Loading summary
A
All right. Good morning, everybody. Welcome to the party. Today is Thursday, March 26, 2026, episode 1097 of your Simply Cyber Daily Cyber Threat Brief podcast. I AM your host, Dr. Gerald Ozier, coming to you live from the Buffer Osier Flow Studio. Having slept in my own bed after a long day of travel yesterday, if you are looking for the answer to the question, how do I stay current on the top cyber news without it, or being boring without it, you know, grinding me, I know I'm supposed to do this, but how? How do I do it? Look no further, my friend, because you have found the answer. Open up the top of the crate. See the glowing light. Just immerse you. Simply Cyber's Daily Cyber Threat Brief. We're going to go through the eight top stories of the day. Of course, we'll cover the headline itself, but then I am going to take out a Minecraft pickaxe and. And just go ham on the story, getting into it, putting it on like a pair of pants, and letting you know way more on how you can use this information to better your cyber security program, to elevate and accelerate your own career development, and how you can be the absolute boss at work and in your career. We're going to do that. We're going to have some fun. Of course, I'll be joined by the entire Simply Cyber community, which, by virtue of you being here, you qualify. You don't have to identify as Simply Cyber Community member Team se, but you have the option. We're all about options here at Simply Cyber. Let's get going, get settled, get your coffee and let's get ready to cook. Yes. Good morning, everybody. Welcome to the party. I'm so excited to be back at the Buff Rosier Flow studio after being in San Francisco. Good time at RSA this year. I will say I had a better experience this year than I had last year. What's up, Marlon J. Good to see everybody. If you're regular in chat, do say hello. So many regulars in there. It was great to spend some time with Simply Cyber Communities. Sunshine, Quan, Phil, Nick, Nick and Nick. And The Apple podcast, 1.5 speed. So good. All right, guys. I absolutely love it. Hey, listen, Every single episode of the Daily Cyber Threat Brief, including this one, is worth half a cpe. So say what's up in chat. You will appear in the show. This is live chat right now, 8:03am Eastern Time, made March 26. You're here. Snark Dog. Snardong. Snardong. Hey.
B
Oh.
A
Say what's up in Chat, grab a screenshot for your own evidence file collection and once a year, count up those screenshots, divide by two. It is an hour showing one hour equals one cpe. But I'd like to not mince words or, you know, get into a, you know, argument with an auditor. We have a lot of fun on this show. So you could argue half of the show is not educational. Instructor Wed Webinar well, that's fine. We'll only take half a CP. We have so many CPEs for days that if you do it every day, you get 120 a year, which exceeds whatever you would possibly need. So from me to you, don't sweat it. Grab a screenshot, file it away. Thank you very much. Now, if you're here for the first time, you picked a good day because I was doing it from the room, I was doing it from the hotel room on a mobile studio with a whole new configuration last couple days and it's been a little, a little dodgy. But we're here live at the Buffer Osier Flow Studio. Retro synth waves on a big old tv. The lighting is crispy, the microphone is crispy, my fried chicken is crispy. So welcome to the party. For real though, if you are here for the first time, let us know that you are here. Just jump in chat hashtag, first timer. If you're LinkedIn or YouTube, you can drop a hashtag first timer. I'll call you out, recognize you, play a special sound effect and the Simply Cyber Squad members will make it rain. John McLean. That's right. Bruce Willis's phenomenal character John McLean from the Die Hard series properly welcoming you to the party. Such a, such a classic line. Oh, hold on, that was a misfire. I guess AI is in the chat, I suppose. All right guys, what do we got? We did our cps. We did our first timers. Oh, every single day of the week has a special segment, right? Because we like to keep it light and fun here and Thursdays has long been. What's your meme Thursday from Dan Reardon, AKA the Haircut Fish. Now you may only know Dan is that phenomenal speaker at Anti Siphon Sock Summit yesterday, but he is a multi talented, magic playing, meme making, karaoke singing boss. And every Thursday he makes a meme. So stay tuned for the mid roll. He's got a. He's got a good one. I don't censor it. I do like this leaks. I think it's fun. Now before we get into it, I do want to say, oh, there's no music, no sound effects. All right, well, that's a problem. I've been listening to music this whole time. Marcus Kyler. Let me see what's cracking here. All right, here we go, Marcus. Here we go. First timers, welcome to the party. Welcome to the party. All right, get back. All right, now we have music. Now we have sound effects. Thank you. Marcus Kyler. Marcus Kyler. Modding from. From chat. My man. All right, dude. Let me say shout out and love to the stream sponsors, those who enable me to bring bring the heat to you whether I'm on the road or here at the Buffer Ozier flow studio. Starting with anti siphon training. They're doing sock training today. If you like the sock summit series yesterday, you can get in on some stock training. I don't know if this is still open for registration, honestly, because the training typically, you know, there's like prerequisite information like, oh, get this, VM stood up, make sure you got things cleared out. But if you're looking to get some training, maybe your schedule changed, you were supposed to travel and it got canceled or whatever. There is live training today, all sorts of opportunities. This is the actual speaking summit schedule. So what's the actual training? Here's the training, guys. Cyber security, incident command, network forensics, securing the cloud. John Strand himself is doing sock core skills. Hayden Covington, sock detection, engineering. Guys, this, this lineup is like a slugger's ball of amazing opportunities and education. And by the way, like $575, like, if you're paying for that yourself, that can be a bit pricey. I definitely understand. But like, when you're talking about corporate training budgets. $575. Like a business. Can pencil whip that? Like, I'm just saying a lot of businesses, like, you don't even have to go get man like senior approval for that level. And anti Siphon knows that and does that on purpose so you can cut through the red tape and get that training. So if you're interested in getting some training, go toantisiphontraining.com. appreciate what they do. They definitely inspire me with simply cyber Academy. I also want to say holler to flare Flare Cyber threat intelligence platform is definitely high quality. And if you're interested in learning about the dark web and more importantly, like, what dark web threat actors are currently targeting your organization, like right now? What. What are threat actors talking about? Your organization. Do you have endpoints that have been compromised in your environment? Do you have an active incident that you don't know about? You can find out potentially with this tool which does dark web crawling, it's absolutely a bomb tool. You can get a two week free trial right now. Go to Simply Cyber IO Flare to check it out. Simply Cyber IO Flare. I just want. Here, hold on, I'm putting the link in chat. You can click on it. Here's my thing. With SimplyCiber IO Flare, you get a two week free trial. So it's absolutely cost $0. It doesn't install. Here's another thing, they don't install anything on your endpoints and you don't put any data into it. Right. As far as like uploading your own data. So as far as like governance, risk or policy violations for your business, there really isn't any unless you've got some really bizarre policies at your work. So you, you right now, you can go sign up for this after they validate that you're not a criminal or you know, cyber threat actor. Because the data in there is wicked valuable. Once they do that, you get in there and try it out. No po, no cost, no expense, no hard sales techniques, anything like that. You just get to see the value of the platform. I'm telling you, I've used it. I love the platform. I think it's incredibly powerful and very, very easy to use. All right, thank you very much. Flair. And then of course Threat Locker, as always, preferred partner. Been working with Threat Locker for years. Really like to see what their product's doing. I swear to God, I, I, I don't have any inside information on this, but I have to imagine that Threat Locker is going to IPO at some point and it's going to just be like, like turning on a fire hose. They've been securing the endpoint with application, you know, deny by default application. Now they just released the cloud option. Threat Lockers putting in the heat. Let's go ahead and read an ad roll when I come back. Gonna melt your face. Remember, first timers drop a hashtag. First timer in chat. Let's go. I want to give some love to the daily Cyber Threat brief sponsor. Threat Locker do zero day exploits and supply chain attacks. Keep you up at night, worry no more. You can harden your security with Threat Locker. Worldwide companies like JetBlue Trust Threat Locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance, visit threatlocker.com DailyCyber. All right, all right. Just going ahead and inviting your jawjacking host to the Restream studio. All right everybody do me a favor. I didn't see any first timers but if you get in here late, let us know. Net setup. I agree with you. Today is going to be great. Guys, do me a favor, sit back, relax. I've got my cup of coffee. Hope you have yours. And let's let the cool sounds of the hot news wash over all of us in an awesome way. We'll see you guys at the mid roll. Let's cook.
