Loading summary
A
Good morning, everybody. Welcome to the party. Today is Tuesday. No, Today is Wednesday. May 27, 2026. Hot Mess Express here at the Buffer Osier Flow Studio. I'll break that down in just a minute, but welcome to Simply Cyber's Daily Cyber Threat Brief Podcast. I'm your host, Dr. Gerald Ozier, coming to you from the aforementioned Buffer Ozer Flow Studio. And I want to say welcome to the party, pal. We are going to be crushing it over the next hour. Who knows what's gonna happen? I gotta tell you, I just. I just had to like, literally fight my computer in order to gain control of it. This thing is on its way out. I swear to God. Computer. We've been having on camera issues for months. And now you're trying to do it before I go live? Oh, not on my watch, buddy. All right, everybody, get your coffee, get settled. We got a great show for you. Let's cook to the show. All right, everybody, welcome to the party. As I mentioned, this is the Daily Cyber Threat Brief. One hour every day we're going to go through the top eight stories of the day. I don't know what they are. You know, why ain't nobody got time for that? That's right, I don't have time for that. But I will tell you, I don't need to prep for the show because I'm a cyber practitioner. Love this industry, 20 plus years, lots of education. Whatever the story is, we'll get the surface level lesson, like, you know, whatever manufacturing company, ransomware, you know, first world government passes regulation, whatever it is, you'll get the surface level. But what I'm going to do is double click down, give you additional insights and values from my experience. Experience alongside the Simply Cyber community. It is all about good times and helping people level up. What's up, Ms. Julian? Great to see her in chat. Ms. Julian, the magic the Gathering has been in full tilt over here in the low country. Looking forward to Wild west hack and fast and throwing down cards with you guys. Every episode of the Daily Cyber Threat Brief is worth half a cpe. So it's very simple. All you gotta do is go to Cyberthreat Brief, Simply Cyber IO. You'll see at the top here, CPE can also hit exclamation point, CPE in chat. And Nightbot will give you a nice clickable link here. Let me go do that for you. Basically, claim your cps. Yeah. Put your name in first, last, right. And then email@emailmail.com and then double check marks, hit that verification button and just do it once a day. No big deal. And then when the first of the month comes around, I'm going to email each of you your own personalized CPE certificate of attendance for the month of May. All the dates you attended will be there. My. My little John Hancock will be in the corner. Herbie Hancock will be in the corner. And yeah, we're classing up the CPE game here at Simply Cyber. Now, you might be like, wait a minute, what are we doing? I'm new here. Don't worry if you're new here. Welcome to the party, pal. We're super happy that you chose to check us out. Do us a favor, drop a hashtag. First timer in chat, if you would. You first timer. We're not trying to call you out. We're not trying to identify you as, you know, as an excluded party. What we're trying to do is welcome you to the party and let you know how welcome you are by saying first timer in chat. The rest of the Simply Cyber community, like space tacos here, will know to welcome you with our special emotes, our special sound effects. We've got a whole. We've got a whole vibe going on up in this mother trucker. So welcome to the party. All right, first timers, CPEs, it's all here, guys. Let me just tell you. I come in the studio, I get set up. No big deal, right? I've got multiple monitors. Many of you have seen my setup in the past. Cyber security, Cyber bo, bow tie, cyber guy. Robert, I need. I owe you a studio walkthrough. Still, it's not off my radar. Listen, I run power toys on my computer. It helps me write on the screen. It helps me do all these things. One of my monitors got zoomed in permanently, and I couldn't move the mouse off. I'm fighting it. I'm talking to AI on my phone, trying to get this thing unscrewed. I. I was going to have to reboot my whole machine. I got to tell you, I can get set up quickly, but it's not Trivial to open 19 different apps, get all the tabs up, Spotify podcast, all the things. Get the soundboard working. Come on. So, anyways, the good news is it didn't happen. Dread Hoser. I think he said cissp. Can I get a wrecking ball? I will say that typically we only play wrecking balls for jobs. Certs get the Ric Flair. Woo. But because you asked, Dreaded Hoser. And it's all about good times up in this piece. Congratulations on Crushing that cisp. Massive career milestone. I remember when I got my CIS P I was over the moon. Dreaded hoser. Yes sir. Yes sir. All right guys. Hey. Shows sponsors it's not possible without them. Want to say shout out? Love to Flair Flare Academy. Go to Simply Cyber IO Flare. Check this out. Simply Cyber IO Flare. I know TJ said he was in a training yesterday. Guys, tomorrow, tomorrow. Illicit Network Mapping. Listen, I never thought of using DNS to track down cyber criminals and use use it in forensics investigations. I don't know if I'll ever do it, but I sure would love to know how to do it. And I'm going to learn tomorrow in a two hour session presented by Flare Academy for free. I'm going to be able to use DNS to pivot to develop illicit connections. Guys, if you don't know what DNS is, this is a great opportunity to learn it. NS lookup Dig. These are classic command line tools that we've used forever. DNS is how the Internet works. It's the reason that online commerce is a thing. But it's also a powerful protocol. Also you can't really encrypt DNS because you got to be able to, you got to be able to resolve it to know you know what IP address to send the encrypted data to. Come on down. I will tell you Confirmed I am registered and will be attending this talk. So if you want to come hang out with me, hang out with other Simply Cyber Community members. This is where you want to go. Go to Simply Cyber IO Flare to learn more. Speaking of learning more anti siphon training, by the way, give me one, give me one second. I actually have a code for you guys. Give me one second. Of course I was fully prepared for this stupid magnifying glass. Let's