B (10:30)

from the CISO series, it's cybersecurity headlines.

C (10:37)

These are the cyber security headlines for Tuesday, March 31, 2026. I'm Sarah Lane.

A (10:45)

Breaking news. All right, so listen, CISO series, we've been working with them for a number of years. They're the ones who produce the audio podcast that we kind of ride. We ride hard and put up wet. But there was breaking news overnight that is to me, in good God, very important and worth pointing out. And I'm sure we'll cover it on Thursday, you know, later this week of CISO series. But let me drop this on your head, okay? Overnight. Oh, by the way, I don't research or prep for this show. Ain't nobody got time for that. I don't Research or prep for the show. Okay? But I am. I am a cyber security professional. I am a, you know, lifelong learner. I am passionate. And I've said this before, to me, cyber security is a lifestyle. I'm not willing to fight anybody who would disagree with me. I'm just telling you, if you typically, if you have a very successful cyber security career, you typically align with it being a lifestyle. I read it, I eat it, I consume it, I talk about it, I think about it, I love it, I go get degrees in it. Cyber, cyber, cyber, all the things. Okay, so this morning, I'm sitting now with my coffee and who shows up in my feed? Hold on one second. Who? Hold on, let me. Give me a second. Who shows up in my feed? Get out. Not me. Get out of my face, Jerry. But none other than John Hammond. Sorry, I thought I was prepared to do this, but I'm not. John Hammond of John Hammond. Okay. God damn it, John, where are you? Hold on a second. This is breaking, okay? And I want to share all this with you, all right, Right here. John Hammond releases this video three hours ago. By the way, I had dinner with. I had dinner with John Hammond on Monday, Tuesday night, last week. And I'm like, john, how do you get. How do you like, are you human? Like, how do you get videos done the way you get them done? He's like, I don't know. I just, you know, I just hit live. It's not really overproduced. And then I'm like, john, he releases this video at 5:00am this morning, Eastern Time. 5:00am Fully produced, fully written up. Great article. I watched, you could see here. I watched about half of it before I had to come in the studio. John's going over a blog post that was not published at the time. That blog post has in fact been published at this time. I'm going to link to it and let me tell you what happened, okay? Because this is something that you need to be aware of. Oh, I believe it was overnight. Okay, Overnight. The haircut fish. Overnight. Was it overnight last night? Hold on one second. They have the. The kill chain in here. Yeah, overnight last night. So just a few hours ago, the Axios JavaScript npm library got compromised. Okay? Now this is a supply chain attack for sure. We've seen this many, many times of open source software getting compromised. The problem, not the problem, but the. The reason that this is major news is because the Axios NPM package is used in like, it has like a hundred million downloads. Hold on one second. Yeah, dude, 100 million weekly downloads. Not 100 million downloads. 100 million weekly downloads. Now of course this isn't new users every time, right? It's people who are downloading updates, downloading newest versions, fixes, etc, but, but dude, that level of, of like you know, transaction is massive. Okay, so what ended up happening is one of the main developers of the project had his account compromised. Now it's still unknown how he got compromised because according to the report he has MFA enabled and he's not making bad choices. But threat actor got in the NPM package has been, the malicious one has been pulled down and right now if you were to install it fresh you'd be fine. Also I would recommend updating again. Ah, you got a Patrick. So you get a clean bill of health. But for a couple hours there from like midnight to 3am Eastern time, there was a compromised version which leads to the installation of a remote access toolkit on the endpoint of compromised hosts. Now what's really, really interesting is it's very clean, it's an initial dropper. So like if you install this thing, the first thing it does is reach out and download second stage payloads. It works on Mac, Linux, Windows, it has anti analysis capabilities. It basically cleans itself up after it's infected you and you might like. My initial thought was well what the hell does it matter? Like this is a web server. Oh by the way, just so you know, the whole reason that this thing is installed all over the place is because it allows for, it's almost like AJAX type capability. And if you don't know what that is, the Internet, like the way the Internet really works is very static, right? You request data from a website and it supplies it back and that's the transmission. Well when we have these like very dynamic interactive applications, it's because instead of submitting a request to the server, things like Axios is, is actually in real time using JavaScript to push and pull and push and pull and push and pull data. That's why when you're typing into a Google search and you type in SIM and then it pre drops simply cyber or whatever you're wanting. It's because data's flowing back and forth from the server and that kind of dynamic interactive experience is capable because of something like Axios. Okay so this is why it's so you know, ubiquitous on the Internet for those three hours these things got compromised. So my, my initial thought this morning was like I don't get why it's such a big deal. This is used on web servers and Web applications, I suppose, but, but the first infection, the first infection showed up and I'm not even exaggerating. 89 seconds after the library was compromised. And this is Huntress's EDR solution, detecting the compromise 89 seconds later. So when we're talking about speed of infection, dude, threat actor uploads a minute and a half later like you're still using the bathroom, right? Like you're like, oh, just update the packages and then go hit the head. You're still, you know, whatever flushing or washing your hands or you're walking back from the fridge or whatever and you're already infected. Okay? Now why is this so important? Because developers, workstations were getting compromised. And do you know what? Developers have all the tokens, all the keys, all the sensitive files. The. They are effectively very much power users when it comes to software and software development. CICD pipelines and you know, code bases. Look at solar winds attack by Russia. They got into a developer and did massive damage. Look at last pass, they got into a developer and did massive damage. So it's, it's a supply chain attack, it's a developer workstation kind of attack. They don't know who did this. But what I will tell you is the following. Number one, I'm going to link to this story below. Okay, so, okay, this is John's blog post. And if you don't know who John Hammond is, this is John Hammond, okay? The guy is a national treasure. Like, thank God he's a good guy. A lot of bad guys have used his code and proof of, proof of concept exploits to commit crime. And I know that John wrestles with that. But he's a good guy and we're very, very fortunate to have him. The blog post by John is very, very thorough. If you want to get all the nitty gritty details and the technical stuff, go for it. It's all in here. Great work by the Huntress team. But what I want to tell you right now is the easiest way to figure out if you have been compromised is. Come on. Well, first of all, figure out if you installed the, the, the malicious ones you can see right here determine if you're affected. This is basically a straight up walkthrough on figuring out if you're infected. Here, here's the actual source code itself of the problem. This is how to tell if you've been compromised by this attack, which happened eight hours ago. Okay, this is like literally breaking news. We need a breaking news sounder. Have you been affected by NPM or Axios There you go. Go look at that. But the final thing is immediate remediation. Okay. Npm install Axios114.0 or 031. So it depends if you're on the 0 branch or the 1 branch. Like the version numbers but just get on those and get over the hump. All right, so this is very much, this is very much where you need to stop the stream or send an email to the developers right now. I, I will tell you personally my sister in law is a, she's a senior developer at a software company. I immediately sent this to her and she said thank you. Like obviously we're using this like everybody else. I will get on this right now. This is, this is not a dink around kind of thing. Like see if this shows up in my feeds later. Like get this sorted out. This is everywhere. Thank you to John, thank you to Huntress. Also shout out to DJ B who says having an S bomb or software bill of materials S bomb it's referred to comes into play. Okay. It was talked about Friday at the Jawjacking segment by DJ B. But yeah, if you can do an S bomb you can know immediately that you have this in your environment. Okay, hold on. I don't even know if they'll be able to hear this, honestly. Okay. That's way loud in my ear. All right. Hey, we will have a breaking news sounder soon. DJ B. Sec. I'll have to figure out how to put this on my soundboard. It's like freaking level thousand volume. But thank you. I know you didn't know that. All right, let's keep going. Let's go on with more news. I put it in air quotes because this is like incendiary hot.