B
From the CISO series, it's cybersecurity headlines.
C
These are the cyber security headlines for Thursday, March 26, 2026. I'm Sarah Lane. Torg Grabber targets Crypto wallets A new infos stealer called Torg Grabber is targeting more than 850 browser extensions including 728 cryptocurrency wallets along with password managers and two FA tools. Researchers at Gen Digital says it spreads via click fix attacks that trick users into running malicious PowerShell commands. There are hundreds of new samples and weekly C2 infrastructure updates and it now uses HTTPs via Cloudflare for data exfiltration to steal credentials, cookies, crypto wallet data and files while using evasion techniques like in memory execution, encryption bypasses and anti analysis protections.
A
I love it when the reporters like they're doing their job, they're reporting. Just funny how like sometimes the things that they choose to spell out as acronyms but you know it's coming across an HTTPs connection. All right, so the Torg grabber, if you are, you know, using crypto, crypto wallets, crypto all the things, this is something that is in an increased level of interest for you. That's what it's going for. Now this particular one is stealing data from 850 browser extensions. I don't know how many browser extensions there are in the Chrome store, but that's quite a big footprint. 850 with 700 of them being crypto wallets. Again, I don't know why there has to be so many crypto wallet apps. Like what? How are. I'll have to ask Jay. Crypto, like how are they innovating? Like why? All right, so click fix techniques as initial access. Worth noting. Click fix, very, very popular technique right now as far as compromising end users and victims. And please remember that your end users and victims in your organization are not technical. I actually had a question, a question. I had to talk with Andreon or Andrea. I. I wasn't quite sure how she said it. Andrea or Andrea. I saw her name tag. We had a conversation for a while, okay? But Adrian Bergeron over at Flare, and, you know, she pointed out, she's like, listen, like opening a command terminal, like just opening a command terminal, like Windows key R cmd enter, right? Or just Windows key terminal and hit enter. Like getting the black box that is considered technical to some people, right? Just popping a shell on your own box. So keep that in mind when we're thinking about, like, how obvious it is some of these things. Click fix technique, you know, victims, the entorthias of the world, they don't know what PowerShell is. They don't know what a Windows run dialog box looks like. All they know is what a captcha is. They know that they're supposed to move the puzzle piece around. They're supposed to click on the bicycles in the picture. And that's what they need to do in order to get to the thing that they're trying to do for their job, right? So if you tell your, you know, a direct report, hey, listen, I need you to complete this work by today, whatever this work is. And they're trying to get this work done and they have to go through a captcha. They're going to do it because they're trying to get their work done. All right? So definitely always keep that in mind. That's why we have to be empathetic to our end users and not judgmental. Please don't be like, oh my God, you are so dumb. You are really dumb. For real. You will be doing negative impact to your end users and your overall risk profile if you are passive aggressive, annoyed, irritated, mean belittling of your end users. So quick fix technique is one that you need to focus on for. For those who don't know, click fix is basically popping open. You know, when you go to a website, you get some type of captcha threat actor controlled, and it says, oh, hey, just to prove you're not a robot, go ahead and hit Windows key R control V. Now They've posted a PowerShell command to your clipboard already and you're basically executing PowerShell under your own permissions. Now, a lot of ways to prevent this or protect from this. Number one, educate the crap out of your end users, okay? Educate them. Show them what it looks like. Show them what not to do. Show them what Windows key R is. That's an administrative Control from a technical control. Disable the execution of PowerShell for non privileged users. Boom. Tough act. And 10 act. And you can go ahead and jam that into your environment 3. I mean, if you look for, look for PowerShell command executions in the logs, right? You see an endpoint running PowerShell. Maybe we should investigate at least a detection, maybe not shut it down. Okay, so let's assume that click fix happens even though you've done all of the training. Let's see. Torque Grabber has 334 unique samples compiled. Sure. All right, really quickly, David Bianco's Pyramid of Pyramid of Pain. This is another, this is another one that everybody should be aware of. If you don't know, I'm glad I'm the one who's teaching you. This is David Bianco's pyramid of campaign. Well recognized, quick little graphic in our industry. I know it's pixelated. And if you're listening on the audio podcast, just Google David Bianco Pyramid of Pain. The further up you go on the pyramid, the more frustrating or difficult it is for a threat actor to change this indicator of compromise. You'll notice the reason I bring this up is because the bottom value, the easiest thing trivial to change is the hash value. Now really quickly to back up a hash value is a one way mathematical functional output, right? So you do some math on a file and it pops out a unique fingerprint, all right, which is like a long 256 character hash. Okay. If I, if I take, you know, say I send you a file, okay, Right. Say I send you a notepad, right? Everybody's used notepad, right? Notepad Exe. If I run a hash on it, I'm going to get some unique value. And then if I send it to you and say, hey, this is the notepad app I'm using. You should run the, that if you run the hash function, the math function, you will get the same exact fingerprint. Exactly the same. That's how we confirm that the integrity of the file is still intact. And honestly, it's how security researchers can talk to each other too about doing work and make sure that you're analyzing the same file here. This is where I like to get my malware. Malware bazaar from abuse Ch. Oh my God. What was this one? Find which basket the ball is moving towards. Joe, this is a interesting cat. Come on, man. Is this real? See what I mean? No wonder people want to fall for Click fix Click on basketballs. All right, look it, I'm just looking at a regular piece of malware here. And you'll see right here on stream we have a shot 256/, a shot three 384, which is new to me. SHA1. MD5, the old school MD5. These are malware hashes. Okay, so going back to this, they're saying that the torque Grabber malware has 334 unique samples, which basically just means there's 334 different hashes. Again, because it's trivial to change the hash. All you have to do is modify the file in some way, add a space to it, add a comment, do anything, and it'll change the fingerprint. All right, so basically, signature based anti malware detection is not going to work. That's why we use behavior based malware detection. Right? Fall Riva. What's up, Jason? I like Fall River. Fall River's near my old stomping grounds. Not that I really went down there, but I always think of Fall river as like. Never mind. All right, dude, it steals data from 103 password managers and two factor auth tools. Gross. You do not want this on your machine. All right, let's look for indicators of compromise. Holy crap. It injects a DLL reflectively into the browser to access Chrome's Comm Elevation service. Not a trivial. Not a trivial thing. Here's the deal. DLL reflectively into the browser to access Chrome's. Chrome's Comm Elevation service. Okay, I mean, that sounds fancy and cool and it is, but remember, they don't like the. The user is down is executing initial infection. So, like doing all this. This is more so anti malware doesn't really detect it. Less about getting in there at this point. They already own your machine. All right, so there's got to be IOCs for all this stuff. Let's scroll down and find the IOCs. Of course, they don't have any. Awesome. All right, Torg Grabber IOCs. Okay, here we go. Give me some. Give me some IOCs, baby. All right, I guess we'll just. This is from the blog of the website that actually did it. I'm going to look for the term ioc. All right, here we go. IOC repo for. Oh, this is cool. Here, I'm going to drop a link to this. This is. This research the IOCs for all of the different malware that this group has studied. Awesome. I'll go down to T for torque grabber and. Wow, this is great. Yeah, look at all this. This is nice and clean, dude. You can. You could export this out quite easy. Well, not super easy, but who are these people? I haven't heard of these people before. Gen Digital Inc. Gen Digital Inc. Like, way to go, dude. You're fire. I love it here, I'll drop a link to this. You can go thread hunting in your environment. You can put in. Put this into your anti malware solutions or you know, configure your EDRs, maybe put it in your firewall, block those IOCs, but nice job, dude. You don't normally see it like this. This is like, to me, this is like, this is like Pirelli tires run flats, you know, just super clean. Really nice. I was listening to Big Time or still fly before we went on live. And I love tribe, right? So, you know, the Pirelli wet tires make it look wet. Okay.
C
Team PCP Backdoors Light LLM thread actor team PCP compromised two Python package light LLMs via a tainted Trivi dependency Injecting malware that steals credentials, spreads across Kubernetes,
A
clusters and installs kubernetes. Don't be shy. You can continue to talk, please.
