gonna. I'm gonna move on. I'm gonna move on. Here we go. Giving you guys value. Let's keep cooking.
C
Supply Chain Attack Expands Aqua Securities Trivi Supply Chain Attack has expanded with new compromised docker images. On March 19, Trivi version 0.69.4 was infected with credential stealing malware via GitHub Actions. Researchers from Socket found further compromised images uploaded on March 22 without official releases. The malware contained typo squatted C2 domains and exfiltration files linked to the Team PCP threat group, which has expanded operations to worms, ransomware, crypto mining and destructive attacks. Organization are advised to review recent activity though Aqua securities commercial products are said to remain unaffected.
A
Oh my God, the phone call. That sucks, dude. Okay, so check this out. This sucks. I like. Okay, so there is some Aqua security vulnerability scanner called Trivy. Okay, I. I guess I don't know if this is a. A paid product or open source, but it's a vulnerability scanner, right? Hold on one second. We got a first timer in chat. Who is this? Poned bike. So Pwned squad, if you can. Pwned. Oh, you guys are already on top of this. Poned. Welcome to the party, pal. I love it. I love it, I love it. Okay, so check it out. One second. This vulnerability scanner, a threat actor got into the pipeline. We've actually seen this category of attacks quite a bit. I mean, it's not as common as like a phishing email, obviously, but. But we like. Solarwinds was like a kind of a developer pipeline compromise. LastPass was a developer compromise. Not necessarily the source code, but this is another one. So really quickly, just back in my day, like, so for those who don't know, I was a software engineer before I, well I should say software developer engineers probably given me too much credit. But like I, I, I used to do software, right? And these CICD pipelines, continuous integration, continuous deployment, they're incredibly complicated. They're, it's a lot of automation. Like you know, it does the unit test and then it pushes it through and it goes. If you work at a company that has developers and CICD pipelines, it would benefit you. Thank you dj. B SEC Trivia is open source. Okay. It would benefit you to sit with those developers for a minute or take like a 45 minute webinar on how CICD pipelines work. Just, just, just to understand what they are. Also, if you want, for the two people in chat who like this is definitely going to serve, Naomi Buckwalter did a talk at Wild West Hack Infest Deadwood like maybe three years ago on what Infosec people need to know about developers. I sat in on that talk. It's a, it's a great talk. Like if you, if you want to do the thing I just told you, like you could just watch Naomi's talk on YouTube or whatever and it would be very nice. So these guys, these guys, right, they basically injected malware into the GitHub pipeline, into the, into one of the Docker containers, which means you deploy it and you're running it and unbeknownst to you, it's stealing credentials. Very classic threat actor attack. It's pretty straightforward. Like it's, this is, honestly guys, this is a classic case of a Trojan, right? They say supply chain attack, but all this is, is trojanized software. You have a vulnerability scanner, it's going to continue to run, but in reality it's also doing info stealer. That, that's a Trojan. So for those new to industry, maybe you heard the term trojan and you're like, what? Well there's other things called trojans, you know what I mean? But like, like this is a perfect example of it. Now they mentioned worms and malware and all these other things. Once you own a machine, like once you detonate malware and you've got payloads running, you can do whatever you want. You could run info stealers, persistence mechanisms. Oh my God, ransomware, right? Whatever you want. So here's the TLDR number one. If you are running this Aqua securities trivial vulnerability scanner, you, you might be compromised. Okay? Now it's a GitHub repo, so you'd have to be maintaining it. I don't know when the infection occurred. So like when the threat actors put the negative malware or the malware into the source code so you can go check. This is one of the cool things about GitHub is that there are check ins of code commits. So you could actually go see what version started being the malicious version to see if you're at risk. Maybe it'll be the one time that you're not penalized for. Oh, you got to patch it. Well, I didn't. Well, I'm not infected now, so TLDR now. Knowing's half the battle, right, GI Joe? So you, Duke, Flint and Lady Jane, go update your version of Trivia to a non malicious version. I would assume that Aqua Security has modified and removed that trojanized malware. Secondly, see, if you're actually infected, there's probably IOCs for y' all to understand whether or not you were running a malicious version. Actually, you really don't even need IOCs. Look at the version you have and see if it was updated. An updated version since the malware payload was committed to the source code. And if yes, then it sounds like it's an info stealer. So guess what, you better pack a lunch and get ready or order pizzas into the office because you're going to have to update and change a lot of passwords. Of course. Of course Multi factor authentication is going to help stem the bleeding on this one. Multi factor authentication is not bulletproof vest. It's not you. Oh, who cares if they have my password? They don't have Multi factor. All it's going to do is buy you time from a threat actor getting in. Right? The final thing I'll say on this one is Trivia. Vulnerability Scanner 06.9.3 is a known clean release and 0694 is when the initial infection occurred. Okay? So yeah, I mean, here's the thing, dude. Like, like we're not going to stop using sort software or SaaS products or any of these other things. So just be mindful of it, fix it and keep moving. All right? All right. I'm looking at chat too.
C
Is the new phishing email. Mandian reports a rise in voice based phishing attacks where hackers impersonate employees.
A
How's this News
C
accounting for 11% of incidents in 2025? Traditional email phishing dropped to 6%. Exploited software vulnerabilities remain at the top entry Point at 32%. Tech, finance and healthcare were the most targeted sectors. With, with attackers increasingly combining social engineering and zero day exploits.