see, simply Cyber26 is it? Yeah, I think this is the. Okay, so check it out. Anti Siphon training is putting on the Threat Hunting Summit 2026. This is a free one day virtual conference. Just because it's virtual does not mean you can't take advantage of LobbyCon. Okay? You can take advantage of LobbyCon, meaning you'll be in virtual discord channels talking to other people in between sessions, in between breaks. You can talk, you can engage, you can meet like minded people that are interested in leveling themselves up. And dude, I'm telling you, you're Gonna Love it. June 17th. You have plenty of time to get this sorted out. 10am to 4:30. Get six and a half CPEs. Get trained up now. The conference, the summit is free. Anyone can register. They do have live training and it is an assortment of different live training depending on what you want to do. They have threat hunting on the edge, living off the land. CTI with Wade Wells. By the way, Wade Wells will be my guest on Firesides tomorrow and we'll be raffling off a $575 ticket to this course for free. Like free to enter. To enter the raffle. Come check it out. Also, if you are interested in doing any of the training, any of the training, you can get 20 off that right off the rip by being a member of the Simply Cyber community. Simply cyber 2620 off code. And this is good right up into the conference. This is something that they did for Simply Cyber since they love our community over there at Anti Siphon, hooking us up with a 20 discount. You won't get anywhere else. Get check. Oh, John Strand's doing a network hunting training as well. Very cool. All right, so free Summit, great training at a discounted price. What more could you want? Go check it out. I'm going to drop a link in the discussion in the discussion in the chat below. Oh gosh, you know what? Shout out to Threat Locker. I gotta tell you some one of one of the Simply Cyber Community members who does not want to be named right now. He did not give me permission, just signed an offer letter with Threat Locker. So I'm not going to say his name. It this is kind of a thin wrecking ball but I'm telling you he knows who he is. And congratulations by the way. This guy interviewed with me like seven years ago and he didn't get the job and he took the right attitude and stayed in contact, leveled up and now he works at Threat Locker. You might be asking what is Threat Locker? Threat Locker is an application denied by default enterprise grade security application. They do it at the endpoint and they do it in the cloud. Now let's hear from Threat Locker and then we're going to go through the stories and I'm going to melt your face. I want to give some love to the daily cyber threat brief sponsor Threat Locker do zero day exploits and supply chain attacks. Keep you up at night, worry no more. You can harden your security with Threat Locker. Worldwide companies like JetBlue Trust Threat Locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com DailyCyber. All right, I just want to remind everybody, every day of the week has a special segment and Wednesdays is way back. Wednesday, I'm gonna throw a piece of retro tech at you. Gotta tell you, not the tech. I'm old, right? Like the gray in this beard is not just for men. Inverted edition. I literally am old and gray. And sometimes the tech is not so old that I did live through it. We're gonna go. We're gonna go. I got a fun one for you today. Perfect example of great technology. Bad market fit. But stay tuned for that, guys. All right, do me a favor. Soap flavored guy named 303Pocket Pixels. I need you to sit back and relax. Phil Stafford, you minx. Let's let the cool sounds of the hot news wash over us all in an awesome wave, guys. See you at the roll. Let's cook. From the CISO series, it's cybersecurity headlines.
B
These are the cyber security headlines for Wednesday, May 27, 2026. I'm Rich Drofalino Nimbus Manticore. Learning new tricks. This Iranian backed apt with ties to the Islamic Revolutionary Guard Corps, also known as Smoke, Sandstorm and Boherium, has been active online since at least 2022. It's known for targeting sophisticated actors in the aerospace, aviation and defense sectors across the Middle east and Europe. Researchers at Checkpoint recently found that the group is changing tactics and expanding targets to the US this has seen them switching from tried and true DLL sideloading to app domain hijacking. Using Trojanized installers for legitimate apps like Zoom and OnlyOffice to install an updated version of its mini junk backdoor check point notes. The group shows the ability to rapidly adapt to new approaches, to use new tooling and maintain infrastructure for persistence.
A
All right, so you know, honestly, like, well, first of all, guy named 303 with the gifted subs. Thank you very much guy 303. Did we just become best friends? Yep. And I want to say shout out to Chioma, Debor, Margaret, Robert or Mark Margaret O. Robert, Cloud Strife, Shane Kale and Lt. Gen. Lt Gen. 07 new squad members. Guy named 303. Very considerate of you. Thank you for spreading the love here at Simply Cyber. Okay, so check it out, dude. When the United States, you know, attacked Iran, you know, Iran and Israel got the thing going. Hold on one second. I Gotta fix the, the chat here. On screen chat. Can't have on screen chat not working. Do this. Hold on. How do, how do we, bruh, how do we. Oh my God. Guy, can we like turn it off and on again? You gotta be kidding me. Shut down source are not visible. All right, hold on, let me, let me try to do this. There we go. Is that working now? All right, good, good. All right, it looks like we're working. All right. So when the United States first bombed Iran and Israel was, you know, getting up in Iran's shorts. Iran is facing an existential threat, right? Like they're, they're, they're talking about effectively like the term genocide was thrown around at one point. So if, when you're backed into a corner, you will pull out all the stops. Iran, Iran, cyber capabilities, muddy waters. Which is kind of like their, you know, tier A or S tier if you want to be those people. Cyber threat actor group were hitting anyone and everyone that they possibly could and then it honestly kind of tampered down. I don't know if you guys felt that way. Like obviously the, the conflict