C (22:02)

MacOS terminal gets click fix attacks. Apple added a new macOS Tahoe 26.4 security feature that warns users and delays execution when pasting potentially dangerous commands into terminal targeting click fix social engineering attacks that trick users into running malicious codes. The system alerts users that execution was blocked and explains the risks though they can still proceed if they want to. The feature isn't fully documented and may not trigger consistently, so users are still advised not to run unfamiliar commands as attackers continue to exploit user initiated actions to bypass traditional protections.

A (22:51)

All right. Yes sir. Yes sir. In my, in my, in my best Tyler Ramsby impression. And if you've ever watched Tyler Ramsby, this mannerism is perfect. It's not perfect. I, it's, it's him. I, I don't know if I'll execute it perfectly. An SNL skit of Tyler Ramsey would absolutely do this. This popup from Mac OS preventing you or not preventing you, like absolutely warning you. Bro, bro. This looks like a click fix attack. Do not install malware on your own box. Ready? This is Tyler Ramsey's responses. That is so him. Listen, this is awesome. I wish Windows would do this. This would probably cut down on a lot of infection. Also I want to note out, very subtle but if you don't read this and you just hit enter, you don't paste it. So the default response is to not paste. A lot of people, a lot of people don't read the friggin pop up. They just click through because they're trying to get their job done right. They're just like click, click, click, clack, click. So this one way to go by the way. This is a fairly straightforward. Like control to put in place. It doesn't stop anything. It doesn't stop anything. You can still do what you need to do. But most, you know, aunt Dorotheas of the world, most Carls, they're gonna be like whoa, this thing looks scary. It's red. Everything says red. Possible malware like all these things, right? That's great. They could do this on Windows anyways, right? Like if you, if the command says powershell obfuscated code bracket IEX or pipe iex, then guess what? It's probably malware. Come on Microsoft, get, get going. How do we, how do we make, How do they, how do you get this? I guess that's the next question, right? Like this is great, but if your version of Mac OS doesn't run it, what good is it? Apple didn't specifically mention it in the Mac os Tahoe 26 for release notes. All right, well hey, this is one of those opportunities where you can get your end users to update their stuff. This is macOS Tahoe 26.4 release notes, which is like the newest version running now. This is notes about the SDK which that isn't going to help us. Listen, you can't convince end users to upgrade their machine because of security functionality being introduced or you know, malicious infrastructure capabilities being depre or not malicious but like insecure protocols being deprecated. That doesn't work. You need something like you, you get cool new emote tray or you get a cool new background or it comes with like an update to GarageBand or something like that. Whatever it is, make sure you're updating your Mac os. Ah, you gotta patch it. I'm telling you guys, Click fix is. Click fix is like a blight okay, so if you can get this extra feature, this extra functionality, way to go. Also, also, I might say I would even send out, again, it's me. This is me. I'm hyper communicative. I would send out. If you're. If your organization uses Max, send this out. If your organization's mostly Windows, you're going to confuse people. But if you have a distribution list that goes just to the executive team, because let's be real, they're all frigging using Max, send them a link. Hey, if you see this, like you are being tricked. You are being actively attacked. If you see this, you're being actively attacked. If you see this, please call me. If you see this, I will get on the phone with you or I'll come down to your office or I will do a remote session or anything. If you see this, like the dude, a picture's worth a thousand words. The reason that I lose my cool, or not my cool, my mind, the reason I get all weak kneed and, and with infographs is because you can communicate an ass. Sorry, you can communicate a boatload of information in a graphic and it has stickiness with a human. So if I say, hey, by the way, if you see a pop up in your Mac OS terminal, shell it, say, impossible malware. Don't click it. It could be a problem. Do you know how ephemeral that is? Do you know how people won't remember that? But if you say, hey, if you see this, you're probably running malware on your workstation, which I. You and I know that they're not running malware, but they're about to. Okay, holler to the executives.

C (28:04)

Russian court sentences Flint over card fraud.

A (28:09)

Oh, what?

C (28:09)

A Russian military court sentenced 26 members of the Flint 24 cybercrime group, including alleged leader Alexei Stroganov, to up to 15 years in prison for running large scale payment card fraud operation. Authorities say the group stole stolen card data through dozens of online shops, enabling global fraud that targeted victims across Russia, the EU and the U.S. u.S. Investigators have also charged Stroganov in a separate case involving the theft of hundreds of millions of card records and more than $35 million in losses. Though extradition is unlikely.