C
Persistent backdoors. Researchers at Endor Labs and JFROG say the payload executes automatically, harvesting SSH keys, cloud secrets and crypto wallets, then exfiltrating data and deploying backdoors across infected systems. Maintainer Barry AI and the Python Packaging Authority warn users to treat affected environments as fully compromised and rotate all credentials. Researchers say the campaign may involve collaboration with Lapsus.
A
All right, a couple things here. Number one, I saw Tasha in chat about to go driving. What's up, Tasha? It's good to see her. She's a long time Simply Cyber Community member and I got to hang out with her at RSA last year, so. Very cool. There we go. Dude, this is kind of a big story, right? Like, this is. This is kind of crazy. All right, so I don't use Light LLM, okay. I don't know much about it. I know people kind of get like geeked up around, you know, I feel like it's very hipster, right? You get a fedora and like some type of bizarre, you know, you know, open fermented lager. And then, you know, and you, you twist your ironic mustache, right? Very hip. And then you're like, I don't use Opus 4 6. I use Light LLM. I use my own brew of LLM. So whatever. And Phil Stafford. I might be wrong. Phil Stafford. John V. Let me know maybe. Light LLM is quite popular and I'm just being an uninformed idiot, but here's the Deal doesn't matter that it's team pcp. It could be anyone. But the deal is this is a open source solution through GitHub that they were able to make commits to and compromise. And because of that full compromise, the if you're using this tool, you are screwed. Okay, now that doesn't mean you can't dig out of this. Okay, just so everybody knows you can dig out. It's just basically you're. You have an active incident going on right now. And by the way, threat intelligence is good doing the briefs are good. If, if you're finding out that you're compromised right now because of me telling you, I'm sorry, but you might want to pause the show and go take care of this because you, you have like an open gaping wound inside your environment that needs. Needs address. All right, so the good news is, Let's see, let me, let me give you some. What are you going to do with this? Okay, if you're running light LLM version 1827 or 1828. Hold on, wait a minute. Is this a con. This is a. Hold on. This is like a complicated downstream effect. So the Trivy. The story yesterday was that the Trivi scanner got compromised and allowed people to weaponize that. So maybe that threat actor is compromised. Endpoints through trivia. Now they're compromising developer workflows from other companies. Oh, perfect. Thanks Justin. So the payload's a three stage attack. There's a credential harvester sweeping SSH key so they can log into Linux boxes. Right. They can get cloud cred. So you know, if you're using AWS or whatever for your CICD pipeline, which is normal Kubernetes secrets. All right. And remember, with kubernetes too, I'm not a huge kubernetes person. I, I'm not really super well informed on kubernetes. But I will tell you that the workloads inside the kubernetes you don't typically have a lot of visibility. But like that's where services spin up, spin down, talk to each other, etc. So if you, they're in your kubernetes, it's not a good situation. Let's see. Man. All right, so here's the deal. I will say the following. If you are running Trivy scanner you, you absolutely need to stop that immediately and go figure out what your exposure is. If you're running light LLM version 1827 or 1828, you are, you have an, you have an incident, you have an exposure and very Likely have an exposure and you need to go get this sorted out. Now. It does say that the PyPy, the Python repository where this is hosted, has removed these versions, which is great. So the infection stopped. Now it's just about cleanup.
B
Per.
A
Per, I think PI PI or the Light LLM people, you're advised to do the following actions to contain the threat. Okay, Obviously find all the versions of 1-827-1828 within your environment and then revert to a clean version or just upgrade to the newest version. The fact that the backdoor, this right here where it says the backdoored versions have been removed, that means you can update to the newest version and you will get a clean version. Obviously, any version you find running on hosts, you must quarantine those hosts. Right? If you can. If it's like Carl's laptop, if it's Carl's laptop, just reimage the machine asap. Sorry, dude. Wipe it, Nuke it from low orbit. Now, if it's like a file server or something like that, you just isolate it until you can like, you know, get the data off or whatever. Look inside your kubernetes clusters like I said, within you have kubernetes in your environment. But if you look within kubernetes, like if you kind of double click into kubernetes, you'll have workloads, right in kubernetes, different namespaces. Look to see if there's anything unusual in those namespaces. The threat actors are spinning up new workloads inside the kubernetes in order to do whatever malicious stuff they're doing. Of course, they actually have very specific domain names that you should be looking at, specifically Models Light, LLM, Cloud and Checkmarks Zone. Look for any network traffic going to those two sites. That's very simple, guys. You could drop that into Splunk or into your SIM of choice, whatever it is, sentinel, anything, put it in any security onion, just put it in and see if any endpoint in your environment was talking to those two domains. Because if you. That's how they're exiling all this information, right? Remember, you could have a machine absolutely screwed and you could have malware collecting all the information, all the secrets, all the data, right? But if it doesn't exfill that sensitive information, you still don't have a real problem yet, right? It's all contained. It's like a burglar breaking into your house and filling their Santa Claus size sack full of your jewels and your Xbox and your, you know, magic. The gathering Collection. If they're still in your house when you get home, you can punch them in the nose and take the stuff back. There's no, you know, I mean there's still a breach, but like not really. I mean this data wasn't gone out, right? It was exposed to the individuals themselves. All right, obviously remove persistence mechanisms of that. Of course you want to do that. I don't know exactly what persistence mechanisms that they have, but. And then finally, and probably the most painful one, humble student. What's the name of the tool? It's. It's Torque. Hold on one second. It's Torg Grabber. T O R G. T O R G Torg bro, come on. T O R R G Torg Grabber. And then the Trivy scanner is the one that caused more of a problem here. I'm gonna drop a link to the Gen Guardian blog post. So Trivi Scanner and Torg grabber. Okay.
C
Adds AI powered security bug detection. GitHub is adding AI powered scanning to its code security tools to expand Vulnerability detection beyond CodeQL covering shell bash, docker files, terraform, php and other ecosystems. The hybrid model is entering public preview soon and flags issues like misconfigurations, weak cryptography and insecure SQL at the pull request level. With Copilot Autofix suggesting remedies. Internal test showed 170,000 findings over 30 days. 80% positive feedback and autofix cutting resolution time from 1.29 to 66 hours.
A
Cool. All right, so hey, really quickly if you were. Well, two things. One, for practitioners, they, you know, well, there's a lot here. So just like everything else, like if you went to RSA or if you've just been like awake for the last year, everything in cyber security is now AI powered. Now with AI inside AI. AI, AI. Okay, so GitHub getting AI, you know, okay, like, like here's my shock face. All right, Number two, there's a free limited version that everybody can use. So if you're an independent developer, you're doing a, you know, a project, a non profit, whatever, I mean there's no reason not to use it. It's going to find low hanging fruit for sure. If you are using GitHub professionally, you make money off of it, right? Or you, it's a non profit but you have some financial Support like Simply Cybercon. Go check the Simply Cybercon.org out for more information on our conference in November. Then get the paid version. And like there's no reason not to eliminate. There's no reason not to Eliminate any low hanging security vulnerabilities that can be found. It's simple. Do it. Okay. Third thing, and this is probably the most timely one in our industry, right in cyber. Having published CVE is associated with you is a huge flex. It is a massive mic drop, get your resume to the top of the pile kind of thing. There are a lot of CVEs that are tied to low hanging fruit.
B
Our
A
Tyler Ramsby has done multiple videos. Joe. Oh God. What's the mayor's name? The guy who. Joe. He, he used to be over at tcm. The mayor. Joe. Joe Hill. I can't even remember Joe's last name, which is too bad. But anyways, they've done multiple talks on finding CVEs in GitHub repos so you can get those published CVEs attached to you and you're good to go. This is going to eliminate that low hanging fruit. So if you've been wanting a cve, I would recommend you get it, prioritize it asap or you're going to have a tougher hill to climb.
C
Leak base admin arrested over stolen Joe Holly Joe Hall.
A
H O L L. Thank you, you can continue, please.
C
Computer marketplace. Russian authorities arrested the alleged administrator of the leak based cybercrime forum, a resident of.
A
No, not Joe Hudson. Although Joe Hudson's awesome. Joe Hell. Joe Helly. I mean he like literally. Hold on. Not Joe Heller. This guy. This guy right here. Oh my God. All right.