A
All right, hold on one second. Okay, so like, I feel like I'm a pretty chill guy. Maybe not chill, but like, I feel like I'm pretty like inclusive and understanding and like I'm willing. Like my guy, like vishing is the new fit. Like, I don't know, 20 like these like, dude, social engineering village at DEFCON's been doing this for years. Like, what are we talking about? I will say, what's up? Demandiant, right? Like they released the, they release great intelligence. Remember, the M Trends report is Mandiant report. M Trends is. It's a good report. Like, I always forget about it, frankly. But like IBM X Force Report, Verizon Data breach Incident response Report. Mtrends is another like solid report kind of an. Usually it's like an annual aggregated report based on Mandiant. And if you don't know who Mandian is, let me tell you, Mandian is owned by Google now. But like, as far as I can tell, Google just like bought Mandian and then like let them continue to cook. So Mandiant is essentially like the incident response firm for Fortune 500 companies. Like when you see Delta, like, whatever, just to make one up, Delta Airlines hacked like Mandiant will be in the same story as like, who's on the ground hooking it up as far as incident response goes. So that's them. So all. That's a long way to say that this report is legit. They're saying that based on their information, 11 of all incidents. Hold on one second. Oh, they're saying that. Wow. Okay. So they're saying that 11 of all incidents were committed by the comm. The comm is like a gang of different threat actor groups that are like young, like let's just say like 22 plus or minus three years. The most notably scattered spider lapsis and shiny hunters. And they do a lot of phone calling to help desk and get password resets or just threaten the help desk person. 11 is a lot, dude. Like, Mandian, Mandiant responded to a lot of incidents last year. So for one out of every 10 to be these guys, that's, that's something I, I again, for this level of, for this level of attack, this frequency and this impact, you would think that law enforcement is working on something to get these guys. That's the thing. Like, again, I'm not, I'm not suggesting anyone here commit crime. Please don't commit crime. But like, I feel like cybercrime has like a High, well, certainly a high return on investment and a like, low barrier to get arrested. But like, it's, it's when like I feel like cyber threat actors are Icarus, right? Not to be confused with Kid Icarus, arguably one of the greatest Nintendo games of all time, but just Icarus and like everyone that flies too close to the sun, everyone that becomes like the top dog, whether it's lock bit, dark side, like, you know, insert Phobos, right? Like, like law enforcement get you. You know what I mean? They get after you. But like, has. Has anyone seen like, I don't know, like 8 base was a threat actor, group of some. Some success. Has Anyone heard about 8 base getting taken down? No. You know what I mean? Like, like just, dude, greed, bruh. All right. Voice based phishing. Basically vishing is a phone call, right, instead of an email or something like that. And they call. Tyler Ramsby uses this to great effect. He'll call help desk and help desk will be like, hey, this is Cheddar, or this is Wade. Like, can I help you? And then he hangs up. And then he calls someone in the business and says, hey, this is Wade from the help desk. I wanted to like, you know, help you do whatever. And it works. It works over and over again. Educate your end users, educate your workforce. Okay? It's really hard to stop someone from taking a phone call, right? Tell them to be suspicious of anyone calling them or call back, okay? This is evidence to support that. Like this. The likelihood of this attack is coming in. It's going to be increasing. So holler at you. Honestly, you should already have been thinking about vishing and managing the risk of fishing, but let's use this as an opportunity. All right, let's keep going here.
C
Huge thanks to our sponsor Thread Locker.
A
We're gonna have to speed run the back after the show to be so
C
sophisticated if it's allowed to execute. A growing number of security teams are shifting focus from detecting ransomware to preventing execution in the first place. Controlling applications, scripts and installers so unauthorized code never gets the chance to run. Learn more@threatlocker.com oh, wait, it's Tuesday.
A
I thought it was way back Wednesday. All right, hey, really quick, let's do this. I know we're running out of time. I'm going to speed run the back half of the show. I do want to say quick, bro. Hold on one second. Dude, me and Elliot Matice yesterday talking about how our eyes are crap. Here we go. All right. Yo, holler, all you. Thank you first timers. Thank you second timers and thank you long timers. I hope you're having a great show. Coming to you live from Bush Street. Coming to you live from Flatbush, San Francisco, RSA week. Thank you to the Stream sponsors, Threat Locker, Anti Siphon and Flare. Genuinely appreciate that. Shout out to Flair. I'll be having dinner with them later, so. Looking forward to that. I appreciate them inviting me. Guys, every day of the week has a special segment. Tuesdays is tidbits. Tuesday. I don't really have one because I'm kind of dealing with all this here. But what's a good tidbits? I, I guess I don't know guys. What's a fun tidbits? I don't know, I guess I'll just say, you know I, I travel to the west coast periodically. I, I, I, I stay on east coast time. Not because I want to, just because like I do. So like I Woke up at 3:30 this morning which is about 6:30 Eastern Time, which is typically when I wake up normally. So like and it doesn't, I don't know about you guys but like it doesn't matter if I go to bed at like 10:30pm or midnight or 2:00am I still wake up at 6:30am like, like I have a built in alarm clock so it can be tough on the west coast but I'm usually here like grinding and, and you know, working and stuff like that. So yeah, I guess here's the tidbits. Tuesday. As much as I hate sour cream, I don't, I don't like, I love running. I don't think I would like living in San Francisco. The hills here are basically ladders. Like dude, you walk up a hill, it's like walking up a step ladder here. I don't know how you San Francisco people do it. Your, your calves, Phil Stafford, I'd like to see your calves later today. Your calves are probably look like Popeye's arms after he eats a double fist of spinach. All right, we got another first timer here. Hi John the Conqueror. All right, what's up? Welcome to the party. Hi John the Conqueror. All right, let's do the La Las really quickly. Shout out to Alpha Sierra, let's go. And then speed running the back half. All right, here we
D
go.