is still going on the straight of her moves has turned into more of the linchpin than in necessarily the cyber attacks all over the place. But that doesn't mean that they're not slowing down. And this is what you need to know. It is a new threat actor. Nimbus Manticore. Again, the naming convention here depends on the. Whoever the Cyber Threat Intelligence Agency is that's naming that. So Nimus Manicort probably. Let's see if they are also apt. Other names. Let me see one second. See if they are Muddy waters. So they are rust, fly, boream, TA455 Iranian dream job screening Serpent, Smoke, Sandstorm as named by Microsoft. Again, these are all the same. These are all the same group, right? They just have different names based on the threat Intelligent group. So don't think that like Iran all of a sudden has like 15 different apts, okay? It, it is not muddy water. So there's that. All right, what are they doing? They are attacking. They're impersonating aviation and software businesses across basically us, Europe, Middle East. So all of the allied countries against Iran, which makes sense. And they're using it to install backdoors. So they can, you know, basically the reason you would install a backdoor on someone's computer is so you can come and go as you please and install malware either for destructive purposes like terror attacks or for espionage purposes. So you can, you know, read emails or Steal whatever intellectual property you want. Chances are like looking at Iran's situation, I would assume it's both for espionage purposes to figure out what the hell is going on, but also, you know, coordinated destructive attack. Like a wiper malware. Go look at striker. Right. If you want like a perfect example of what I'm talking about and why. Why I would suspect this. Hold on, man. What wasn't it called Stryker? What am I missing here? Not Stryker. Medical Wipes. What the hell, what's the name of the. Hold on, I thought it was Stryker. Okay, Medical company hit by Iranian wiper virus. It was just a couple like months ago. Yeah, Stryker. I'm not friggin like out of my mind here. Stryker Corp. Wiper, Iran. Yeah. So anyways, this happened what, March 11, right. So two months ago this was kind of like, you know, from Go. Iran did this. So the way that they do this is they could, yes, they could just install these payloads and do drive by hits and stuff like that. But if they have a back door on critical systems, imagine they have a back door on a deployment server that pushes updates to endpoints. Right? Those kind of things. That is where it's at. Now it sounds like they're attacking individuals specifically. Kind of just a scatter shot. Another thing, we hear spear fishing and you hear fishing. Remember fishing? Fishing's like throwing a net into the water. And whatever you catch, you catch. Spear fishing is like exactly what it sounds like. You've got a spear and you're going to target one big fat fish and you're going to jam. Jam it. This right here is more of a spray and pray you get something. Attack. They're using SEO poisoning. Search engine optimization poisoning. The idea behind this is that somehow threat actors are great at marketing the librarian, AKA Christina Paulika. If she ever wanted to become a threat actor, she would crush it with SEO poisoning. But the idea is that they get to the top of the Google search results and when you type in Zoom installer, instead of getting the official Zoom installer, you get some type of trojanized malware that installs the Zoom client, but also installs these mini, what do they call it, Mini junk malware or mini jank malware. Jank being the way that Zach Hill plays Magic the Gathering with his janky decks. Okay, so you could see they're moving. What do you need to do about it today? Listen, number one, if you work in aviation or software, which I know are wide swaths of industry, you have an increased likelihood of attack by this Iranian based threat Actor. Now that doesn't mean you kick in your boss's door and you're like, oh my God, oh my God, Iran's after us. Just chill on all that. But know that you have an increased likelihood of attack. Also if you are involved in any type of like defense industrial base or supply chain into the, you know, European American war machine, you would have an increased activity. Also. Also, if your company is in aviation or software, but you have very public alliances or ties to Israel, you could have an increased activity simply by virtue of the politics of this thing. A lot of Israeli based companies are cybersecurity software companies. Israel has great cyber security capabilities, so it is possible for that. So just be mindful of all of those. The reason that I'm not saying AI is not going to take jobs and stuff like that, but one of the reasons that GRC is so valuable and so important is because we don't just calculate a value. And here's your risk score for 2026. There are so many dynamic variables when we're calculating risk that it changes very, very often. It's almost like, you know, these like screensaver backgrounds that look like ne. Like Mac does it all the time. Apple's it's like this nebulous kind of abstract color thing that's like dark and it's like bubbly and stuff like that. That's what risk is. You can't really put your arms around risk. All you can do is kind of keep your eyes on it and constantly be adjusting to it. So Nimbus Manicore, you busted. Okay, let's keep going Fishing moves to
B
real time credential harvesting. Researchers at Google's Threat Intelligence Group warned that it's seen increasing sophistication from phishing as a service operators. Within the broader Asian cybercriminal ecosystem there's been a shift from static password harvesting to real time interception. These operations target the general public with phishing lures that spoof non Chinese entities. These use encrypted RCS and iMessage channels to deliver phishing messages, making it harder for infrastructure layer blockers to be effective. Operators then seek to capture one time passcodes in real time to bypass MFA and ultimately get victims payment cards linked to an attacker's virtual wallet. It's believed many of these efforts are aided by AI automation as many providers show a lack of usual operational security and cyber hygiene. While when advertising these schemes, Iran.