C
Tag and rog for running a marketplace that traded stolen personal and corporate data. Since 2021, the platform hosted hundreds of millions of credentials, financial information and documents. With more than 147,000 registered users. Law enforcement seized equipment and preserved forum data for evidence. US Authorities called Leakbase one of the world's largest hubs for buying and selling stolen data and cybercrime tools.
A
All right, yes. Leak based admin arrested. Good regulators. Awesome dude. So in the criminal, cyber, criminal ecosystem, for those who don't know, like, initial access is one of the harder like pieces, like once you get access to the box, like deploying your malware payloads is easy, right? You've already got access. There's malware as a service sites, there's criminal underground sharing wares and whatever. So like, you know, initial access is big business and this league base, like they said in the story, is like one of the biggest marketplaces on the planet. Now they've arrested the main person behind it, which is great. Two things have to happen here. One, they have to take down the infrastructure, right? Or Else, number two. Right. Who does number two work for? Number two. Admin is just going to take over and continue operations. But. But getting the head of the snake, arresting the actual human is great. And of course, if you threaten to throw this person in jail for the rest of their life, they're probably interested in comp. Not compromising. They're interested in. Oh, my God, what's it called when you, like, work with the police? They're willing to collaborate or whatever with law enforcement to, like, basically rat out other criminals in order to reduce their own. Their own sentencing. Okay, dude, Hundreds of millions of user accounts, bank details, usernames, passwords, corporate docs. 100. Yeah. 147,000 registered users on this one. This one is crazy. Oh, leak base was dismantled. Oh, yeah. Okay, so this is wonderful. Okay, hold on. Double win. Regulators. I probably should have said this at the beginning. I don't research or prep for the shows. Ain't nobody got time for that. So I don't know exactly what's happening, but. So law enforcement took down the site and arrested the guy. That is what's up. Like, this is how you do it. I love it. Okay, so this isn't going to stop cyber crime, but this is a massive hit to everybody. When I see stories like this, you know what I like to think? I like to think that, like, you know, it's in between first and second period, like the. Or you know, it's intermission. If you watch hockey, like, I'm just like. We get to like, sit. We get to sit down, go to the locker room, take our pads off, dab our brow for a second, because we get a little bit of relief that one of the largest online marketplaces of selling creds has been taken down. Way to go, team. We can take a little bit of a. A breather. Also, really quickly, this is when I'm talking about flare and, like, the value of flare. This is kind of what I'm talking about. Like, assuming that this database isn't taken down. Like, flare, like, gets access to these lists and makes it so you can query them and see if your accounts or your users in your environment are showing up in these online marketplaces that that's what flare does to kind of put a fine point on it. Anyways, way to go, law enforcement. I know it's not easy and hopefully, you know, the next cyber criminal who's thinking about getting it done looks at something like this and is like, ugh, I. I don't know the word. It's not liaison or Snitch. I mean, you guys are all informant. You guys are all doing it, right? But yeah,
C
huge thanks.
A
Oh, cooperate. Cooperate with law enforcement. Yes, sir.
C
Our sponsor, threat locker detection based security assumes you'll catch an attack in time. Control based security assumes you won't. That mindset shift is driving more organizations to focus on preventative controls, stopping unknown execution and unauthorized privilege elevation instead of relying solely on alerts after the fact. Learn a lot more@threatlocker.com
A
all right, here we go. I can't do the thing. I'll do this. All right, come on now. All right, guys. Hey, we're at the mid roll. Someone called out the Montel Jordan. This is how we do it. Yes, this is how we do it. Take down the head of the snake and the infrastructure underneath. Complete scorched earth. Way to go. Hey, quick shout out, we're at the mid roll. Shout out to the stream sponsors, thread locker, anti semi siphon and flare. Definitely appreciate you guys and what you do every single day of the week has a special segment. And Thursdays is what's your meme Thursday. And this guy, Dan Reardon makes up a custom meme. For those who don't know, I'm a big GRC dork. I love my grc. Dan has taken that into account and I present you with today's simply cyber meme of the week. Ladies and gentlemen, I present to you the Audit Warrior. Very similar to the Mel Gibson Road Warrior post apocalyptic character. This is the Audit Warrior. This is what it looks like when I'm on. On client side doing my audits or if you do internal on. This is what it might look like when you get done with a particularly difficult internal audit. Feel like you're lone wolf fighting it. So anyways, thank you very much, Dan. Love it, love it, love it. All right, let's keep contin. Let's continue on get there. We got jawjacking coming up at the end of the show. Stay tuned for that.
C
Ransomware disrupts Spanish fishing port. A ransomware attack hit Spain's port of Vigo, disrupting digital systems that manage cargo operations and forcing staff to revert to manual processes. The attack was detected Tuesday and locked servers along with a ransom demand. Authorities isolated affected networks. Physical port operations continue, but digital logistics are offline, pending security verification. No group has claimed responsibility, but an investigation is ongoing.
A
Bubble. All right, I mean, this is quite interesting. So ransomware threat actors, remember they target crimes of opportunity, right? Like did you get into an environment? Did you do this thing? And that's fine. And if you, if your doors are locked or if you're a difficult target, they might just move on to the next victim. This is how cyber criminal, financially motivated threat actors operate. Now, not all organizations are created equal. Manufacturing and healthcare have elevated risk of being targeted simply because if you disrupt manufacturing, manufacturing, at least in the United States, runs pretty lean margins already. And there is a direct correlation between not being up or operational and losing money. Like manufacturing can calculate how much money they make per hour of the, of the facility being operational. Same with health care, right? If you knock down health care, you could have patient safety concerns. There have been multiple examples of incidents where people have died because of cybercriminal attacks. They can't get to the hospital. Like, they get rerouted and they're having a stroke. You know, people are having operations and like, you know, the hardware kind of cuts out or whatever. So there have been multiple. Now this one, I'm kind of surprised it doesn't happen more if you work in transportation or logistics, which I know some of us in the chat do, right? We've got Ben, well, dj, B, sec, but then also, oh, my God, I'm blanking on it. But there's a bunch of different people who work in it. This is very similar to manufacturing where, you know, the boats come up to the port, they take the mill crates off the boat and put them on the trucks. The trucks drive away. What mill crate goes on what truck? What truck is allowed to drive away? Where's the truck going? All of this logistics information is vitally important. And if you muck up the works, it can cause massive problems. And because we're talking about fish fishing and fishes, that is an expiring asset, right? That is something that needs to be kept on ice. You can't just have fish sitting on the dock for three or four days, right? That, that's like big money that's just expiring. So honestly, I'm not. I'm surprised that more kind of logistics groups are not targeted. And in this instance, you can see straight up, they got hit with ransomware and their network is in cargo. Operations are being done manually, which means it's still operating, but very much at a limited capacity. Right. So to me, there isn't much here in the way of like a news story that you can do something with. It's interesting. What I will say is, if you do work in logistics, this is a very valuable story to take advantage of. I like, just as another example. Hold on. If you work in logistics, use this story, okay? I Just want to point out really quickly, as I mentioned on stream yesterday, we, there was a story about AstraZeneca, the pharmaceutical company that got hit with a cyber attack and was impacted. I told you guys, I have a good friend who works in pharma who has a bit, you know, a bit of a challenge of conveying to the leadership there about the value and the importance of cyber security. And I sent him that news article and, you know, a couple talking points. He doesn't need my talking points. He's quite capable. But he was able to leverage that story yesterday to great effect at his organization yesterday and begin to affect change at his organization. So don't sleep, don't sleep on something like this. Don't be like, oh, it's just a story. No, this is an example of, you know, trying to, you know, making it real. And the final thing I'll say about this, imagine if you will, you're trying to tell your, your, your spouse, right? Like, hey, we should really invest in a home security system or we should put better door locks on the house. And the spouse is like, why? Like, we live in a safe neighborhood, everything's fine, okay? And then your neighbor's house gets burglarized, right? Not you. You haven't had any impact. But the neighbor's house gets burglarized. Well, now all of a sudden it feels more visceral, it feels more personal and it feels more emotionally attached. And that's how, again, I'm not trying to use fear, uncertainty and doubt to manufacture a scarecrow ARGU scare straw man argument on why it's you're doing it. It's just, dude, if it happens to someone in your industry, take advantage of it. There's no reason. Find the true tj Be well bud.