A (28:53)

Okay, first of all, this guy right here, this picture alone makes me want to punch him. I know it's not fair. I know it's not fair, and it's probably because he's a criminal, but just. Okay, by the. His name is Alexi Stroganov. Let's make the. The token you know James McCrecken at 35, 000 joke. This guy had to use multi factor authentication because his password wasn't Stroganov. Okay, so regulators. All right, so the Russians are sending him to Russian prison for up to 15 years. Up to. He must have. He must have done something wrong because, by the way, just normally Russian threat actors don't get held accountable by Russian authorities unless they're doing something to Russian government or Russian businesses or they refuse to play nicely. Let's see. Now, of course they're not going to extradite them, despite what you might think, looking at the world stage of how like Putin and Trump, like high five each other in the Oval Office, there's a very much a bricks contingent and then like a Western philosophy contingent going on in the globe also. I mean, I. I don't know if it's been reported or not, but, you know, like Russia helping Iran with drones and, you know, military approaches and stuff. Like. So anyways, Russia's not sending this dude over. I guess it's the TLDR from that Again, this is a cyber show. I'm not looped into this. They didn't open a bridge between me, Putin and Trump to talk about extradition of beef stroganoff here. I'm just saying. I'm reading the mainstream news and seeing what I'm seeing. Okay, all right, so this guy Flint, he was basically stealing credit cards, getting the CVV CVC codes, which I've never heard. Cvc, Just cvv. Here's what I'll tell you. Yeah. Russian prison is not a cakewalk. That's what I've heard too. I played Call of Duty Warfare, or I. What? It's been a minute. What's it. Whatever. There's a gulag that you get to go in at some point. Maybe battlefield, I don't know. This guy had $400,000 in cash. Okay, this is a large operation, guys. 11 regions, 60 locations. How many members? 90 online stores set up by members of the group. Basically, these guys are running scam websites to steal your credit card information. I want to point out, guys, I've said this before, but, like, update your threat model. Ransomware is still the number one threat that we need to think of. But pre2017, financial crime and carding, skimming, these techniques were. Were prolific. Fin7 threat actor was like dominating the scene. And then once ransomware came on, people realized they could get more money doing less work. And trust me, if you're a criminal, that's music to your ears. You're like this work. Sign me up, baby. So, you know, carding and skimming kind of went the way of the dodo, but now it's back in full effect, and, you know, that's what we're seeing with this dude right here. So this is a win for us. Meaning there's less bad guys out on the Internet. Yeah. Resulted in $35 million of losses for financial institutions in total. Not necessarily a. A little bit. You know what I mean? Way to go, Russia. Glad this guy is held accountable.

C (32:45)

Care Cloud probes data breach. Care Cloud disclosed a cybersecurity incident that disrupted one of its electronic health record environments for about eight hours and may have exposed patient data. The company says the breach was limited to its Care cloud health platform with no impact on other systems, and all affected services have since been restored. An investigation is ongoing to determine whether the data was accessed or exfiltrated. And while no threat actor has claimed responsibility, the company reported the incident due to the sensitivity of the data and potential regulatory and reputational risks.

A (33:29)

All right. Hey, way to go. Care Cloud. Like, they must have a good information security professional on their team or good ciso. Hold on. Of course I'm gonna. All right, Clear. What is it? Clear. Cloud. Care Cloud. Is it Care Cloud? Care Cloud. Care Cloud. Okay, hold on one second. Care Care Cloud. Ciso. See what this guy is, broseph. Holy crap, dude. This guy's in Pakistan. I don't know if he's the right guy. Here we go. No. Oh, I can't pull it up right away. It's too bad, because you don't normally see this. This is what I like to call responsible. You don't see that very often by, you know, for, like, publicly traded companies. This thing's on the nasdaq. They got compromised. They don't know who did it. They don't know really the extent of it. Their network was temporarily disrupted, and one of its six EHR environments was affected for eight hours. Based on the potential. They. They declared a compromise, and fortunately, their operational functionality wasn't. Wasn't screwed because they have good I. T. Architecture. Here's another thing. Okay, like, let me. So this is a nothing story. This company got hacked. They don't know what happened or how bad it was. They're up and running. What's up, Shimeria Gonzalez H. Town. What's up? Here's the TLDR Cyber Security, or the Cyber Team, or whatever you want to call us. Information Security Office and IT are partners. They're not. I mean, yes, if You're a small enough business, you do IT and cyber. But organizationally IT and cyber or IT and Information Security are two different departments and they have a lot of overlap and complementary things, but they're not, they have some things that are not aligned. Okay, for example, this is the easiest example. It wants five nines uptime all the time. I. Information Security wants to protect confidentiality, integrity and availability. So if there's an active compromise and Information Security wants to shut it down like John Taffer and Bar Rescue, it is like, nah, we're not going to shut it down. It's Black Friday and we're making the most money ever right now. So no, we're not going to shut it down. Or we can do a. Dude, I used to deal with this all the time at the hospital. You can do your maintenance window between 2 and 4am on Saturday night because we can't shut anything down. It's like this is actively a problem. So there's some conflict there. However, you can partner with each other for great security architecture complemented with great IT architecture. And in this instance they have six different, you know, EHR environments and only one got compromised. The other five were insulated and segmented off and not remotely affected in any way. You can achieve these things through firewalls, micro segmentation, privileged access management, you know, conditional access. There's a whole bunch of like controls at our disposal. But shout out to these guys and again, I like to give you additional insight. All right. Hey, Harish, doing some osin for us live says that company doesn't have a ciso, but they do have a Chief Strategy Officer and cto. Do any of them take care of that responsibility? No. Okay, so really quickly, again, giving you guys additional insights and value depending on the size of the company. Right? Different roles do different things. You don't typically see CTO take on that role. Definitely not the Chief Strategy Officer. Chief Strategy is much more around, like, how are we going to make more money in this, in this enterprise cio, a Chief Information Officer would be the next logical person who would take on Information Security. You could say CTO could be responsible for information security. If they don't have a CIO or a cto, I, I don't know to what level they are taking cyber seriously. I will say it is possible that they have a Director of Information Security reporting to the cto and that's a deliberate attempt organizationally to, to basically hobble Information Security. So it's crystal clear that they don't have equal footing with the IT Department. They're, they're very much a. Not a servant. What's the word I'm looking for? They are subordinate to it Again, so this conflict I'm talking about never rises. Yeah, B SEC saying CIO or VP of Security if they don't have a ciso, like a lot of times they're deliberately doing that in order to basically control information securities

C (38:43)

reach Citrix Net Scalar bug exploited A critical Citrix netscaler flaw is already actively being exploited days after disclosure. Disclosure with researchers at Watchtower observing attackers scanning and targeting vulnerable systems. The bug allows memory over read attacks that can expose sensitive data like session tokens and credentials and may actually consist of multiple related vulnerabilities. Security agencies warn netscaler devices are high value targets because they sit in authentication paths, leaving organizations rushing to patch as attackers move quickly to extract data from exposed systems.