A
All right, hold on. So China, China, China's the title says threat actors ditch static fishing pages for live credit interception. Okay, so like let's like okay, nice buzzword bingo here. So let's actually dig into the meat on this one. China has long been amazing at espionage. Listen, if I'm drafting a team, I've said this on the channel before. If I'm Drafting like the 1992 Olympic men's basketball dream team, but for cyber threat actor capabilities. And I like, my strategy is to go with espionage. Nsa, you're cute, I love you, obviously, but China's got to be my first round pick. They are awesome at espionage. Okay, so let's see what they're doing here. Let's see GT Notes, whatever. Instead of relying on traditional sms, which is, you know, whatever fake text messages, they've shifted to encrypted messaging protocols and Apple imessage to deliver phishing lures. Okay, okay. Attackers can interact with victims in real time to capture one time P. Okay, so all right, here's the deal. I mean this is kind of gross. This is. Hold on. They do have a graphic here. Let's take a look. Are you saxophone worthy, bro? Not really. All right, here we go. Let me, let me just break this down for you really quickly. What they're saying is that there's an evolution in fishing. Instead of just sending you a link saying that you have like an outstanding toll violation or you miss jury duty, click here or here's an invoice, click here. And then they go and log into some fake look alike web page and give up their creds. Because multi factor authentication is getting deployed all over the place. They are offering now the opportunity where there is a human threat actor waiting. And then when a victim does things like types in their username and password. Threat actor attacker will interact with the victim in real time in order to steal those one time passwords, those you know, six digit text messages and stuff like that. I've got some thoughts on this really quickly. Number one, let's go through the workflow here. Victim perspective on the top, threat actor perspective on the bottom. The victim clicks on the link and the text message. The threat actor then looks to see if the victim is somebody they want or not. That's another Sean Saylor's has got an update. What's the Sean Saylor's update mods? Can you see what Sean Saylors did? People are a past Google assessment for threat analyst mandate custom intelligence role. Oh, nice job dude. I love it. Let's go. All right, so hey, here's one thing that you may or may not know. If you're, if you're junior you're not, you know, indoctrinated in this stuff. You might think that, like any victim that a threat actor catches is they take them and they bag them, right? Actually, actually more advanced threat actors will actually look first at the victim to see if it's worth going on to, to the actual compromise face. So this is the equivalent of like catching a fish and then like throwing it back in the water because it's not, you know, it's not over ten pounds or it's not a halibut or whatever, right? So advanced threat actors will not just catch everybody. And part of the reason is it, it. It's like less likely to ex. To expose their criminal operation if they catch everybody. There's a lot more victims walking around talking about, oh, my God, I got caught here. If they only take the choice meats, right? If they only take. They only take the fat whales, right, Then the, a, the, the, the criminal infrastructure can persist longer. All right, so let's assume that they are a whale. They are going to present the initial fishing landing page, which is a static landing page I want to point out really quickly, which is why I was dubious of this article title to begin with. They're not ditching static fishing pages, my guy. They're actually using the static fishing pages, but increasing the attack by then introducing live credential interception. So words matter, like, don't, don't you, don't you dare mislead the cyber security professional reading this story. They're literally handing them a static fishing page. That's step one. It's actually step two. I'm just pissed now about it, okay? Once they get their creds in there, the threat actor saves it off. You know what, dude, this is like lame af. Like this whole attack sequence, this whole graphic right here, is just the traditional threat actor phishing attack. You can see that the victim gets presented with something. They put in their creds. Threat actors stores it in a database, continues to do a man in the middle or adversarial in the middle attack. That's all that's going on here. This is an adversary in the middle attack. They push the creds through, request the next page from the actual target. The target gets delivered to the victim. The victim then puts in the second set of credentials, MFA or MFA, you know, OTPs or whatever. Then victim gets sent to actual website while threat actor saves off creds, OTPs, session tokens, and goes about their business. Victim is none the wiser. Threat actor has all the things they want. I don't know, like maybe I'm missing the point here, but like this doesn't seem like groundbreaking innovation. Like I don't think we're. Somebody stopped the presses. We got to send an urgent extra, extra update on this one. This is, this is changing the game. No. And look, by the way, I don't, I don't research or prep for these in advance, by the way. So. I don't prep for these in advance. So I, I like, you know what I mean? I'm wondering if it says adversary in the middle. Hold on one second. James McQuiggin is confusing me here. All right, let's continue on as it
B
will reopen Internet access. According to state media reports, Iran's president Masood Pezeshkian issued an order to restore Internet access nationwide. According to netblocks a lot of people
A
welcoming Poltergeist167 into the chat. Poltergeist. Welcome to the party, pal. Welcome to the party. Love it. Thank you. First timer from Team Replay. I love it. So a regular on the replays making it to the live chat. Poltergeist. I know you know what the show is, but I hope you enjoy the living heck out of today's programming here live in the chat. Love it.
B
Iran cut off international Internet access 87 days ago after initial strikes were made by US and Israeli forces on February 28. This followed another multi week Internet blackout that started on July 8th following massive anti government protests. It's unclear how and when Iran will restore access or if the country will change its existing censorship policies. All right, India wants.
A
Hold on. So this happens occasionally. It's annoying af. I'm sorry, I'm sorry. Like, listen, I think I have some form of ADHD or I, I don't know what it is. I'm not diagnosed. I was supposed to get diagnosed and then I, I skipped the appointment. But this, these two stories are in. Not in order. He just did the Iran one. While I'm staring at an India wants 12 hour patches story. So give me a second. I've got to, I've got to get this re reestablished here. So Iran's president orders reopen of international Internet. Okay, so what did Iran do here? 90 day BL blackout. It wasn't a blackout necessarily. They had access to the Internet internally. Honestly, you know what this is all about. Normally when you see Internet blackouts in the country, it's authoritative regimes suppressing authoritative regimes suppressing their citizens from being able to coordinate and have anti government protests. Now it does say they initially imposed it because of anti government protest. But if I had to guess, it's to prevent, you know, first world power cyber capabilities from attacking them. You know what I mean? Like, good luck attacking our critical infrastructure of the Internet's not up. Like you're not going to get any of that. Hopefully over these last 87 days, you know, for Iran's purposes, hopefully, they have been working diligently, putting in firewalls, putting in ACLs on the kind of. At the. Well, I don't know, can you put in. I need some network engineering, deep expertise. Can you put in like ACLs on BGP? So ACLs are access control as. BGP is border gateway protocol. BGP is like secretly how the Internet works. Most people don't know this. I. And if you know it, I know you know it. But like BGP is how the Internet works. It, it. BGP is what connects ASNs, or I think those are autonomous service networks or autonomous system networks. The. Oh my God. It's like every time I try to say something I have to go up one level. The Internet is basically just a network of networks, okay? So period, full stop, the Internet's a network of networks. Those networks are ASNs. ASNs communicate with each other using BGP. Now, anytime you have network to network communication, you can use firewalls and have access control lists to allow communication. I don't