C
AI App Builder abused for Microsoft credentials Kaspersky Researchers report that threat actors are abusing bubble to host phishing apps that steal Microsoft 365 credentials while evading detection. Because the apps are served from trusted bubble IO domains, email security tools often fail to flag them, letting victims get redirected to fake Microsoft login pages. The AI generated apps reportedly use complex JavaScript and shadow DOM structures that are difficult for both humans and automated tools to analyze, helping conceal malicious behavior. Puerto Rico Government okay, yeah.
A
Shall we play a game? This is a real problem, guys. This is a real problem. Okay, so there's two problems here. One is macro and one is micro. And the macro one is the one that we should really be focused on. Let me just give you a little value right now. But then let me, you know, I guess expand your mind on the macro problem. Okay, so Bubble AI app builder, right? Like, you know, we talk about Vibe coding apps and many of us are technical, so we can basically use Claude code or one of these platforms to just interface with it, explain the app we want and get it going the bubble website. And I feel like I've looked at bubble before, it's like a website app builder, vibe coding platform. They basically have abstracted some of the technical elements to make it more accessible to non technical audiences. So you describe a website like, oh hey, like I want a personal blog, like just to make it simple and it builds you a little personal blog and then you say hosted here. It's very similar in my opinion to like WordPress in that you can describe it with WordPress, you can like spin up your own website and then it's like, you know, whatever. Dan reardon.WordPress.com right? With this particular one, you do all the things you want and then it's at Bubble IO, right? And then if you get your own custom domain, I'm sure for a fee you can change that or for a fee you can get other, you know, functionality or whatever. But that means that threat actors can use that same platform to create malicious phishing websites and they're using it to make lookalike websites. So here's the, here's the thing, like you have to make a decision, okay, are you going to block Bubble IO? There's probably legitimate websites, legitimate tools, legitimate things that are using Bubble IO. But because there are threat actors using it as well, it's very difficult to parse out what is malicious and what is not. I, I almost like to kind of use a, an analogy. It's like you have clean drinking water, okay? You have clean drinking water. And then threat actors put some like red food coloring dye, drip, drip, drip into the, into the water. Okay? Now without mixing it, you can kind of see like, oh, if I stick my face over here, I can drink clean water still because that red food coloring dye is over here. But then if you mix it up, it's mixed and you have pink water and like you can't discern even though there's only like two drops of red food coloring in a gallon of water, you can't discern what is tainted and what is not tainted. And you're going to have to make a choice like block Bubble IO or not block it. Also, I want to point out you should be doing, do the best you can with identity and access management so phishing landing page steals your creds. Okay, that sucks. But if you're using multi factor authentication, if you're not allowing reuse of passwords, if you have a password vault, right? So you have multiple creds for different things, conditional access in your environment, right. So you're only allowed to log in between 9am and 5pm from the United States, right. There are some certain additional controls you can put in place to help limit the successful impact. Like so if your creds get got, you know you have been compromised, right? But you can reduce the impact of those creds getting compromised by these additional controls that I'm talking about. Now the, the macro level issue is it's you. If we're talking about blocking bubble IO that's fine today, but tomorrow it's fubar IO and whizbang IO and who's he WhatsApp IO like, like the, the, the paradigm of this is problematic. So don't, don't wrap your head around bubble IO. Like it's, it's going to change. Like this is a macro issue. Finally, the other macro issue I want to point out is, listen, if these websites are being kind of flagged as good websites because it's Bubble IO or Google Sites or whatever, you and I might be able to talk about it. Roswell UK and Code Brew might be able to look at the site and say that doesn't seem legit, this seems dodgy. Okay. Open claw AI agents, your non human identities, they are not going to see those websites and, and do like a sniff test on them, you know what I'm saying? So I feel like, you know, there's a bigger, I guess exposure here of these fishing as a website, sir, or phishing services, Phishing websites that are built on legitimate platforms. So there isn't a lot of technical identif. Like there's no technical elements that allow you to tell an AI that this is malicious. Which means that the AI could compromise creds and then you don't even have visibility into it because you gave the non human identity agenic AI its own credentials. Right, and how does conditional access work on that? Because I just want to remind everybody there isn't normal working hours for Agentic AI. It works 247 which is why CEOs are walking around. You know, I'm not going to make an inappropriate joke, but they love it. So there's a macro issue here in my opinion.
C
Agency cancels driver's license appointments. Puerto Rico's Department of Transportation canceled all driver's license and vehicle service appointments after a cyber attack forced officials to shut down systems to contain the incident. The Puerto Rico Innovation and Technology Service said the attack was detected on Monday. Response protocols were activated, and there is no evidence of data theft. So far, services remain offline while systems are tested and restored, marking the latest in a series of cyber incidents affecting the territory's government agencies.
A
This sucks, man. Puerto Rico's already having a tough time. They. They didn't really need this. Okay, so state and local municipalities continue to get hit again, remember, state and local municipalities are nonprofits. Right. They get funded by taxpayer dollars. So if you want to increase the level of investment that these agencies have in cybersecurity, you have to raise taxes, which upsets a lot of citizens. Right? So they're trying to make a dollar out of 15 cents. And if you live in Puerto Rico and you wanted to get your driver's license or permit renewed, you can't. I would say that this is inconvenient, but maybe not devastating. I left S. FedEx is FedEx. No, FedEx is in Puerto Rico. Is. He's Dominican. I'm not sure. Anybody who's Puerto Rican or has family in Puerto Rico, please let us know in chat. Like, what do you. What would you think the level of impact this is to me? I. I don't think it's super impactful. Right. He's from Colombia. Oh, thank you. I don't even know. Like, it's funny because in chat, it looks like I typed that thank you and sorry, FedEx. I just couldn't remember. All right. So they had to disconnect. So this is kind of cool. I want to bring this up to everybody. You need to. Not need to. But I would strongly encourage you to do tabletop exercises and say, hey, this thing's compromised. What are we going to do? And if disconnecting a system from the network or quarantining a system, which is effectively taking it off the network, is part of your playbook, not only make the decision and get management approval for doing that under certain situations, but also figure out what breaks when you unplug stuff. And if you can, maybe during a maintenance window. This is a little extreme, but maybe during a maintenance window, say on a Saturday night or whatever, actually unplug the thing, you might find that there's some entanglements that you hadn't considered that will crop up when you do this. And trust me, you want. You want to discover these things when it's not, like, go time, right? So, anyways, they'll recover from backups and be up and running and back again, but kind of sucks, man tricks urges
C
admins to patch Net scalar flaws Citrix patched two vulnerabilities affecting netscaler, ADC and Gateway devices, including a critical flaw that could let attackers steal session tokens via a memory overread similar to past Citrix bleed exploits. A second bug could allow session mix ups through a race condition. Citrix is urging immediate patching, with more than 30,000 exposed netscaler instances being tracked. Researchers warn attackers will likely reverse engineer the fixes with the flaw, closely mirroring previously exploited zero days, making remediation critical
A