A (39:31)

All right, for the sake of time, since I gave you the breaking news Axio story, we talked about Citrix netscaler vulnerability yesterday or is today Tuesday? Yeah, we talked about this yesterday or last week. I don't remember. We did. We did talk about this. My guy. That was a misfire. Also my guy. Ah, you gotta. Patrick. Patrick, your netscaler. What are you doing? Citrix is used everywhere. Like, you don't accidentally have Citrix. Citrix is a big boy. Netscalers are big boys. You don't accidentally have this. You don't have a developer randomly spinning up Citrix netscaler. You know, if you have it, go patch it. See you tomorrow.

C (40:20)

Huge thanks to our sponsor Threat Locker. Ransomware doesn't need to be sophisticated if it's allowed to execute. A growing number of security teams are shifting focus from detecting ransomware to preventing execution in the first place. Controlling applications, scripts and installers so unauthorized code never gets the chance to run. Learn more@threat locker.com all right.

A (40:50)

Holla. Oh, it just feels good. All right. Hala. Halahala. Hey, shout out to all of you. Thank you so very much for being here again, Threat Locker, Anti Siphon and Flare. Supporting the channel financially, Sponsors of the show, they allow me to do this retro synth wave background. They allow all of this lighting to happen and the Buffer Oer Flow studio. So guys, I'm serious. If, if you enjoy the show, if you're, you know, a. A fan, if you will. If you want to support the channel, don't send me money. Click on the link below. That helps the show. It's very easy. Check it out. And again, I don't take sponsors from products that suck. So I am a big fan of threat locker anti siphon and flare and appreciate it. All right, guys, every single day of the week has a special segment, and Tuesdays is Tidbits Tuesday. And I want to tell you guys really quickly, let's talk about hair, okay? Just. I'm gonna take you back. Okay, guys, this. I've been rocking this kind of style. Obviously, my hair is way too long right now, but I'm 46, right? I've been around the block a few times. I run different hairs. I want to share with you, but drop it in chat. Maybe you had a haircut. I. I know Jesse Johnson has a mullet right now by choice. Okay. When I was in high school, in addition to getting a lower back tattoo, another hot thing. Okay, that Hansel's so hot, right? I'm not even exaggerating because I was in, like, the skater click as well as the rustling click. So it. I grew my hair out really long, but just on the top. So basically, the side. The sides were shaved and the back was shaved. So only the hair on top was. I only had hair on top. So you could go like this and hold it, and it would look like I was a shaved head everywhere except this. And then you could put it, like, in a weird ponytail, or you could just put it, like a. Like a 90s version of a man bun up here, but for the most part, you would just let it hang down, and then you'd be like. You know, you'd be like. You'd have, like, 90s long hair, but then you could pull it up if you wanted. That was probably the most extreme haircut I've ever had. I also. I never ran, like, very long down the back of my head. Obviously, shaved heads quite a bit. I've been rocking this one for a minute, but this is absolutely too long for me. Like I said, if you're wondering if I'm dressing up like Cameron Diaz or something, something about Mary for my Halloween costume, you'd be right. I'm gonna. And if you don't know because you're young, let me show you. And I'm not gonna explain this in chat, but, like, basically, she. She puts some special hair gel in her hair, and she goes on a date like that. Okay? It's a. This movie's hilarious. And just really quickly, like, compare, please. All right, so anyways, drop your. Drop your hair. Your haircuts, your tidbits haircuts, your throwback haircuts in chat. What do we got in here? Side undercut. And blue hair. Turtle. Anime protagonist. A skullet. I guess maybe that's called Roswell's got a Mullet. Mullets are so hot right now. Oh my God. I don't know if you guys saw this viral haircut. Redhead. Lancelot. Oh my God. There's a guy going viral right now on on social media because he got like the most ridiculous haircut. I can't find it. Anyways, let the LA la's wash over you. Thanks for sharing your haircuts. I hope you enjoyed the segment. Like I said, it's just a little fun thing we do at the mid roll. If you're a first timer, let this wash over you. La. All right, let's keep cooking everybody. Thanks for sharing your stories. I hope you're enjoying the show.

C (45:51)

EC Downplays Shiny Hunter's Impact the European Commission said a cyber attack on its Europa EU web portal was contained quickly and didn't impact internal systems, despite claims by Shiny Hunters that it stole more than 350 gigabytes of data. Officials acknowledged limited impact to public facing sites, noting the data may already be publicly available and said defenses detected and mitigated the intrusion without service disruption. An investigation is ongoing to determine what data was actually accessed.

A (46:32)

All right, so this story was in the news yesterday. Shiny Hunters got into the European Commission and it was very formal or whatever. Remember, Shiny Hunters contacted bleeping computer to disclose this information showing that they had done it. The European Commission is basically pushing back on the severity of the attack. Remember when we're calculating how bad it's it is the impact of the attack, how wide was it reaching, what, what level of data sensitivity did it get? What's the long term impact? What was the blast radius of the attack? So I love this. The title of the story is European Commission Downplays Attack and then it says specifically in the story and I quote, the Commission did not specify what data may have been accessed or how many users were affected, and declined to comment on whether personal data was involved. So we're going to downplay it, but we're also not going to provide any detail on the who, the what, the how. We're fine here. Like nothing to see here. Please move along. This is fine. Here's the thing though, you can't hide. Like if Shiny Hunters has this information, they're going to release it and it's going to come out. So. 350 gigs of data, including databases, emails, internal docs. I don't know if they're going to pay the ransom. Let's say Pay. The word pay does not show up in the story. A dollar symbol does not show up in the story. So it's unknown at this time what Shiny Hunters is asking for. I don't like to go on the Dark Web because, you know, I. I don't want to take a shower again today. But for those who like to wade into the, into the mire, into the marsh, into the cabal coffers if you will, of the Dark Web, that was a magic reference. You can tell me. I'm sure it's on their leak site. As far as what they're asking OpenAI