know if you can do ACLs on BGP, but if you can, I see Kenneth J. Saying yes. I don't know if he's answering yes to my question, but I could see Iran having somehow done this with their ASNs. Iran may only have one ASN. How many ASNs does Iran have? Iran may just have one coming in. Holy Jesus. Iran has approximately 700 to 900 allocated ASNs. That doesn't mean they're all active. There's 480 that are currently active. So I mean that. I guess that's what I'm saying, dude. Like with 480 ASNs, those are 480 entry points that a nation state. I don't know the United States could leverage to get into these type of things. Dan Reardon, asking the Internet, can you put ACLS on bgp? Let me give you the answer, Dan Reardon. I like to think of Dan Reardon as my Ed McMahon. Okay, yes, you can absolutely use ACLs within the BGP, securing BGP sessions at the control plane and filtering BGP routing updates. So the BGP routing updates is what I was thinking of. I didn't think of the control plane protection, but I mean it that's kind of makes sense right? Like protecting it from being unauthorized access. So today I learned ACLS on BGP is a thing. I think that's what Iran has been doing these last 90 days or whatever. If you want another example, Brute7679 is talking about IPv8. I thought that was a joke, but it seems like you're serious. Holy crap. If you want an example of how authoritative regimes can suppress populations from anti government protesting, check out Turkey Protests, Corruption, DNS, Google. There's a really great story here. I mean it's, it's a horrible story. But for the example of making this point in Turkey in 2014 like the the leader of Turkey was like using the Federal bank like his personal slush fund and it came out and the people of Turkey were flipping out and they were coordinating over Twitter. It, it became really popular or famous story because Turkey's way of blocking the Internet, such a, such a ham fisted solution. The way that they blocked the Internet was by not allowing Twitter's DNS resolution to resolve Twitter's IP address to resolve. So people started changing their resolvers to Google DNS which circumvented that lame a control that they had also Quick shout out. We've got bonus value for today. Dan Reardon Haircut Fish bringing the heat on BGP protocols. Want to let you all know Dan Reardon AKA the Haircut Fish has actually developed a python script that is free and you can use today to know if an ASN is actually reputable or not. Thank you Dan. Dan Reardon with the ASN Integrity Checker.
B
Let's keep cooking our patches. This comes from new guidance from the Indian Computer Emergency Response Team or CERT in which urges organizations to meet this timeline for actively exploited Internet facing vulnerabilities. The guidance lays out a further triage timeline for less severe vulnerabilities ranging from one to five days. This guidance was developed in response to AI enhanced exploitation and also includes a framework for zero trust architecture encourages the use of AI bill of materials and other best practices. India has had a requirement to report cyber incidents to Cert in within six hours of detection since 2022 and now
A
a huge that that was like buzzword bingo. I don't know if like Rich Strofolina was trying to like do that on purpose or not but like we heard zero trust architecture, AI vulnerability man, like all the things. Okay, so the country of India, a lot of countries have certs, right? C E R T Not to be confused with you know Slay cert. Not to be confused with cybersecurity certificate certifications, but Certus Comm Computer Emergency Response Team. And it's basically like the firefighters for the country when it comes to cyber incidents, kind of. Okay. And they also provide guidance. Etc. Dude, I am cold. I'm gonna have to put on a cardigan in a second. So they are coming off the top rope saying that AI has introduced a shorter meantime to exploitation. I don't know if they said that specifically, but I'm coining that term right now. Meaning that when a patch. When a patch comes out, right? Oh, you got a patch. It. Ah, you gotta patch it. The idea here is it's not zero days, okay? It's like Microsoft releases, Releases a patch, you know, whatever. Avanti releases a patch. They are saying that AI is so good that the AI can reverse the patch and flip it, rub it down. Oh, no. And start exploiting your stuff almost instantly. Which, by the way, is fairly true. Okay? You can use AI to spin, reverse these patches quickly develop exploits, etc. Right. Mythos, anthropics. Mythos is probably quite capable of doing this. So what they're saying in all of their brilliance here is 12 hours patch deadline. So this is. This is the deal. If a patch comes out and you've got a vulnerability for it in your environment, you have 12 hours to patch it. Now, if I may, Dan Reardon, can I please have the magic, the gathering. Gather round the campfire green card. Because I would love to spend a hot GRC minute on this. And I know we're a couple minutes over on time, but please grant me grace as I spend a minute on this one. Okay, here we go. Gather round, GRC people. This is what's up. Number one. Do you know how many times I have seen leadership in the past 20 years? Okay, say, oh, you know what we need to do? We need to patch faster. That'll fix the problem. Let's set a policy. 12 hours. Let's set a policy. One hour. Let's set a policy. 72 hours. Hey, the state of South Carolina. If you're. If. Thank you. State of South Carolina. If a citizen's information is breached, the company has 72 hours to notify them. Gather around the campfire, y'. All. This is a magic card. Okay, Let me. Let me explain this to you, okay? This is fine on paper, everybody that's wearing a suit or like a, you know, pencil skirt with a blazer, you know, I'm not a woman. I don't dress like a Woman. So I'm assuming that that counts as business. Professional business attire. They all say, oh, you gotta patch it instantly. I feel like our work here is done. Shall we go grab, you know, a round of golf or should we all go hop on the yacht? Hello. Hi, I'm Jerry. I live in reality. Listen, you cannot apply patches in 12 hours. You absolute. Like you're. You. Like, it doesn't even make sense. Listen, let me, let me explain to you what happens, all right? If you get 12 out, if, if it's 5 o' clock at night and you just punched out for work, you're not even going to be back to work within 12 hours. How can you possibly meet this demand? First of all, that is stupid. Second of all, my guy, if you just smash the patch button, vulnerability management wouldn't be a thing if all we had to do was hit the patch button. You can get one of those fraking birds that has water in its butt that Homer used to push the key with when he turned in when he got heavy and was working from home. Homer Simpson. Okay, I. I can write a script that pushes the button every 15 seconds. There's a reason that you need a human there, because sometimes when you patch something, it breaks it. Sometimes when you patch it, the patch doesn't take. Sometimes when you try to patch something it's not connected to the mother ship, sometimes you have to test it. Sometimes applications break. Like, sometimes it bricks things. Go. Look at crowd strike when it patched something two years ago. Crowdstroke. Okay, so 12 hours. This is the most tone deaf executive, like, boardroom decision that is not grounded in reality in any way. Now, like, trust me, I get it. I get it. AI is rapidly changing how quickly they can weaponize patches. But, but this, this is. I, I don't want to call it lazy. It's just not informed. Like, did you not talk to anyone that actually works in IT or cyber when you made this decision? I don't know. I don't know. May. Maybe I'm wrong. Oh, listen to this old guy who's not really getting with the times. What does he know? Well, what I know is I've seen tons of people patch things and break things, and when you put a, like, blistering hot time frame underneath it, what are they gonna do? Here's. Here's what I'm gonna do. So if I don't meet this, I'm non compliant and I'm not doing my job and I'm fired. All right, well, you said it, boss. Patch, patch, patch. Break. Brick, wipe downtime. What do you want me to do? Why is the Internet down, Jerry? I don't know, boss. Because you told me to patch the friggin firewall servers within 12 hours and we had zero time because I. When I got to work this morning, I was already seven hours late on patching this thing from overnight. So what do you want me to do, huh? What do you want? You're the one who said 12 hours. Here, here you go. Here's a button. You push the button every 12 hours and then I'll ask you, why is it down? Sorry. Sorry. If you've worked in vulnerability management for a minute, you know the apathy is real.