A
Shout out to the people serving coffee today I'm gonna get to know you. Let's go. LA la. All right. Solid. Solid. Hey, really quick Tech grunt. Tech grunt said, talk about your experience at rsa. I'll just, I'll just say this because I said it last night to the Simply Cyber Meetup Group. To me, RSA is like, it's where people. It's like, to me, it's like the money conference of cyber security. And I don't mean like much like, oh, like money. Like, oh yeah, this is so Gucci. Like, this is money. I feel like it's the money one where like VCs and investors from Silicon Valley congregate and all sorts of people who have like startups in stealth mode or they're looking for seed funding or they're trying to, you know, shake hands and, and like, whatever, make network connections for investment. I feel like that's what RSA is. Yes, there's tons of expos and vendor halls and stuff like that, but I feel like my vibe of RSA is that that's what it is. There's a lot of like, deals going down and a lot of like, networking going on. All right, so that's my hot take on that. All right, let's, let's finish strong. I don't want to do you guys dirty.
C
Initial access handoff shrinks. Mandiant, along with Google Threat Intelligence Group also reports that cyber attacks are accelerating with the time between initial access and handoff to secondary attackers dropping to just 22 seconds in 2025. That's than eight hours in 2022, indicating tighter coordination and automation. Median dwell time rose to 14 days and 40% of incidents involved data theft. High tech firms were the most targeted and researchers identified 714 new malware families. Okay, Russia linked.
A
All right, so here's another, you know, hot takes from the M Trends report with our, our classic, hey, Google, draw me a picture of two sock analysts staring at a bank of monitors. This is crazy though, dudes. So listen, as practitioners, we, this is why we're supposed to stay current on industry because as things change as, you know, you know, threat actors evolve, etc, we have to be mindful of this. This is insane, dude. Initial access a to hand off to a secondary threat group has decreased from hours to seconds over the past few years. This is essentially like, here's what you need to know. The lone wolf hacker, like Acid Burn and crash override from 1995. Movie hackers. Like, that's not what's going on anymore. It's very much like specialized. Like, just like I'm a big GRC dork, right? I specialize in grc. Wade, well, specializes in detection engineering,
C
you
A
know, et cetera, et cetera. Phil Stafford specializes in AI security. Like the threat actors are doing the same thing. And initial access brokers is a whole thing. So, like, it, there's, there's, there's, there's a, there's a market, frankly, for threat actors to break in and then sell access to other individuals. And honestly, once you get the access, that's kind of. According to Hayden Covington, that's like, that's like a, you know, kind of the big lift, right? Because once you have access, you can deploy whatever malware you want as post exploitation. So for it to go from hours to seconds is wild. This has to be automation, right? There's no way that like, threat actor is like, I'm in. And then like immediately is like, oh, I've sold access like that. That makes no sense. So it must be automated in some capacity. Obviously you could see closer collaboration. Yeah, dude, it's, it's like anything else. It's. I don't want to call it like a CICD pipeline, but there's, there's clearly like, instead of buying individual creds, I bet you it's much more like purchasing access to like, like, like repos of like. As creds come in, it's like, right? Like, you don't, you don't buy like, individual shows on Netflix. Like, you just watch Netflix and when they release a new show or when a new endpoint gets compromised, it just appears in the feed and then you take it on like that. So I think they're doing a little bit of creative accounting here with the 22 seconds, but whatever. Most common initial infection vectors, 32% of the time was exploits, followed by 11% phishing. That is interesting. Email phishing only accounted for 6% total. This questions my assumptions, guys. I would have assumed that email was the largest attack, initial attack vector. They're saying it's exploitation. One out of every three attacks is a technical exploitation. Listen, I'm, I'm not gonna like, Mandian's legit. Okay, so this report is legit. I would want, as a, as a, as a healthy, like, healthy question of this. I would want to see the date on this one. They're saying 32. One out of every three attacks in 2025 started with a technical exploit. That seems, like, not accurate. Like, I guess I'll just say it the way it is, right? Like, I get that, like move it software and change health, like all of those attacks are technical exploits, but like, phishing happens all the time. All the time. And they're saying email phishing was only 6% of the total. So I guess either a, we're doing A great job on email phishing protection, or threat actors are not doing it, but, okay, casually Joseph is suggesting that click fix is a technical exploitation. So Click Fix is not email phishing, but it is to me. Click fix is social engineering. You're telling an end user to run PowerShell like that, that you're not exploiting the vulnerability. I don't know. Like, sorry, guys, I. I just like this. This report, for some odd reason, triggers me, and I want to, like, fight the report. Okay. Hey, what's up? Graphic. Oh, by the way, by the way, just as a. A bonus for everybody, last night, Elliot and Matice showed me an infographic that Tesla Motors is worth more than, like, you know, it's the number one valuable automotive company. But then, like, two through five combined does not equal Tesla. And it was like an infographic. It was pretty hot. I'm just saying, you know. All right, so this one's like, okay, I do like blue, but this is dwell time. Just so everybody knows, dwell time is a term that means how long a threat actor is in the environment before detection. So another phrase of this, and correct me if I'm wrong, chat. Maybe I'm. Maybe I'm getting mixed up. Like, meantime to detection is also kind of the same thing. How long are they in there before they get detected? I don't know why we have two terms for it, but meantime detection is a common metric used to assert how good a product is or how good the information security program is. I'd recommend you guys read the M Trends report. Let's see if I can find a link to it. All right, hold on one second. Mandiant. M Trends report. There we go. Of course, they make it behind a paywall, but, you know, there you go. Great. You can see my personal email. There we go. Just go ahead and Men in Black thingy yourself. So you don't see my personal email. That'd be. That'll be fine. Thank you. All right. Hey, everybody be cool. Zach Hill's here. Everybody be cool. Zach Hill's here.