when all right, really quick, just to go back eves byte403 asked a question in chat and James McQuigan I I've asked you a question in Discord and in private chat on Restream. Can you respond to any of those, please? Eve's bite had asked Tabletop exercises are usually reserved for a company or business. I I don't want to make any assumptions that people know what tabletop exercises are. A tabletop exercise is basically a controlled work, you know, experience where you are pretending that some, you know, some incident, some negative impact, something has happened. You know, a simple one is like oh, we have ransomware that is detonated in our environment and what do we do? Right? And you can do it a bunch of different ways. Everybody Eve bites. You can have just the IT team there, you can have just the executive team there. Obviously you tailor the tabletop exercise for the group that is there and for what the outcomes you are trying to get for. Then you could do things called like injects, right? Where you're like oh, like oh hey, all of a sudden the threat actor emailed us and they're leaking files. Or hey, a reporter's on the phone and they want a statement. Whatever. They are typically done for businesses, for a business to understand what is it, what's going to happen if they have to respond to an incident? You can do it as an individual, but un. Unrealistic, right? Like okay, like I guess you could do it as an individual. Like a table here. A tabletop exercise for an individual would be like I got laid off today. Like just hypothetically, like pretend for a second you got laid off today, you no longer work at your current job. What's next? What do you do? Do you have money to pay your bills? How long do you have money to pay your bills? Who is the first three people in your network you're contacting? Like what you know, are you Going to sign the, the, the form from your employer that says you won't do all these things, right? Like it's a serious, it's a serious thing. And typically when you get hit with a layoff, you're emotionally engaged, you're not thinking clearly, you're upset, you're nervous. Survival instincts kick on. So you could do a tabletop exercise for yourself, pretending that you just got fired. That's one example. But typically when we say tabletop exercises, we're talking about in a business incident. Okay. Hey, listen, if you're running netscaler, Citrix netscaler in your environment, gotta patch it, period. Full stop. Ah, you gotta patch it. Okay. By the way, Citrix Bleed was around for a while. If you're running Citrix gateways, if you have netscaler in your environment, there is no question that you know that you have that in your environment. You don't, you don't dabble with Citrix Net scalers, you don't dabble with Citrix in your environment, period. Okay, so I'll just do a quick little look at this. You, you will have. Obviously you'll have to coordinate with your IT team and a maintenance downtime because you're going to impact operations by bringing down Citrix. For patching this one, you have a 200ths of a percentage of a chance according to EPSS of getting exploited in the next 30 days. Even though if you do get exploited, it's pretty serious. What I would say is maybe coordinate it for the maintenance window this weekend if that's what you're doing. Okay. Citrix gateways can be found quite easily because they're Internet facing and they have a fingerprint. So don't sleep on that. All right, I gotta go. You can see here, we're looking at the number of Citrix netscaler gateways. Right now there's 30,000 Internet facing, 13,000 in Europe, 11,000 in North America. So that's one of you. You know, I would prioritize patching it. You can also use Shodan IO Shodan IO to look at your Internet facing IP range or IP space and find out if you have a one that is exposed. All right guys, that's going to do it. All right guys, I want to thank you all for being here. 320/simply cyber community members getting the daily threat brief. I'm super pumped to be back in the Buffer Osier Flow studio. Don't go anywhere because the show's not over yet. If you want, we do another show called Jawjacking Jawjacking brings industry professionals to bear for you with the exclusive intent of answering as many questions in 30 minutes to help you level up as a professional, get the insights you need, know what conferences to go to and what your crap, and so much more. Very pumped. We've got a great host for you. 1. James McQuigan at 35,000ft will be your jawjacking host. He's going to get into the rotation here pretty soon, pretty consistently. So enjoy that. I'm Jerry from Simply Cyber. I'm gonna go teach the cadets at the Citadel Military College. Till next time, stay secure. Enjoy. James. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered, and totally free. Let's level up the together. It's time for some jawjacking.
B
All right. Well, good morning, everybody. Hopefully, everybody can hear me. They can see me. I'm kind of solo here today. Usually I get to sit with Jerry or I'm sitting with DJ B or FedEx or any of the other great folks that are out there. So today, Jerry's just kind of thrown me into the deep end. So we're gonna. We're gonna see how this goes. I'm real excited to be here. I'm guessing I'm looking at the chat that everybody can hear me. I do have a new setup that I'm gonna hopefully try out because I've got some new toys and features, but unfortunately, I don't use obs. I don't have all the fancy graphics and everything else that everybody else is. That everybody else has. I will work into that, and I will certainly get there. Anything. But, yes, this is the ama. This is where you can ask me questions if you're really good. I might drop in a dad joke or two as we go along, because tomorrow, if you're coming back, you know that on Fridays is dad Joke Friday. But it's my thing, so maybe, you know, we'll see if we can drop one in as we go along. Usually for me, it's kind of a spur of the moment. Somebody will say something, and it's like, oh, I know a joke that goes with that. So glad to hear that everybody can hear me. Cool. So, yeah, let's drop in those questions if you've got them. Why was Elite Egg late for school? Well, Carrie, he. Carrie, always gives me some good jokes, drops them into my LinkedIn chat. I always appreciate him, but why was the egg late for school? He didn't study for the exam. That one is exceptional. I will certainly say that. So, yeah, there you go. And of course I need to have. I need to get a way to rig in so I can drop in the. The AHAs and all the other sound effects. But I'm not quite there on setups yet. But we're getting there. Not a question. Oh, yeah. Okay, there we go. That was there. Too many jokes. They won't be back tomorrow. Well, yet, no. Everybody's always coming back for more dad jokes. We won't give them. We'll always, always want them leaving, leaving them more. So your setup's fantastic. Oh, thanks. Bruising hacks. Next beer's on me.
A
Cool.
B
All right, well, while I wait to see if any. Yes, all my dad jokes are in my database. FedEx. Yes, very good. So next week I will be at cyphercon. I'm real excited for that. Going up to Millywake, up to Milwaukee, Wisconsin and gonna be excited to get up there and gonna see our good friend, friend of. Of Simply Cyber Team Cyber, Simply Cyber Michelle Khan. He is the keynote up there. So excited to get up there and see him. It's been, I think the last time I saw him was, I think back in black hat actually. But we've been, we've been chatting and conversing. So excited about that. All right, let's see. The chat does go by pretty quick. So let's see. Any debt? What is Beethoven's favorite fruit? Banana. Yeah, exactly. How are those hot irons in the coals? Oh, that's a good question. The hot irons are still glowing. I'm still working through interviews and discussions. So nothing has been official yet. So once that does happen, don't worry folks. You guys are like the, I think fifth people to know because I got to tell my wife and my family and. But you guys are going to be one of the first folks to know that once I am back employed. You will be the first to know. Of course.
A
The.
B
The kicker is I've been. I teach full time, part time, kind of like Jerry. I teach at a university, a private university here in central Florida called Full Sail. And I teach cyber threat intelligence, which is always a lot of fun. So I. That still, I'm still employed if you think about it technically, but essentially looking for that more full time role. Next group. So Carrie's got a question. Now that I have my sec plus, I need a place to put a profile. What is a lab? Throw this up here. Now that I have my A plus And Sec plus, way to go, Carrie. Congrats. Good to see that. I know I need a place to put a profile. What is a lab that I can put together, get noticed? I have to get the software for VMs. Yeah. So one of the things, and I've been saying for telling folks for years, depending on what your budget is, depending on what kind of setup you've got, will depend on, you know, how far you can go with your setup. You can get little intel nooks for a couple hundred bucks. You can get your virtual machines, of course. And whether you're going to use, you're going to use virtual machine VirtualBox, you're gonna, if you're on a Mac, you can use parallels there and there's a whole slew of other type of VMs that are out there. But the lab that you want to set up is going to depend on what you know, what your goal, what you want to accomplish with that lab. Are you looking to do pen testing? Are you looking to do web exploits? Pen testing against hardware? Pen testing against, you know, web applications? And there's a variety of free VMs that are out there that are vulnerable. Whether you can get an old Windows set up or you can get the, you can get Metasploitable and there's, I know there's some web based ones as well, the names are escaping me, but those are out there that you can set up. If you can get yourself set up a VM and a software firewall, then that way you can really also be able to protect those VMS and not having them directly connected to the Internet as well. Getting noticed, well, that's all up to you, but certainly putting that, you know, whatever lab you create, document as much of it as you can. Document it, talk about it, share it, you know, what's working, what's not working, you know, whether you do that in LinkedIn and you share those stories or we've seen with what DJ B SEC has done and I've done it with my, my website for apparent security is I'm hosting it in GitHub and it's just a great place to be able to have those files there. And it just makes life a lot easier to be able to, you know, edit any files and, and adjust as you need to. And it's a good repository and it's a great way to use GitHub. Sierra, how is your time at sea level? Sea level was good. I had a nice four days zipping on down to Cozumel and back. It was nice and relaxing and then back to the grind here this week. Can't help but sing it. Yeah, I can't see them. Oh, okay. I know that you're an ocean guru. What training do you recommend for Threat Intelligence? Flare Academy has been great, by the way. That's awesome. I haven't had a chance to check out Flair. I need to. And I know Jerry's got that special coupon that's available for us or discount that we can go try it. We've got to verify who we are and that's fine. I have no problem doing that for me. Shoot. When it comes to ocean, there's a lot of great resources out there. I'm looking over my shoulder because my bookshelf is behind me and that's where I've got a lot of all my books that, that I've read over the years and use for my resources. But for me, you know, Michael Basil, we cannot talk OSINT without Michelle Kahn. He's got tons of resources. There's. There's an OSINT Academy, there's conferences like Osmosis, but definitely, yeah, I mean, flare. If you're already leveraging them, that's great. There's tons of free resources. For me, when it comes to osint, it's a matter of doing. You've got to go through and try these tools out and get comfortable with it. You know, we know OSINT Open Source Intelligence. It's all about, you know, finding information that's already out there, leveraging, you know, a variety of different tools, variety different services that are out there. But essentially we need to make sure that whatever tools we use that we go through and try them and get hands on and get that experience because that's going to help you overall as you become more comfortable doing osint. But there's tons of free videos out there. There's tons of free tools. Just get out there and start playing with them. Let's see, scrolling through. Oh, the wrecking ball. Did you hear about the death near. Oh, the death had a near Chuck Ignorance experience, Rest in peace track. Ah, that was, that was rough to hear about that. Have you had experience in your career with. Oh, this one looks like fun. Coming in from Jared Rodriguez. 