B
Thanks to our sponsor, Guard Square. Is your mobile app truly protected? Relying on the OS isn't enough. A global study of 1300 security and developer leaders found that 96% of teams using layered protection reported significantly fewer security incidents. Don't wait for a breach to harden your defenses. Get the protection needed for modern security risks. Learn more@guard square.com all right. Knowledge Deliver delivers Back door.
A
All right, all right. What's up everybody? Welcome to the mid roll. Thank you for allowing me. I love this show and I love this community, guys. Thank you. It's not every forum where I can just absolutely voice my internal monologue. Thank you to the stream sponsors Threadlocker Anti Siphon flare for not trying to control me. All right, guys, I do want to say really quick shout out to all of you. Thanks for being here. I just want to let everybody know I put a cardigan on backwards. This. This actually like upsets a lot of people in the community when I do it. So I felt like letting them know. I run a wire down my back. If I put the cardigan on, it pulls the wire and rips the earpiece out of my ear so my arms are cold. That's why I'm wearing my sweater. But I got it on backwards for convenience. Just let everybody let that wash over them. Okay? Now every single day of the week has a special segment. And Wednesdays is Way Back Wednesday where we kick it old school. I'm big on nostalgia. The Kool Aid man is in the emo tray for a reason. And I just want to share with you this, okay? Way Back Wednesday, guys. There was a point at one point where like there was a very small window between having needs for external hard drives and USB drives. When USB drives came on the scene, they absolutely eviscerated the jazz drive zip drive scene. But basically, back in the day you would have, you'd have, you know, floppy discs basically, right? You'd have three and a. Three and a quarter. Three and a half, I think three and a half, five and a quarter. And they could hold like one mag, two megs. Dude, like seriously, like multi part. Multi disk installers. Let's see if I can get a graphic of this. Like, dude, back in the day. Oh my God. Let's see if I can find this. Like, I can't even find a good graphic. Back in the day, if you wanted to install like Windows or something or Photoshop, you'd have like 30 discs and it would be like, insert disk two, insert disk three, insert disc four. Dude, it was like forever, okay? Forever. And then, and then on the scene came Jazz drives and zip drives. And these things were hot. They were 100 megabyte drives, okay? 100 megabytes. You were the bee's knees walking around with one of these suckers, okay? And then like immediately the USB drive came out and just absolutely destroyed this market. So. So anyways, yeah, I just want to say shout out to jazz drives, Zip drives. I feel like zip and jazz drives with like the two competitors in the space. But also just bonus, bonus for the. The multi disc installs. You guys remember multi disc installs? Oh, yeah. Here we go. Thank you. Here we go. This is it right here. This is it. You want to install Microsoft, you want to re image your computer, you better pack a lunch because you're gonna have to install like literally disc 23, disc 24, disc 25, and forget about it if you lost one of these discs. Oh, my God. All right, so that's the way back Wednesday, hopefully. You guys feel your neck is a little stiff from the whiplash of going back in time on this one. All right, let's finish strong.
B
Delivers backdoors. Researchers at Mandian discovered a campaign impacting Digital Knowledge's Knowledge delivered elearning platform, which is particularly popular in Japan. This exploited a zero day that was able to exploit known hard coded values in the platform's web config file, allowing for deserialization attacks against other deployments. The attackers used Godzilla web shells to pull down further payloads to the machine, learning, ultimately infecting with a cobalt strike backdoor. All Knowledge delivered Deployments prior to February 24, 2026 are vulnerable.
A
All right, no code. Ah, you got a Patchett. Here's the deal. It's mostly in Japan for the sake of this story. If you're running a LMS learning management system platform that uses knowledge delivery as the infrastructure, so think like if you're running Canvas instructures solution that's not knowledge delivery. Again it's mainly in Japan so that's kind of where it is. They basically had hard coded values in installation scripts so threat actors found it and basically could exploit it. Once they exploit it they can install or they can deploy Godzilla web shells which is deployed in memory so not written to disk. And once you have a web shell you can just basically do remote code execution once you know. I guess the first thing they're doing is installing Cobalt Strike which is a post exploitation framework. Gives a lot more utility, a lot more visibility of the compromised systems and compromised network if you would like. Mandian has gone ahead and done some good work by providing IOCs. Where are they? You know, it's annoying. I hate when news stories say they provided IOCs and then they don't have a link to it. So Mandian IOCs knowledge deliver malware. All right, I guess you'll have to do the work yourself. I'm sorry, I. I tried tried to find a zero day. I mean not a zero day ioc but there's no links here. All right people having a good, a good time on in the chat with way back Wednesday TRS 80 from Radio Shack. Yes the T's were quite hot. Tech grunt Classic live demo problem not having that drive it there Cyber Shin Andami knows the knows the struggle didn't even have a hard drive on the computer. I think Commodore 64 had a a little bit of a hard drive but it was a lot of disk. Yeah.