C
Malware operation collapses. Russia linked Android spyware operation Clay Rat appears to have collapsed months after its October launch, following security flaws and the arrest of its suspected developer in Krasnodar. Clay Rat was designed for espionage and remote device control, targeting Russian users via phishing sites and fake apps, mimicking WhatsApp, TikTok, and Google Photos. Researchers at Solar said the malware's failure was driven by technical errors, weak obfuscation, and predictable distribution. At its Peak, over 600 samples were in circulation, but By December, all command servers were offline. Law enforcement is now pursuing its operators.
A
Yeah, hello. Like, listen, I say this all the time. I'm not pro cybercrime, okay? I mean, it does pay the bills, right? We get to show up and have a job because of that. But if you're gonna do it, right, if you're going to become a cyber criminal, you've decided to, you know, listen to Emperor Palpatine and do it. Do it. All right, hold on. That's gonna happen right now, right? Like. Like, you're like, I don't know. I don't know. And then you're like, yeah, you know, I do know. Do it. Hold on. There it is. Like, if this is your inner monologue, do it right. If this is your monologue, you know, maybe simply cyber isn't the right community for you, but let me just give you a word of advice before you leave and, and, you know, turn to the dark side. If you make this decision, you've got to, A, have amazing operational security, B, live in an Eastern European country and not travel anymore, and, and three, get good in laundering. Cryptocurrency, right? This dude just like I, you know, like the. The meme of the kid stepping from step one to like, step nine. Like, it. It's always like, oh, I want to work in cyber security, but not do the f fundamentals. That's what this one did. This guy's like, oh, I'm going all in on getting paid with my malware. And then just horrible opsec infrastructure exposed. I don't know if the guy actually was targeting Russian citizens or Russia's got a. A kind of a quirky element where, like, if you attack Western governments, it's okay, but if you attack Russian ones, you get. You get your door kicked in pretty quickly. So here you go. This is a case study. You know what? It's a win for us. Also, regulators moan up. So if you were worried about Clay, Rat or Android malware, you can rest easy tonight. It's all set. Law enforcement's got it Tech subsidiary hit
C
by ransomware Semiconductor services firm Trio Tech reported that a subsidiary in Singapore which encrypted files on its network suffered a ransomware attack on March 11. That subsidiary took systems offline, launched an investigation with third party cybersecurity experts and notified law enforcement. While it was first deemed non material, leaked stolen data led management to classify it as a potentially material cyber security event. The Gunra ransomware group claimed responsibility. Trio Tech is working with its cyber insurance provider while investigating the full Scope Mazda.
A
Yeah, legrad. I agree. I was saying quirky as tongue in cheek. The fact that a government would like, like low key look the other way of criminals operating in their, in their jurisdiction is ridiculous. All right, two things here. Gunra, ransomware. That's a threat actor group I've never heard of, but they're, they're out and about and they're attacking people. This semiconductor company got hit. This is classic, right? They got hit. The threat actors let them know that they were hit because they encrypted the files. Probably having some operational impact. They'll recover, I'm sure. Like in 2026 if you're not running backups like I, that's like gross negligence, frankly. They've brought in third party incident responders. Another classic one for everybody in chat, right? Like I don't care if you're like a smaller business or a Fortune 500 or whatever. Like you absolutely should have number one, a cyber insurance policy. But with that insurance policy, likely they're going to have retainers with incident response firms. If your business has general counsel, which a lot of them do, or you know, chief legal office or whatever, they're the ones you're gonna have to coordinate with around when do you call in the insurance and when do you, you know, like basically if you're dealing with an active incident, like you're not like, oh, I'm gonna call the insurance company now. Like normally you deal with that after things get cleaned up, but in situations like this, you want to get the insurance people involved ASAP because that will execute the rider to get that third party incident response team to deploy to your business. Don't, don't, don't do it alone, right? If you're not a trained incident responder or digital forensics person and you're just like muddling about, you could cause more damage than good. This is what these people do all day, every day. One other thing to point out. Oh yeah, look at this again, I don't research or prep for the show, so I don't know what's going to be in the story. But the subsidiary is working closely with cyber insurance provider to support the investigation. This is exactly what I'm saying. Like if you don't have cyber, cyber insurance isn't just a claim to get you made whole financially after you, you know, had a, your, your face kicked in, right? It's supposed to help you through the incident as well as recover after the fact. So really in that respond and recover phases of the NIST cybersecurity framework. I do find it slightly comical that this company released a report saying that there was no material data released and then after the threat actors leaked data that would suggest otherwise, they then said there's potentially material information released. Like way to hedge your bets, you know, lawyers or whatever they do. Anyways. Okay, let's keep cooking. Oh Jesus.