C (48:42)

patches ChatGPT flaw over DNS data checkpoint Researchers disclosed a ChatGPT vulnerability that allowed data exfiltration via a malicious prompt, exploiting a hidden DNS based side channel in its Linux runtime, potentially leaking conversations and files without user awareness. The flaw bypassed built in safeguards enabling covert data transfer and remote command execution. OpenAI patched it on February 20th and said there's no evidence of real world exploitation. Separately, Beyond Trust, Phantom Labs found a command injection bug in OpenAI codecs that let attackers abuse GitHub branch names to execute code and steal access tokens enabling full repository access. OpenAI fixed that issue February 5th.

A (49:43)

All right, hold on.

C (49:44)

Manufacturing.

A (49:45)

I mean, like for real though, this one kind of caught me off guard. I love infographs. All right guys, so open AI's chat GPT had a problem. They say that they have no evidence to support that it was in fact exploited. I mean, this looks like a pretty thorough infograph by Checkpoint Research to explain something that didn't happen. But okay, they're basically using DNS for C2. I will say DNS for C2 is not uncommon. It's not a new technique, it's not innovative or novel. If you can send anything out of your network or out of your endpoint, I mean really out of your network and get responses. It doesn't matter if it's telegram, Twitter, blockchain, DNS, you know, anything you can, you can use it for C2, right? If you can send a ham sandwich out or if you could send a request to doordash out and a ham sandwich comes back with some, you know, obfuscated powershell code in it. That's C2, right? There's even been examples of oh my God, I think there's been like snail mail C2 somehow. Like I remember there's been some like bizarre uses of C2 that have been wicked slow and kind of unrealistic. But anyways, I will say, according to Mike Saunders at Red Siege. DNS for C2 is very effective. And if you're not looking for it in DNS, it, it, it's, you know, you won't see it obviously if you're not looking for it. However, if you are looking at DNS for C2, it will be abundantly clear that DNS is being used for C2. By the way, just again, I like to do everything I can to explain acronyms because a lot of people who are new to industry get overwhelmed by the acronyms. C2 is Command and control. Command and control is basically a concept of threat actor server on the Internet, compromised endpoints everywhere else on the Internet and how the attacker speaks to and controls that compromised endpoint, that is C2. DNS is domain naming service. It's basically translating domain names like google.com to an IP address. You know, 10, or not 10, but 11. Okay? Because humans talk in domain names, computers talk in IP addresses. And don't get me started on IPv6. I don't have time for a headache. All right, Open AI resolved this, so there's nothing really to do. All I would say here is since they said there was no exploit, probably not. What I would point out is that you should not think of this. This is one of the reasons why AI governance is so important and AI visibility is so important because these systems have wide reaching access and, and they're operating in, in many instances not, not fully autonomously, but on behalf of humans at, at machine speed, not human speed. So when a problem, you know, gets introduced or an AI gets weaponized to help a threat actor achieve its mission, you could probably, you could possibly not see it or the, the, the impact could be realized much quicker than you're expecting. Okay? And I know people are like closing that, they're like ending the stream because they're like, oh my God, this guy's talking about AI governance. Listen, I'm serious. You can move recklessly at breakneck speed and that's great. And maybe some of you will get to the end of the, you know, the steel beam over the 50 foot chasm, right? Meaning like, listen, say there's like an I beam 100 floors above the ground, right? You're building a skyscraper in New York. It's 1925, it's Empire State Building. You got this steel beam, yeah. You, you can have 50 people try to sprint across the beam, 49 of them are going to fall off and die, okay? And I'm not trying to make this hyperbolic and extreme, but just bear with Me, one of you is going to get across. Now if you got down on your hands and knees and kind of shimmied across the I beam, all of you would probably make it. It's not going to be as quick, it's not going to be as cool, but you're all going to make it, right? This is what like governance is in the world of AI. Like, just like, take a beat, man. Like, I get it, we got to move at machine speed. Our competitors just this, this is like one realized example. AI governance. It's so hot right now that Hansel. So hot right now.

C (54:55)

And healthcare share password struggles. Manufacturing and healthcare are top ransomware targets due to weak password practices. With research from Black Kite showing manufacturing as the most targeted sector for four consecutive years. Experts say both industries rely on legacy systems and prioritize uptime, leading to risky behaviors like shared credentials, weak passwords, or no authentication at all, which attackers exploit for initial access.

A (55:31)

All right, hey, really quick, I do want to say shout out to Roswell uk, who does a great job. I cover the stories and give you insights and stuff like that. Roswell UK regularly puts great information. Like obviously he puts dad jokes and talks about his mullet and his haircut and everything like that. But, but whenever I cover a story, Roswell UK typically drops some type of like, actionable step to complement what I'm saying. So thank you Roswell UK and everybody in the chat. Like, I, I watch him put these things. He's never putting like misleading information in there as far as like remediation steps. Yep. We're going to talk about Kathy's podcast at 9:30, definitely. All right, passwords, first of all, manufacturing and healthcare, the two most targeted industries for ransomware threat actors. So if you're running in healthcare or manufacturing, you might wanna, you know, listen up. Okay. All right, all right. So what are they talking about? Passwords. My password is password. Okay, good, good. Oh yeah. Again, I don't research or prep for these shows, so I don't look at these things in advance. But you can see right here the story's confirming what I already said. Two of the biggest ransomware targets. Okay, listen, here's the reality. Passwords are fine, but they are easy to compromise. People reuse them. We're trying to get passwordless. Okay, I have seen. Listen, two things and I'll make this quick for the sake of time. Manufacturing, you typically have a workstation that has three people that rotate so they don't log into the machine. It's just like on. And when I get off work, Jesse Johnson comes in and he sits at the same machine. Right. So you don't like log in like that. Okay. Manufacturing. You just. Whether it's manufacturing or healthcare, which has physicians who are getting burnt out by having to document everything, they'll just give nurses their credentials. They don't want, you know, patient safety takes priority. So they don't want any type of hurdles. There's a lot of struggles, I'll tell you really quickly, try to find alternatives to passwords. One example that I saw in health care that I thought was phenomenal is every, every physician, every clinical care team member has a swipe badge on them. I have seen implementations of the swipe badge basically being a physical credential for them to swipe, like tap to unlock the machine. Hyper effective, very secure, super easy for the clinical team. Very like security team. Loves it. Definitely look into that. Okay.