B
Comes to malware ESET researchers published details on an Android remote access Trojan called btmob which ships with commercial style packaging and includes an APK builder to let buyers generate new payloads and reconfigure phishing lures without any coding. Ultimately, BTMob is capable of full device takeover by abusing Android's accessibility services. This malware as a service operation is sold through Telegram channels as well as X and Instagram accounts, offering a $5,000 lifetime license plus additional monthly support fees. Researchers saw this operating mostly in Brazil and Argentina with operators posing as streaming services, major brands or tax authorities.
A
All right. I mean this is not new, but it is. I haven't seen it in a while, so it's cool. Cool in the sense from a cyber academic perspective. It's not cool for me and you as practitioners. Basically somebody on the Internet has developed a essentially a wysiwyg or what you see is what you get. Malware builder tool Again, malware builder tools have Been around forever. They allow script kiddies or individuals with little to no technical capability to build custom malware. Let me show you custom malware builder checkboxes, old school dos. See if I can find an image here. I don't have, I don't have one necessarily, but I've seen them in the past. If you've seen them, you've seen them. Basically it's like a bunch of checkboxes on like what do you want it to do and what binary do you want to infect? Like Trojan eyes and it would just do it for you. Now obviously the signatures are pretty obvious and you can block it, but that, that was in the 90s that you could have done that. Now this Android one is, is current. For five grand you get a lifetime license. Not a bad business model for this threat actor selling B2B essentially. Now this will allow anybody to build a malicious Android malware. The threat actor still needs to get the malware installed on your Android device. There's a bunch of different ways to do it, right? They mentioned in here faking it to be like stealing paid streaming services. Like imagine if you will, you, you launch some type of Android app that claims that you can stream Peacock for free or you can stream Hulu for free. Right now, obviously it's bull crap and it's going to get ripped down. But for the, for the individuals who don't have money that really want to watch season two of the Bachelorette. And again, I don't follow Bachelorette, so I don't know if it's on those streaming services. But my point is these are targeting individuals, most likely in a pray and spray like volume type attack. So if I can convince a thousand people to install my app, that isn't going to work. And then I'm. I'm able to escalate privileges because Android's accessibility features allow that I can then compromise up to a thousand devices and then potentially do further attacks, right? I can either wipe their phone and hold it ransom. I could steal their pictures and extort them. I could install further malware. Like there's a lot of financial crime Android malware right now where like it does like a transparent overlay to steal finger pin codes and stuff like that. So there's a lot of different opportunities. Again, I like using Android, not that it's invulnerable to malware. Excuse me, I like using iPhone, not because it's invulnerable to malware, but because it has less likelihood. And I'm a guy who manages risks For a living. So if I can reduce likelihood, then I'm all about it. Thank you, come again. All I would say is from an individual perspective, guys, continue to educate your end users about the, the risks of Android malware and how not to install it, how, how to avoid installing it, how. Too good to be true is likely too good to be true. But yeah, Android malware is going to continue to be a thing.
B
Microsoft testing Automated Endpoint Isolation Microsoft released a preview for Defender for Endpoint that can automatically isolate compromised endpoints. This is designed to limit lateral movement across the network by attackers. While cut off from the network, endpoints will still remain connectivity to the Microsoft Defender for Endpoint service for monitoring. Admins will also be able to release devices from this automated isolation at any time. Microsoft introduced manual endpoint isolation for defender back in June 2022. Netherlands blocks the sale of Authentication all
A
right, hey, I like it, I like it. Here's my only thing. There's a reason that we do intrusion detection systems and not intrusion prevention systems, IDS versus IPS is because if there is a false positive and you isolate an endpoint, you could have a problem, right? You could have a, you could have a production issue, an availability problem problem. Imagine if you will. Now they say endpoints, but imagine if you will, you have a active directory that false positive isolates itself from the network and all of a sudden you lose directory services. That could be a problem. Again, if this is just Defender for Endpoint meaning workstations and whatever, that's fine. Honestly, like I don't know, I, I don't know about you guys. I mean I've, I've run. So when you work at a smaller business and like small doesn't mean micro. Like I worked at a company that was like 700 million dollar annual revenue and had probably a thousand employees and I would consider that like small to mid size, right? We had budget but you know, the cyber team was small, probably like six people in it total. And so I would, not only was I the, you know, director of Information Security, but I was also the blue team, right? Dude, I, I wouldn't hesitate from just isolating an endpoint on the network. Like go into the EDR console and just hit the quarantine button because it's an endpoint, chances are, I mean, yes, you could piss someone off but like that's the. You're not pulling down like manufacturing operations and stuff like that. So if Microsoft defenders fidelity for identifying true positives is good or they're only going to isolate if they have A high confidence that it is a compromised asset. I'm all for it, dude. Listen, if. If the EDR knows about it, take action, my guy. That's what I would say. So like more EDR should do that. I do think some EDRs already do this, but yeah. Human operated ransomware attack. Let's go. It's the best way to prevent lateral movement. Now. Now I do want to point out two things. One, it is isolated, but oftentimes it's not truly completely isolated. It's isolated in the sense that it cannot speak to any other endpoints on the network or the Internet. And all. And all, all it can talk to, it's allowed to talk to is the edr, you know, centralized console server to allow an analyst to be able to interact with the isolated machine. So it's isolated. Ish. Okay. Just so everyone knows. It's not like. It's not like you have to physically go walk to this computer because it's been cut off. The Internet tech to us.