C
Discloses security breach Mazda Motor Corporation disclosed a security breach detected in December that exposed 692.
A
We're going to speed run the rest of the partner stories because of the
C
attackers exploited a vulnerability in a warehouse management system for parts from Thailand which contained no customer data but exposed information including user IDs, names, emails, company names and partner IDs. Mazda says it strengthened security, applied patches and increased monitoring and no misuse has been reported. No ransomware group has claimed responsibility.
A
All right, all right, hold on one second. It looks like Mazda third party risk is supply chain vendor got compromised and now Mazda. Here's another sucky thing, right? It looks like Mazda did nothing wrong. Yet the story is Mazda discloses security breach when it's like a third party who had Mazda data. This doesn't impact Mazda as like the manufacturing and producing of cars. Shout out to Mazda had one of the most like they had like this marketing campaign back in the 90s with the kid said zoom, zoom. Like that thing stuck with me forever. Also I had no idea that Mazda was the largest auto like Japan. One of the largest in Japan, dude. Nissan, Toyota and then Mazda's just kicking in at $24 billion. Like way to go Mazda. I don't like their cars. Personally I wouldn't drive a Mazda. I mean I'd also not walk. I would drive a Mazda before I walked somewhere. But given the option between a Mazda and like a Buick, I drive a Mazda. Actually here's a tidbits Tuesday for no reason I hate Buicks. All right, Some Mazda got punched in the mouth. They'll be fine unless they have like a Land Rover Jaguar type situation. But for the most part it seems like they're just working through the process of incident response and moving on. Okay, let's go
C
in. AI powered security at RSAC Security leaders from companies including Google Cloud, Vodafone and PayPal said that traditional human AI oversight does not scale for modern cyber defense. Instead, they favor automated AI driven systems with humans on the loop for guidance and risk evaluation. Execs emphasize that AI is already widely used for tasks like fraud detection and workflow automation. But data security, prompt injection and governance are new risks. The consensus AI security needs strong Data controls, clear risk frameworks, and industry collaboration with humans, shifting from direct control to oversight.
A
Okay, so first of all, she said human. Human on the loop. Phil Stafford, can you chime in on this one? I have not heard human on the loop. I've heard human in the loop. We are getting. Okay, I. I've said this in the past. I. I will also point out that nobody. Nobody at the Simply Cyber meetup asked me for my. My take on AI, So I didn't have to disclose that. Catch me at Black Hat if you want. So we've gone from human in the loop to human on the loop. So that's a term I'm going to. You could have. I could have written this playbook. I could have written this story, like, two years ago. It's all about straight cash, homie. This is all about money, right? Labor is the number one expense, right? Like, when businesses are struggling, they fire people, right? It doesn't mean that you're bad at your job. It means that they're trying to save 100 grand per head. It's simple. Honestly, it's actually simple for business leaders to, like. They're told, like, hey, you have to save $1 million off your budget. The easiest thing is to look at labor and be like, well, we're just. We'll just give all of this responsibility to this person. Now. AI can do it. And they. They even scare people by saying, your competitors are moving faster with AI Than you are. You're going to be left behind. So, you know, what choice do you have? Get in there and start dinking around. The problem is doing it recklessly, not knowing what you're doing, non human identities and. And all that. Like, I'm doing. I'm going to be releasing a lot of content on Simply Cyber because I'm interviewing a bunch of people with Cisco. But obviously, AI is a. Is a. Is a conversation in there. In fact, I have a video that I dropped. It dropped at 8am I think it dropped an hour ago. I did. I. I'm Ron Burgundy. Hold on one second. Yeah, look at this right here. I just. This guy right here. Oh, you can't see what I'm doing. Hold on one second. Look at this. This guy right here. Manager. This dude's a senior vice president and general manager over security at Splunk. All right. Like, I got to ask this guy about agentic AI and community based agents and all this other stuff. So, like, the. The conversations are going on, unfortunately. It's a slippery slope, guys. Like, we could have a much Bigger discussion. I actually asked Phil Stafford last night if he would come on Simply Cyber Firesides to talk about AI for us, since he and John are our resident experts. So we're going to do that. But, you know, for the sake of time, I'm going to go because I'm. I'm screwing Eric Taylor over right now by eating into his Jawjacking time. So give me a second. All right, guys, I hope you had a great show. We will be doing this again tomorrow live from the. From the, you know, San Francisco Overflow Studio. I want to thank you all so very much for being here. If you are at rsa, come find me. High five. I'll be on the expo floor this morning or later today or whatever. And then, yeah, have a great day. I leave you in the capable hands of Eric Taylor for Jawjacking. If you have questions, get answers. I'm Jerry from Simply Cyber. Thank you all so very much. And until next time, stay secure. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered, and totally free. Let's level up together. It's time for some Jawjacking.