C (58:16)

Deep load to use AI for persistent evasion Researchers at ReliaQuest uncovered a credential stealing campaign called Deep Load that uses AI generated obfuscation and social engineering and to gain persistent access. Often triggered by fake browser prompts. The malware logs keystrokes, hides malicious code under massive volumes of AI generated junk code, runs under trusted Windows processes, and can reinfect systems days later via USB spread and hidden persistence mechanisms. AI driven attacks like this are increasingly eroding traditional signature based defenses, pushing organizations towards behavioral and runtime detection.

A (59:06)

Okay, so real quick, yes, for the sake of time, I'm going to Capture this in 30 seconds. AI to build evasion. Sure, sure, sure. The takeaway she said in the story was like, get away from signature based attacks, dude. If you're using signature based anti malware Solutions exclusively in 2026, you are going to get compromised, period. Full stop. I want to point out really quickly the story at the beginning. John Hammond's Axios NPM attack, all this. They detected it 89 seconds after the malware was introduced to the branch. 89 seconds. You don't do that with signature based attacks. It's behavior based exclusively. You have to be using behavior based attacks. So for this reporter to be like, oh, researchers are saying that, you know, signature base isn't going to catch anything. Of course it's not. You got to use behavior based, period. Right. And then credential stealing. Hello. You've got to have multi factor authentication which isn't a silver bullet as we discovered with the main developer on this Axios NPM package having MFA and getting compromised. All right, listen, for the sake of time, we're going to end there let's do this. All right, guys, it's been a banger. I want to say thank you very much. Eric is there. Hold on one second. Before I announce this yet, Eric Taylor is coming on for Jawjacking. We're gonna be mixing things up starting in April. I haven't communicated all this out to everybody, but we're going to be rotating hosts for Jawjacking, giving different flavors. We're gonna have some female representation on the Jawjacking panels, which is great. I've been talking to the women of Simply Cyber about that. Just there's a whole bunch coming. I just haven't had time because of RSA. But I want to tell you, at 9:30am don't sleep on this. You're gonna get 30 minutes of Eric Taylor answering your questions. And then what? Hey, what is going on? Give me, give me computer. And then at 9:30am Kathy Chambers Media. I'm gonna subscribe to that. Kathy Chambers Media sharing her Authentically Cyber Episode 1 Zero to Cyber Hero, Episode 1 of Authentically Cyber. Let's go support Kathy. This is her show. 9:30am Eastern time. Kathy's a long time Simply Cyber community member. She's a dear friend of mine and I'm a big fan. I hope you guys can support her and go check it out as she interviews Ray McElroy about her story. All right, guys, I'm Jerry from Simply Cyber Deuces. And until next time, stay secure. Get your questions ready. Eric Taylor's gonna melt your face with hot cyber answers. Until next time, stay secure. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field. Lot live, unfiltered and totally free. Let's level up together. It's time for some Jawjacking. We are muted. Well, Eric gets his audio sorted out. I will say he's got some dope beats going. Sounds like a little house lo fi hip hop. It's very nice. So what we're going to be doing here in a minute is Eric Taylor, this gentleman right here, deep digital forensics experience. He is going to be doing Jawjacking. Jawjacking is a 30 minute AMA where if you have questions about cyber security career, Eric is going to help you answer those. Also. I'm getting confirmation right now. Eric and I were talking about this. Jesse Johnson will be one of our talents for jawjacking in April. James McQuiggin at 35, 000ft will be one of our talents for jawjacking. In April. I can't confirm the any of the females yet, although those are in discussion, I think. Oh, there we go. I just got hot mic. Hot mic. All right, guys, I leave you in the capable hands of Eric. Eric, thank you so very much. And until. Have a good job. Jack and I almost said until next time, stay secure. Right?

B (63:46)