550. Have you had any experience in your career with ICS, OT departments and I T departments having to work together? If you have. Do you have any advice for communicating between teams? So, Jared, I spent 18 years working for a little German company called Siemens and I was part of their energy division and I did everything there from building computers to networking network security, compliance, product security information, sorry, incident response, security, phishing assessments. Did a lot with. And it's where I got my, where I got really interested into cyber security as well. I have had many interactions over the years when it comes to ICS and OT departments and IT departments, you know, trying to get them to communicate. You know, the, the interesting thing between both of them, it is focused on the corporate networks and security systems and the ICS and OT folks are focused on the scada, the process network, the manufacturing, the, the, the business maker. You know, that's the, you know, the control systems, industrial control systems, operation technology that's, you know, making widgets, manufacturing or it's, you know, power plants, water treatment, chemist, chemical, you know, just critical infrastructure. Essentially both of them focus on their networks and making sure that they're secure, secure and they're protected. However, one big difference between an I T network and an OT network is when we talk about, in cyber security, we always talk about confidentiality integrity and availability. The CIA triad in IT availability, confidentiality, integrity is kind of how their thought process works when it comes to the priorities of the. The system always has to be, sorry, it's more confidential, confidential into and then integrity than availability. On the okay side, it's all about availability. Bottom line, if you're not, if the power plant's not generating power, lights go out. If you're not treating water, then you're, you know, water doesn't go out. Availability systems, the availability of those systems is key. That is huge because they can't shut down the systems and lose visibility the second Tuesday of every month because Microsoft's got new updates. They are so focused on availability. So understanding what the difference is between the two organizations is where you start. You're both there about securing it, you're both there about keeping them operational. So for me, a lot of the time the conversation came down to, look, you know, we know you want us to patch all these NT systems. It was nt back then, but NT systems and Windows 2000s, you know, whatever, you know, older systems. And we don't do the updates as much. But we also take more steps to mitigate the risk for those systems as well. We put more protections. We control who accesses them. Doors are locked into those rooms. You know, we're securing those environments. We can look at a window where we can take them, you know, whether there's an outage with the plant or with the organization. If they do have any type of outages, that's a good time. But to basically bring the people together over coffee and donuts is usually, you know, as an, as an OT person, I'd be bringing coffee and donuts. I go to lunch with the IT guys and just talk it through. It's like, yes, we know about cybersecurity, we know the whole CIA and everything else, but we also know that we have to keep these systems up and running. So it can't be just, no, you can't do that. It's yes, but what do we need to be able to do going forward? So hopefully that answers your question. For me, a lot of it is seeing both sides, bringing them to the table, having those discussions, going, go talk to them, and hopefully they will, you know, work with you rather than against you. They, we know they have their objectives as OT people. We have ours as well. Kimu. Yeah. KE Q U Q E M U also. Thanks, Kishan Posek. That's a good one. Time to Update your Broadcom VMs if you haven't already. Yeah. Now the Broadcom has got, I have virtual, I have VMware's Fusion running on my Macs and I've got VMware running on my Windows machines. The more you work together, the faster you can fix issues. OT manager is usually old school. Very protective. Yes, they are. You can take a long time to build that trust, but it's worth it. And it's a matter of having those conversations. If you're the IT going to OT again, it's having an understanding of what mitigations risk mitigations can we put in place? It's like, okay, if we're going to have that vulnerable system sitting on the SCADA network, then we really need to limit and limit the systems and limit who can access it and make sure that we've got like MFA two factor authentication going through to gain access into those remote systems to talk to it. Let's see. I'm right there with you, Carrie. I'm still trying to figure out what I want to be when I grow up, but I kind of have an idea. But we'll see. We'll see what goes there from there. I agree. Bruising hacks. I saw that. I was looking at that as well. The, the, the volume hub repo on GitHub is really, really good as well. Docker containers to hone in on specific vulnerabilities. Yeah. That way you've got things to be able to test and, and verify and check. How do you get to be. How do you get a more stable Internet connection when working remotely? Move your router to the barn.
A
Ah.
B
Way to go, Crystal. Well, you know, I don't know if anybody knows, but there is a woman out there who is the most secure woman in the world. Yep, there is the most secure woman in the world. Her name is Emma mfa. Mfa, yeah. Okay, Michael. Sean says he's got several Michael Basil resources. Those are good, but definitely check out. Oh, Cynthia Harrington Hetherington is really good as well. The Ocean Academy. Yep. Very much on due diligence. That's one of the things that a lot of folks don't realize when it comes to Ocean. Yeah, it's fun finding the information, but we got to verify that it's accurate. There have been so many times that we've seen, especially going back to the Boston Marathon bombing, where. And that's kind of where osin. Well, Ocean's been around for so long, but it kind of came to the forefront because people were looking up of images and then using the Internet like PIM Eyes or Google Images or other image searching tools and looking for people and unfortunately did not verify and did not check the that they had the right person. They were like, oh, that's the person. Yep, that's it. Here's their address, here's their name and their phone number. And now we're gonna go get them. And it was the wrong person and wrong people were arrested. So it's important that when you're going through and doing your OSINT work, that you're verifying it, that you're doing your due diligence. That's the key to it more than, you know, actually discovering it as well. Mara wants to know, do I have any CISSP study tips? Wow. You know, for me, it's been 17 years, I think, since I took my CISSP here in Central Florida. I'm going to do a cheesy plug. But here in Central Florida next month, we're doing the chapter. We're doing the ISE2 Central Florida chapter, where I was past president for eight years. Got a great team of folks involved in that. FedEx is the vice president now, but we're doing a CISSP study group Next. Next month, April 11, all day. So if you're here in the Central Florida area, definitely check that out. I dropped the link in, but I don't have it, so. But you can just Google it and find it or reach out to me on LinkedIn. Anyway, CISSP tips the tip that there's several and kind of these are the ones off the top of my head. Real quick for you, Mara, when it comes to the cissp. One thing to consider is this is a managerial theoretical exam. We may have real world, practical, hands on, tons of experience knowledge, but when it comes to the exam and what you're being tested on is that managerial theoretical, it's an inch deep and a mile wide of information that you've got to go through. Understanding that the way that I studied, besides doing a boot camp, I had three books back then. It was the Sean Harris book. So I had the big thick. Yeah, I have it behind me. I have the big thick CISSP book. That was the Sean Harris. That was the really, really big one that had everything in it. Now I at that point was familiar with networking and, and security with regards to that and telecommunications. And I knew a little bit about risk management at that point. What I also then had were two other books. And one was a book that was about 200 pages. And I literally read that cover to cover like six times. And I highlighted the heck out of it and put sticky notes. That was almost like my study guide for studying for the cissp. And I read that and I knew that cover to cover. As I would go through reading that book, if I didn't understand something, I'd go over to the Sean Harris, the big CISSP book. If I wanted a second opinion or I wanted another perspective on it, I had, don't laugh, but I had a CISSP for Dummies book and you can use whatever books you had. So right now, and I'm going to go to the, the over to my library here. And yes, I'm wearing shorts because it's warm in my office.
A
Why?