D
Good morning, good afternoon, good evening, wherever the world you are. Welcome to Jawjacking. As Jerry said, name is Eric Taylor. I'm here to answer your questions. What if you're new here, quick question or quick in chat, let me know. I. I was having a little bit of audio issue with my microphone. Everybody hear me? Let me know in chat if Jerry's still in the background, if he can give me a. A. Yep, I know it's a little bit of delay. It looks like it's working, but anyway, I'll carry on. So if you're new here, don't know how to ask a question, simply put a Q, colon mark in there because I do A control F, and I type those in to find your questions. In the meantime, if you're an old beard like me, you may remember rechargeable batteries. Right there were the huge. The huge rage way back in the day. You would. You would go and put them in his big machine and it'll recharge your batteries and all that stuff. Well, I found something recently that is very, very interesting. And I'm not sure how long this has been around, but this is a rechargeable battery. And if I can get it to zoom in, do you see that little hole right there? That is a USB port. So literally, you can have a Little small dongle and it plugs right into the side of it. And the trip AAA's are a little funky because if you can see, I'm not sure if it's gonna show up, but it kind of. It kind of goes in at a tilt there that might actually show a little bit better. So I thought I was messing them up because they weren't going straight in. They go at like a. Almost like a 30 to 40 degrees angle to the side of it. And I was like, man, the double A's work well, you know. So I went and got some the other day and they're just an Amazon special. I don't know, Carnea. So, you know, I got two, two packs of double A's, two packs of AAAs because like my front door use those double A's. And we got a bunch of stuff that's around the house that used combination of double and AAA's and stuff. And I thought this was really cool because I can't tell you, like, for those who know, every once in a while I'll power this thing up, my Xbox and play like two rounds of Zombies. Because that's really the only thing I have time for if I actually get a chance to play. I think I haven't turned it on in like two months. So, you know, it's kind of like a plant thing. I know Jerry was talking about it, you know, powering up your Xbox, your PlayStation, let it run its updates in the morning so that way you'd be able to play at night. Because otherwise you're watching the update screen go for a long, long time. And. Sorry, I got a lot of notifications going on right now. But anyway, the. So that, that's something cool. I see ER Net 100 talking about USBC 9 volt. That's pretty cool. Like I said, this thing may have been around for a while, you know, and I'm just now getting up to the. To the tech of that particular thing. This goes to show you, even some of us old beers, we're very, very advance in certain things. But there's a lot of stuff we just don't know. Right? And I do see a couple questions coming in here and I also need to open up Discord. All right, cool. So mods, if you're watching, I am in Discord. Let me. My computer has been so funky today. So, so funky. Now I know for a fact I could have swore I just saw A couple questions. Why. Why is my search not working? Why. Why do I gotta go old school? I thought I saw questions. Do I have the wrong chat up? No, because Roswell UK was right there. What is going on with Restream? If I had a rant, if I had a ransomware, I'd name it Slammer. Yeah, that's pretty good. Let me close my chat window out. Let me reopen. Well, I do see one pin. I'm not sure if. I guess Jerry did that in the background. If you're there. Thank you for that. Maybe that's why I couldn't find it. Do you think Shiny Hunter targeted Crunch Roll or do you think they hit Telus which took what they. And took what they could take. So that one's an interesting one. So Shiny Hunter has, I don't know, There's like, I gotta be careful the way I say this. I gotta be real careful the way I say this because there's a lot of tltp, TLP red stuff. But from our understanding, they are, you know, lapses, scattered lapses. Shiny Hunters, Shiny Hunter, Lapsis Hunter. Like all those variations are the same people or person. They are known for buying access through or gaining access through social engineering or phishing. If what we know is true, Again, this is pure speculation, but if we what we know is true, then they targeted Crunch Crunchyroll because you know, they are doing it for the ls. They're doing it for max damage, max impact, things of that nature. Now if we were talking about Clop or something like that, then we will be saying that would be because of a mft. Sorry, a Managed File Transfer Application cop is very, very known for that. But we do think there are some people in the CTI community that do believe that Shiny Hunter, Scattered lapses, Shiny Hunter, whatever you freaking want to call or they're going to go by this week. And literally they keep changing their names in Telegram and going by different names and stuff like that, claiming to be the same people. You know, we don't know if this is just a bunch of op tech stuff or what, but they, they definitely have the same communication styles. So it's going to be. Long story short, I do think they targeted Crunchyroll is my suspicion. Jerry in the background. Thank you so much for pinning these, but I do greatly appreciate you. From Love and Peace 33. Is it a security risk to run a second router in a home network through the first? Any suggestions to mitigate the threat in. In a simple setup like that? Okay, so no, there's no apparent security risks in that aspect. Man, I'm really digging this. Shopify Music however So what we have done in some situations in home networks, we will put a 40 gate Apollo out at the edge and it'll be in what's called transport mode. So it's going to scan everything before it hits the secondary router, your primary router inside of your, your network. So let's just say hypothetically a lot of organization or a lot of people will have remote users, but they have a, you know, a TP link or a Cisco or Netgear, a Cisco Netgear router or something like that. And they're really worried about the security on those things. So they will put in a router or a firewall in front of it and put it in what's called again transport mode. It would still inspect, it will still do the blocking and everything like that. But you have a greater visibility