Yeah. Thank you so much. I forgot to change over my mic settings, so thank you all so much. As Jerry was saying, you know, definitely do the cues in there. You know, it's. It's been a pleasure. You know, this definitely coming to the news as you know, Jerry is saying, you know, this will probably be one of my last jaw jockeying sessions with you guys. It's been, geez, I've been doing this for what, two years now, roughly. Definitely co hosting and doing jawjacking. It's been a wonderful, wonderful ride and being able to hang out with everybody and answering questions. Let's make this the a best last one that you guys will potentially see me on a granted. Well, I'm sure Jerry will bring me in from time to time to answer or be able to fill in. But you know, my standing thing is it's going away, but it's gonna be good. It's gonna be good. Like I said last week, the, you know, allowing other people to come on will definitely be beneficial to the group. From call sign Moody. What would be a good approach to propose or convince a county government to separate information security from it? Separations of power. I mean, information security, I'm assuming. I'm going to go out on a limb here that you are referring to. Oh, we'll do the dolphin here in just a second that you're referring to like the security sock department. And for that it's. They should be. But they should be working together at the same time. Right. So should they be their separate department? Yeah, because they have separate roles, especially in the municipality. You're your. IT is definitely working on end user errors and setting up workstations and things of that nature. And your security team is definitely doing security aspects of things with that. Let's do the dolphin sound. All right. That's definitely seen a lot of that. What is your opinion on yubikeys? Who in your organization should use them? I love yubikeys. I've got many, many yubikeys. I think at least executives and well, anybody with administrative privileges should start using yubikeys. Those who don't know what a yubikey is. Let's see, I've been 3D printing containers. But these are if I can get the focus. Yubikey. This one is really nice ub. It's got the UBC USB C connection, so it fits most of your phones. It's also got the nfc, so that way when you're trying to authenticate and use it close to your phone, it's. It works in that fashion as well. So that's. I'm a huge, huge fan of Yubikey. Definitely, definitely like them. The one thing you got to know about Yubikey is the pain in the butt part is when you're setting up a new account or you can't back up a Yubikey. Technically you can't back up a Yubikey. The when like you're setting up MFA or you're trying to set up passkeys in, let's say you're trying to lock down your Facebook or your LinkedIn or whatever, you got to make sure you have any and all Yubikeys. And I Recommend at least 2, the primary and your backup. I personally have 4. So I have one that kind of stays on my desk. I got one that goes for travel, I got an emergency kit, blah, blah, blah. So. So at least have two for each person. So that way you set them up and just make sure the user is checking to make sure everything is synced, technically synced. You know, you got the same accounts on both UB keys and set the second one as a backup. That's going to stay in the safe or wherever is applicable for your office. Why Is it in 2026 we still can't get our mic sorted? Dude. Yeah, no, no joke. So I've. I forgot that. So you normally see like the DJI thing here and that's camera. And I forgot to change it over my AirPods because I got them over there charging because I just came back from a trip and I was using the trash out of them. So they're over there charging and I forgot to. Forgot to do that. Exactly. James mcguigan. Exactly. Thank you so much. GRC Garden Cardrail. Yeah, it's. It's sad to agree, right? It's been a staple on the calendar for years. But like I said, it's going to be good. You know, we're going to have some other folks in here given different perspective. And to be honest. Let's just be honest, ladies and gentlemen, having multiple people on Jawjacking gives a different perspective, right? And sometimes I do feel like I don't bring value to Jawjacking to some degree because, you know, I'm reiterating the all the same stuff over and over again. It feels like sometimes. How did you get into cyber? I was a hacker when I was a very, very early age. There's a lot of episodes here in Simply Cyber. There are some with Jack Scott there. There's a number, a number of them. All you gotta do is just look, I've been pretty open. Any. Anyone else seeing that tiny door behind Eric keeps slowly opening and get a hand because. No, so that's just. That's not a tiny door. That's a regular door. I'm just kidding. It is a tiny door. It's goes into the attic space. But I mess with people like. No, that's the normal door. I don't know what you're talking about. I'm just that tall, kind of crouch down enough so I. The office here is in the house but it's what we call a frog. Front room over garage and on that side is the air handler and stuff like that. So when you're going to work on the AC unit and stuff like that in the attic, you go through that door. That's what it's for. Thanks FedEx. I appreciate that, sir. Firstly, thank you for the two years and your insight. Secondly, what is next for you? Can you discuss it? Yeah, I mean we're just going to be. I'm going to be taking the energy. You know, we've got the new website finally launched, we're working through some blog posts. I've got a threat intel to do. But yeah, we're something that's been in the works for a year is really me pushing the barricade brand as much as possible. And while Dog Jacket doesn't take that much time out of my day, I'm sitting here just rambling. But you know, last year we really started trying to push everything into the website as much as can. So I'll be still very active on LinkedIn. While granted most of it will be first released under the membership platform within a week or so that gets released out on the general YouTube, the I've got YouTube just released courses. So I've got something I've been working on with the fortify. I've been injecting in the API some malicious stuff and going to be walking through how we kind of do becs. We're going to be talking about drone forensics soon. There's. There's a lot of stuff that we're getting asked to get into. So it's gonna. It's gonna be good. So. What's a question you wish someone would have asked you. Jawjacking but never asked. That's a good question, James. I didn't even think of that as a possible situation. The one thing I guess I would definitely leave everybody with and I think I've said it many times before, but in all seriousness, you need to have both the heart of a teacher and the curiosity to learn. Never let your head get so big that you think you know everything. Don't ever do it. That is the worst thing you could ever do. One thing I've always I mean I was even on a client call with a third party MSP vendor that the dude was brought in because he did pen testing and was now their security expert. I I ripped him to shreds on camera and it wasn't to belittle him. Even though that individual needed to be belittled because he was sitting there on camera with a smirk like he knew everything and he needed to be clarified. He actually knew Bunkus and my job as so we in a lot of these cases we are brought in as a to handle an incident and then the company's like we want to keep you around in case we have an incident and advise us to make sure we're preventing further incidents. That is my role. My role is to protect the client. No offense to the vendor, but I'm going to shred them seven ways from Sunday if I need to to defend the interest and the network of my client. And most of them get it, you know, and sometimes I even have to go back to them, you know, I even to this one and I just said, you know, did I overstep the bounds with these you Because I feel like maybe I did. But they're like, no, you, you're doing what we paid you to do. We want you to be brutally honest and we, we expect that from you. For you not to be that is would be out of character and because they know, they know me, they know I'm brutally honest. AKA why do the brutally honest podcasts which is coming out again soon. Thankfully. Once we get the new team member, I've got one in mind. So we'll be hopefully making a job offer on Friday. But that would be my biggest thing. James is my biggest. It's not a question, but I definitely want everybody to take away. Never let your head get big. Too big. Never let it get too big. Never assume, you know, everything. I I'm still learning. I've been doing it I don't know how many years and I'm still learning there's new things I never thought about. There's new perspective that I'm learning from somebody on LinkedIn or X. I'm like, oh, I didn't think of it that way. Yeah, that's a, that's a good call out. Right? It's always be learning but always do your best to take the time to teach the next person person as well. Because you know, this isn't, you know, anti AI rhetoric by any means, but AI to some degree will remove entry level positions. You know, we already see this with the outsourcing as you know, not to get political, but a lot of companies are looking for US based talent. But over the past years we've been outsourcing it third party countries. Nothing good or bad, it's just the way it is. And as you're trying to shift people back but you're using AI to augment some of the entry level stuff, I do worry about people getting into the space is going to be hard. So again, never let your head get too big and always try to teach the next person to bring them up to speed. Ask questions. That's, you know, that's the biggest thing to put too fine of a point. Always ask questions. Always. The one about biggest things is, hey, can you explain that to me? Like I'm a three year old, literally, like I, I want to understand the basics of what you're trying to tell me and, or teach me. I took your advice and bought The Wolf Box MegaFlow 3000. Best of it. Thanks for the plug, bro. Yeah, absolutely man. Question, what chair do you recommend? The one that works for you. So this one, I don't know much about chairs but the, this one is exterior. It's a tech executive or whatever. I don't know but it works for me. I like it. I know people that wear by other types of chairs. You know, it's the best thing, it's the best thing in the world to them. I would say just, you know, if there's a way that you can actually go somewhere and try out chairs, you know, people have different needs. They need like upper back support, they need lumbar support, they need a cushy seat versus anything else. Right. So question asking because I don't know but if an app is using Axios as a user agent, does the supply chain compromise have any effect? Yes, it does. Sorry about trying to, trying to laugh, but yes, absolutely right. And that's going to be one of the biggest things you're gonna. People need to start. I've been starting to Have I think I talked about this on a couple recent jawjackets, but I know I've been talking privately to organizations about this. But you know, this whole vibe coding thing is going to be a major problem. You granted every week you're seeing somebody, you know, literally every day, multiple times a day, new tool has been launched. It's all vibe coded garbage. Granted, some of it looks pretty cool. Like if you're trying to track the shipments and the planes and stuff that's going on in certain, you know, geographic conflicts, some of those tools are just recirculated garbage all doing the same thing. But they created their own thing and they're, they're messing with AI. So kudos to them. The problem I see going back to the AI topic is you're going to have organizations that are going to vibe code stuff to overcome a need or hurdle inside of a development or maybe even an entire application. And that's going to open up supply chain risk. Because let's just say hypothetically you are an msp. You're using an RN tool. Cassia Datto, Connectwise, Ninja, whatever. Datto. I'm not sure if it still is. They're owned by Kaseya now, but the RMM was publicly open sourced for built on like that was the biggest claim that they had. And they started, I believe started injecting AI for the code building and stuff like that. Maybe not. But let's just say hypothetically for argument, they did. So you got an RMM agent that is potentially again in this makeup scenario because I'm not 100% sure. So legal disclaimer.