B
Too much stuff. All right, so there you got a nice view. So here is my all in one CISSP book. And you know, that was the reference guide, the other one. And I think, yeah, this is. I ended up having to buy another one because I lent my copy to a friend of mine and I never got it back. So I ended up buying a used one. That's why this one's not as used up. But I had this one. This is the Mike Myers CISSP passport book. This is what I used. And this thing was like 350 pages. But I, it was easy to read and I read through that kind of COVID to cover all the time. And so for me it was having multiple sources have one that I could read constantly and work with. And then the other aspect, what really triggered it for me was once I was comfortable with the information, I was then helping other groups and helping them study as well. And that was, that was Huge for me, that was letting me know that, oh, this is finally sinking in. You know, being in study groups goes a long way as well. Well, if you can find a study group or a group of people that you can study with or bounce ideas off, I'm sure there's. Nowadays, because we didn't have it back then. Back in my day, Discord, I mean, I got to imagine there's great ways to be able to chat with people on Discord, Slack and so forth. Thank you very much, Isaiah. Appreciate it. I love it. This is. I'm just gonna. Tomorrow might just be a whole collection of dad jokes from today, but if someone's born in 33 and was 45 in 78, is that some kind of record? Yeah, that's a good one. That's a good groaner. That's a face palm right there. Yeah. Definitely give the three thumbs up. Oh, here we go. What's this one? Are we doing on time? Because. Time. So I got four minutes left. Holy cow. Time flies. All right, let's see. I'm trying to get into cyber security. I'm debating getting a bachelor in cyber security in online university while working on getting certifications. Not sure whether it's really worth it. You miss Wolverine 99, you are asking the toughest question to ask and get an answer for right now. Yes, it is challenging, but you can get in. I've met students that have. That have gone to Valencia, gone to college, community colleges. They've gone to university. They've gotten their degrees, they've gotten their certifications, and they've, you know, gone out into the world looking for work. Some have been successful, some that have been not. Now I know the next question is what? You know, how. What did the people that were successful, what did they do? And a lot of that. And I've interviewed them, and I've asked them because I was really curious. I said, what did you do that helped you make stand out? Some of it came down to networking. Other. Other times it came down to, you know, they had a lot of great resources or it happened through an internship. But essentially with our industry, yeah, having the knowledge is important. Get the bachelor's degree, get the certifications that go along with it. Some universities, they'll pay for your certs as well. One, to look at, you know, especially on the entry level, you've got your comptias. You've got, you know, your. Your security plus your network plus you've got ISE2. They've got a CC1 as well. So you've Got a lot of different resources, but for me the biggest thing is getting out there and networking. Get out there and meet people, whether it's going to one day conferences like a B sides or a local meetup. But get out there and start meeting people. Let them know what you're doing. Because you never know, you might meet somebody that's going to help you get that, that job that you know next time down the road. But you could meet them and you know, they, they, it could be somebody looking for an internship and it's like, oh, great, I'll take that. And they get in on that. In. You get in on that internship and then you're off to the races. PF sense for my VMs. Yep. I do the same thing as well. So many great conversations without the sales. It really felt scrolling through here with the last couple minutes. Okay, all right, Roswell, we'll give you this one. So walking home last night, I passed a slice of apple pie, an ice cream sundae, and a lemon cheesecake. I said to myself, the street, these streets seem strangely deserted. Yeah. Okay. Thank you. You're welcome. Jared started using UTM and I'm three. Yeah, UTM's really good as well right now. For my VMs, I'm, I'm happy. I got parallels, which has been okay, but VMware Fusion's been playing nice as well, so that's, that's doing good. Say hello.
A
Yep.
B
Today's. Oh, and there's today's headlines in the chat. I wish I could throw the chat up here. Well, here, fun story is, you know, this morning, literally, Jerry Pingman goes, hey, you ready to be on Jawjacking today? I'm like, yeah, sure, fine. What do I do? He goes, oh, you'll figure it out. No, I'm teasing about that. I've been real excited to get here on JobJack and do this and chat with all of you. And I look forward to doing some more of these in the future. Biggest tip going to. As a manager, engineer, I got really behind on the chat because I got chatting, because I got talking because it's one of the fun things I love to do with presenting. Like I'm doing at CypherCon next week and everything else you can get in to with Google Professional Support Certificate. That's one network. Network. Network, exactly. You have to check the boxes for applications. So I think I'm there at the end there. Okay, good.
A
Cool.
B
Alrighty. Well, with the last kind of 30 seconds that we've got here, I want to thank you all for coming here this morning, throwing me your questions. Great stuff I'm gonna kind of work on and try to, you know, I won't say be cool like the other ones because I like doing my own thing, but I'll figure out what I can do to maybe put the chat up. But you guys already have the chat. Maybe I'll find something else fun to do. I want to figure out how to get. I can get the aha sound effect in here, but I didn't want to go start doing things in production. I got to get into a test environment and play around with it because, you know, what better way to implement all the updates and patches than to do it on a Friday afternoon and test it it in production, Right? So there you go. So cool. Thank you again to everybody. I appreciate you coming out, sticking around for Jaw Jackson Jawjacking after we had that nerd, Dr. Geraldozer. Good friend, and real excited to, you know, look forward to doing more of these with all of you. So enjoy your day, have fun out there, and we'll see y'. All. And actually, thanks for stopping by. We'll see y' all later.
Host: Dr. Gerald Auger (Simply Cyber Media Group)
Date: March 26, 2026
Episode Theme: The top 8 cybersecurity news stories of the day, explained with actionable insights for practitioners, career tips, and interactive community engagement.
Dr. Gerald Auger ("Jerry") delivers and deep-dives into eight pivotal cybersecurity news stories relevant to professionals, analysts, and business leaders. Each story is paired with practical advice for leveraging news to bolster your security posture and professional development—all in a fun, energetic, and community-focused format.
Summary:
A new info-stealer called Torg Grabber is actively targeting over 850 browser extensions (notably 728 crypto wallets, plus password managers and 2FA tools). It's distributed through "click fix" attacks that trick users into running malicious PowerShell. Gen Digital researchers note rapid evolution: hundreds of new samples, frequent C2 changes, and HTTPS over Cloudflare for exfiltration.
Host Insights & Actionable Steps:
Summary:
Threat actor “Team PCP” compromised the Light LLM Python package via a tainted Trivy dependency, introducing a backdoor affecting SSH keys, cloud creds, and Kubernetes clusters. This attack harvests credentials and establishes persistence, impacting any organization pulling the infected package.
Host Insights & Actionable Steps:
Summary:
GitHub broadens its code scanning toolkit with AI-powered vulnerability detection—covering new file types (shell, bash, Dockerfile, Terraform, PHP, etc.). AI highlights misconfigs, weak crypto, and SQLi risks. Copilot Autofix suggests rapid remediation.
Host Insights:
Summary:
Russian authorities arrested Leakbase’s admin—a massive marketplace for stolen data—seizing servers and forum data. The site hosted 147,000+ users and hundreds of millions of stolen credentials.
Host Insights:
Notable Quote:
“Get the head of the snake and the infrastructure—complete scorched earth. Way to go!” (40:25)
Summary:
Ransomware struck Spain’s Port of Vigo, disrupting digital cargo management systems but not halting physical port operations. Staff switched to manual processes as authorities isolated affected networks.
Host Insights:
Summary:
Threat actors leverage Bubble (a low-code app builder) to host phishing pages on trusted Bubble.io domains, evading detection. These sites use advanced JavaScript and shadow DOMs, making analysis tough. Result: effective phishing targeting Microsoft 365 users.
Host Insights:
Summary:
Puerto Rico’s DOT canceled all license/vehicle service appointments after a cybersecurity incident forced systems offline. The government responded quickly; so far, there’s no evidence of data theft.
Host Insights:
Summary:
Two NetScaler (ADC/Gateway) vulnerabilities patched; one mirrors past Citrix Bleed exploits and allows session token theft via memory overread. Over 30,000 exposed NetScaler instances make this a high-value target.
Host Insights:
Community Q&A highlights:
Dad Jokes & Community Banter:
Sprinkled throughout (“He didn’t study for the exam!” “Her name is Emma MFA, the most secure woman in the world!”), bringing humor and inclusiveness to the show.
“Stay secure, enjoy, and level up together!” – Dr. Gerald Auger