from a security standpoint. For those remote users. It is not feasible to do it on all of it because we have a lot of organizations that have over 200 remote users. But for the executive team, for the remote places, things of that nature, it does become a thing. But in terms of security, when you're putting in a transport mode, typically you have 2, 2 static IP addresses from your ISP, if they allow that. If not your bottom, find a block of five, you're routing those in. So your edge device, your Palo Alto, your Forte gate, your Cisco, whatever is on that edge that's in transport will take up one IP address. Your secondary one that's going to be internal, is going to be your second take up your secondary IP address and both of them are essentially exposed. Both of them are potentially vulnerable to any potential 0 days configuration errors, things of that nature. So an argument can be made that you are able to expand the threat landscape of the environment inside of there. Right. So instead of worrying about one specific device, you're now worried about two devices. Hopefully that helps. If you need further information. Definitely. Let me know. Okay, sorry, from Ellipsis. What do you think gets missed when reporting cyber risk to leadership and vulnerability management perspective? Business, real business impact. So being able to articulately say this vulnerability, if exploited, will bring down and lost productivity and revenue by three times. Yeah. So being able to understand, okay, this is real world conversations that I have or is a business more concerned about their data or their production? And literally, you know, you can say, oh well, we're a, a professional services company, we, we do accounting or we do this better one, we do graphic design for, let's just say AutoCAD or SolidWorks or something that'd be a good one. So data is important for those type of companies, but also being able to do their product, AKA you know, deliverable of a CAD file for production, whether internally or going off to somebody else, you know what is more important for them or is it both? And being able to figure out what the business is worried about in terms of data restoration and what is an overall hourly cost to run the business? Well, let's say Hypothetically you lose 100k a day in resulted downtime. Divide that up by hourly and by the minute whether you want to do it for a 24 hour cycle, 8, 2012, whatever the case is. And it's like okay, that is your number of expected or a downtime in terms of an organizational impact. Now knowing that information going through the vulnerability management, not all vulnerabilities are considered the same. And you know, I created the EPSS lookup tool site. I didn't create the algorithm, but definitely the site and expanding it as much as I can if I've got another release coming up that I finally worked on the bug. But you know, let's just say hypothetically there is a PHP or Java vulnerability, right? It's a 10 out of 10 must patch. Now okay, let's just say PHP for the first instance the you don't have any PHP that is running publicly, okay, it is a 10, 10.0 on the CBSS score. It does need to be patched, but it's not on the top of your priority list because it's not publicly exposed. So being able to pivot and say okay, these are the ones that are publicly exposed that need to have a higher severity internally in terms of patching and then taking what we did for the exercise like okay, if this was brought down, this is you know, number three in the, the process of being able to get work done. Let's just say hypothetically the PHP server was for, you know, a website that was taking bid requests in and submit, doing the submittal process. You know, if you ever work with Gov contracts and stuff and you're filling out your information, your, your, your requirements and then step three, your submit, your uploading, your submittals, you know, PDFs, things that nature, if that phase was broke, that's going to break down everything, right? You see where I'm going hopefully and being able to have those type of conversations and a meaningful impact of, you know, this vulnerability will cause this problem if exploited and result in this much per hour of downtime in case there was an exploit or brought that system down, right? It's a much more nuanced conversation than just saying, hey, we need to patch all this crap. You do. But there is a lot bigger conversation and being able to articulate that to the executive team does require those type of insights. Hopefully that helped you. Let me help you out there, Jeremy. Doing your CPE check. All right, let's see. All right, I'm not seeing any other questions coming in. Is there anything you guys want to talk about? I mean, we have a few minutes left and I would run over if I did not literally have so many calls right after this. Just going through check chat here. I'm not seeing anything. All right, ladies and gentlemen, well, if y' all don't have anything to discuss, I guess we can bow early and let everybody get their their day back. I do appreciate those the hung out and chatted a little bit. Hopefully I answer your questions in a meaningful manner. I will tell you though. Oh, I do see something from Haircut Fish. Let me find that one. Oh, they're getting put over the pin. That's why I can't find them. Thank you. Do you think Sock or GRC is more entry level friendly? Oh, my gosh. To be honest with you, I don't know much about DRC except I hate doing documentation. So again, you know, hats off to people who do grc. You make my life easier because I can just do mind dumps on you and you can help me create the policies that I need to create because I hate doing it. And that's why I give Jerry so much hard time because he loves GRC and I hate documentation. If you're new here and always wondered why I gave Jerry trash, that's kind of why. But I honestly, I think either one of those fields, honestly, have plenty of room for entry level. Right? Because I mean, soc, you're not going to be able to go into. I mean, there's entry level SOC Analyst 1 and you have internships and I know, I've seen GRC internships. I know for a fact I've seen those. So I honestly think either one is just which path do you want to go down? You know, do you want to be, you know, hands on threat hunting? Is that your vibe or are you more of like a Jerry and some of the other people that are in, in the chat. Do you love creating policy? Do you love doing that document documentation stuff? You know, that's where the real decision