A (81:16)

There

B (81:18)

is being augmented and vibe coded for some features to be built into the RMM agent. Okay, you're using a third party tool, let's just say cloud code, Grok Chat, GPT, gym, whatever tool that you want to use. But those are also using third, potentially third party stuff as well. So now you're injecting multiple layers of potential AI vibe coding stuff in your supply chain. Going to cause a problem. So, Favorite Pixar movie and why is I think this one? Oh, I'm just googling it. Who made this? I think it Disney made it. All right, hold on. I don't, I don't watch a lot of movies and to know which one is what. Okay, so it would have to be Toy Story. I knew Toy Story was on Disney, I just didn't know it was on. It was made by Pixar, but Toy Story would have to be it. And it's a little sentimental because that was some of Hunter's favorite stuff. And the spin off of Forky has a question still a running gag in in the house. So. What is one thing you wish you would have done, you would have done or done more of when coming up in the industry? I would have to say so those who don't know, you know, I stepped away for a long, long time. I always, I mean I did many, many years as being an industrial electrician commercial and ended up in the residential electrical space. I wish I would have got back into it sooner but. And you'll hear it on the other. On some of the other stuff when you start going through the I. Because you know of Hunter that's been around. Yeah, you guys have been with us for a long time. But you know, I had a family that depended on me and I didn't know if I could trust myself to stay within the confined spaces. And thinking back on it, I probably didn't. It took time for me to mature to get back into it. You know, the one thing I will always say, Kyle Kao, is. This might get a little sentimental but might cry a little bit. But the never look in the past. Do your best not to look in the past and look at woulda, shoulda, coulda. We, we can all live in that space. And unfortunately I live in that space too much even today. So I'm even talking to myself. Should I spent more time with Hunter? Should I done this, should I done that? We all can live in that space. You know, should I have not got in that car and got into that big wreck and you know, all we can do that all of our lives. No matter what the topic, Just make sure when you're looking back and reflecting on the pros and cons of anything in your life, make sure you're learning from it. It's human to go and reflect it is. Very much so. The one thing you can control is to ensure you're learning something or verifying that you've learned a lesson. Pro or bad, pro or con. I feel this is a lot, a lot more personal today and I love it. Question. Not a question, but a statement. I've got some big shoes to fill following you, Eric, but I'm excited to be involved. Dude, you got your own good shoes, man. You got your own. I'm. I'm like, I tell everybody I am just a fish in a big sea feeding some humble pie. I don't know about that, but I just want people to be genuine. Probably got that guy fired knowing that msp. No, I'M just again I'm just one guy. Let's see. Definitely gotta get caught up on some questions as we're coming up on the bottom. I don't want to approach on Ms. Kimberly or not Kimberly, but Kathy Chambers. How do you it's about without being arrogant. This would be the last one. Seriously. Making sure like I said before that. Always asking for feedback. Like I mentioned a moment ago that I even went back to my client and made sure that I didn't overstep my bounds and. Making sure that I was staying in lane always get client feedback on any and all engagements. All right everybody, thank you all so much again. I know we're coming to the bottom of the hour and we all need to go over and raid Cathy Chambers again. It's been a real pleasure being with all of you. It's been an enjoyable ride. Again, I'm sure from time to time Jerry will bring me back. But again, I have truly, truly, truly appreciated everything. I've been appreciative to be a part of the community and being on here and let's see what the next the rest of this year and let's let's see what the new personalities have to say. Maybe they'll agree, maybe they'll disagree. Let's see. I'll be up for it. All right y'. All. Until next time, stay curious.

A (88:53)

Hey everybody. I hope you enjoyed that content. Keep the cyber security train going by connecting with the other Simply Cyber Community resources. We have the Discord server that's lively and always keeps the conversation going. You can connect with me directly on LinkedIn and also every single weekday morning on the Simply Cyber channel. We're doing live daily Cyber threat at briefings 8aM Eastern time as well as Thursday at 4:30pM we're doing live stream interviews with industry experts and we produce videos that we push out every Wednesday morning. I'm Jerry from Simply Cyber. I hope you enjoyed the content and we'll see you in the next one.