comes in. Again, I know there's been entry level positions I've seen for some reason, you know, posting stuff on LinkedIn for hiring. LinkedIn will be like oh well you've got, you'll be excellent for this role. I'm like we're hiring. Why am I trying to look for job LinkedIn. Get out of here with that mess. But anyway, I digress. The I, I know I've seen GRC in level one and Internship so I think either one is fine. It's just again it. I honestly think from what I know of grc, if you are more of a hands on threat hunter and you want to go down that path and you get into grc, I mean you could try it if you want to but I, I'm. I'll fear that you may not like it and vice versa the same way. Right. You know, you know if you really are a documentation, you like creating policy, you like, you know, you know, being the man to enforce it type of thing. Right. You know, but you're over there hunting evil in Sockland. I don't know if you'll, you'll really enjoy it. So that's be the first question. If I woke up in your shoes I would do is I would figure out which one I was more in lined with. Any experience with UAS or UAV ransoms? Are you listening to my conversations recently? Seriously dude, not ransom, but we are getting into drone and autonomous, some autonomous system forensics. We've been. I can't say too much but there's a lot of maritime things going on. As you could probably know in the news there's a lot of fear of unmanned drone surveillance, things of that nature. And you know I've shown on we do work in coordination with certain three letter agencies from of time. Now this would be another collaboration. I'm not being hired by three letter agencies just to put make that clear but there is some collaboration going on with some three letter agencies in the maritime space that we are being asked to come in with one other very large firm and help do a lot of potential forensics for aerial devices that have been recovered and to see what's going on. So I do think on our barricade channel we will be diving into some like dg, DGI forensics, things of that nature to help showcase because I do think it is a interesting land to be in and interesting forensic information. The real problem I have right now is that you can't get DJI shipped to the US and I don't want to take my existing DJI's and do forensics on them. You know they're play toys. Right. So I am exploring ways to overcome that hurdle. I have some very interesting ones that we may be doing. So. That's all. That's all I'll say about that. All right, ladies and gentlemen, thank y' all so much for tuning in. We are at the bottom an hour. I do greatly appreciate it. And stay tuned. I know I'm gonna run over for a second, but I know Jerry has teased this out a little bit. Me and Jerry have done some basic talking in the background and stuff like that, but looks like there's some new people coming to jawjacking here soon. Great. I don't know who. I think that's still in the works, but I am very, very excited to see who may be coming soon. You know, I do love hanging out with each and every last one of y' all and giving y' all my perspective of things. But, you know, sometimes it's good to have different blood. It's good to have different perspectives, right? The one thing I want everybody to know and always think about whether it's just jawjacking or anything. And this is what I'll leave you with. No matter what your personal belief is on, pick any subject in life, always try to listen to the other side. You may be able to pick a perspective that you didn't think about before and may change your viewpoint on any set topic. And that's not a political thing. It's just a life thing. Let's just say, hypothetically, you think your Centipede grass is the best thing on since sliced bread, but your neighbor thinks St. Augustine is the same thing. Best thing since sliced bread. Try to learn a little bit more about it. You may find maybe they are right or maybe they'll find that you're right. But go out there, make conversations, learn different people's perspectives, and advance yourself. That's the biggest way you can do it. And that goes to answering your question, going out and asking questions as well. Anyway, I'm running over. I'm yammering like nobody's business. I do greatly appreciate it. Hopefully. I know we're gonna be on at least one more week. I'm not sure how much longer into April until it kicks in, but I am excited for it. Definitely looking forward to. To the. The changes that are coming to the channel. But until next week, y' all stay curious, my friends. Catch y' all there.
B
Hey, everybody.
A
I hope you enjoyed that content.
B
Keep the cyber security train going by connecting with the other Simply Cyber community resources. We have the Discord server that's lively and always keeps the conversation going. You can connect with me directly on LinkedIn. And also every single week weekday morning on the Simply Cyber channel, we're doing live daily cyber threat briefings 8:00am Eastern time, as well as Thursday at 4:30pm we're doing live stream interviews with industry experts and we produce videos that we push out every Wednesday morning. I'm Jerry from Simply Cyber. I hope you enjoyed the content and we'll see you in the next one.
Date: March 24, 2026
Host: Dr. Gerald Auger, PhD
Podcast: Simply Cyber Media Group
This episode, broadcast live from San Francisco during RSA Conference Week, delivers an engaging breakdown of the top cyber security news stories shaping the industry on March 24, 2026. With actionable advice, technical insights, and real-world context, Dr. Gerald Auger dives into each headline while engaging the Simply Cyber community. The tone is upbeat, candid, occasionally irreverent, and loaded with practical wisdom for security professionals and aspiring cyber practitioners.
[13:16]
[18:53]
[29:22]
[36:28]
[46:35]
[53:31]
[56:16]
[60:01]
[61:57]
[66:29+]
This episode blends expert news analysis with relatable humor and authentic community camaraderie. Hot takes are balanced with practical, experience-based guidance. The key threads: Stay patched, stay skeptical of security product hype, watch evolving threat actors and attack patterns, and keep building your network and knowledge—especially during conference weeks like RSAC.
Useful Links Mentioned
This summary reflects the conversational, insightful, and engaging tone of the Daily Cyber Threat Brief, episode 1095. It captures news takeaways, strategic advice, and the energy of the Simply Cyber community for anyone who couldn’t listen live.