B
In November, the US firm Kyndryl announced it would acquire the Dutch company Solvinity, which operates the Digi D app platform that citizens use to authenticate identities with public authorities. In a letter to the national parliament, the Dutch government said that the national authority that screens investments had advised the government to block the acquisition as it posed a possible risk to the public interest. This announcement comes a week before the European Commission releases a tech sovereignty policy proposal to reduce EU reliance on foreign technology, particularly for the cloud and AI. A statement from Kyndryl said it was extremely disappointed about the politicization of this process.
A
All right, the Dutch government's blocking US based companies attempt to acquire online identification IT supplier. Okay, are the Dutch the ones who own Greenland? Do you remember when Greenland was like a thing there for a minute? It still, still feels like a fever dream. All right, so some Dutch company has a identity identity based solution and a US company wanted to buy it. Okay. All right. This doesn't, I don't know. To me this doesn't seem. I don't know. Honestly, this sucks. Like, just, just looking, just. Denmark owns Greenland. Okay, thank you. Just looking at this one, this seems like a little bit of a pissing match. Which is kind of wild because the Netherlands in the US have been like BFFs when it comes to controlling micro micro computer and like chip, semiconductor chip technology from China. But apparently when it comes to identity based, you know, solutions, Netherlands says no, we're done here. Like no more. So I don't, I don't know if like, you know, whatever. Like the US didn't stay to help clean up after the semiconductor party and now the Netherlands is all pissy. This seems far more politicized than anything else, dude. A company wanted to buy another company and the government stepped in and said no. This doesn't seem like it's, I don't know, like Palantir trying to buy an identity company out of Europe or something like this. This just seems like to a company that wanted to, you know, augment its portfolio by acquiring a company instead of developing it internally and they got shut down. I, I guess, I don't know. The one thing I would say is for what it's worth, I mean, there's probably other companies that this company could purchase, but it is annoying because a lot of companies want, you know, like that's their goal is to get acquired and to have the government intervene. This gets into like capitalism versus libertarianism versus, you know, big government overreaching, etc. Etc. This isn't really a supply a cyber story, so it's a fine one to end on. Meaning that I'm going to cut it short. Netherlands has good beer. Hello. What's up everybody? Welcome. We just crushed it. This was your Simply Cyber Daily Cyber Threat Brief podcast. Shout out to all y' all for being here. What? We got 320 people. A couple people had to boogie out of here to go to their 9 o'. Clock. I got you. I got you. Guys, don't go anywhere because we're about to flip the script and make it real here with Cyber Career Hotline. Here we go. Get my Hot 80s look on cyber Career Hotline. Phone lines are open. I'm gonna do everything I can to answer all your questions. We do it every single day at 9am Eastern time, bringing different industry professionals to bear to give you those answers. I'm Jerry from Simply Cyber. Until next time, I'm Dr. Gerald Osher. This is the Cyber Career Hotline. If you're building a career in cyber security, this show is for you. Let's get into it. Hey, what's up everybody? Welcome to the party. My name, my name is Jerry Guy. Coming hot off the heels from the Daily Cyber Threat Brief hosted by that nerd, Dr. Gerald Ozier. Oh my God. Nerd. Can someone please let Dr. Gerald Oer know that he does not need to get all twisted up on vulnerability management and this country of India. Dictating 12 hour patch times, my guy. Go get a pina colada and chillax. You're picking up what I'm Putting down now. Let's get to what's important. This is Cyber Career Hotline. It is a program that we've designed to mentor at scale. I love helping people. It is rooted in my existence. I'm here to help. So if you got a question, put it in chat with the queue and I will answer it. Phone lines are open. I am very excited. Got a bunch of projects going on. Had an epiphany yesterday, and I've got a really, really cool project on the deck. I will tell you, I've been trying to practice not telling people about things until I've done it. Just. You know what I mean? That way, it's. I gotta tell you, it's much more effective to show people than it is to tell people. But I've got a really awesome, awesome initiative coming up. I'm so excited about it. I also want to remind everybody that the question interview, Question answer interview, junior mid senior for Soc Analyst Question 3 was published on Sunday. If you missed that, people are loving that sock analyst job interview series. All right, so let's look at chat. I gotta put a Q in chat and I'll answer it. And if anyone asks me what my big project is, I'm happy to talk about it.
B
Teasing.
A
I am excited about it, though, especially because it involves simply cyber community members. All right. Oh, talking about BBS's. I love it. All right. Okay. Sean Sailors, put the Google cloud article with IOCs in the Discord news feed. Thank you very much, Sean Sailors. Appreciate you. Come on. Looking through chat. I want to answer your questions. Daniel Lowry has entered the chat. Daniel Lowry, huge fan of my friend Daniel Lowry. Continuing to look through chat. Daniel, what's the. What monster energy drink flavor you got going on today? Let us know in chat. All right, guys, a lot of great conversation going on here. Not. Not a lot of questions. I. I would love to help you. Let. Let me help you. I'm like a stage four clinger. I'm like, get. Let me help you. Like, I don't need it. Come on. Looking through chat. Looking through chat. Oh, I'm in the Greenland Dutch phase right now of the chat. Hold on one second. Give me a second. I'm trying to catch up, y'. All. Question. No. Damn it. Cyber Risk Witch is here. Always good to see you. Cyber Risk Witch. All right, let's see. Question. Tj. What's this awesome new project? Thank you, tj. All right, so check this out. I am so excited. Listen, I don't even know how to market this yet, okay? I'll figure it out later. Listen, I tell people all the time. Oh, like I think in today's market it's more important to have personal brand. I think it's more important to build networks and relationships. I think it's more important to market yourself more than technical skills, especially with AI. You know what I mean? But people are always like, how do I do that? Like, oh, it's easy for you to say, right? Okay. Okay. So I, I got an idea. Okay. It is a four part series. So it'll be like right now it's four YouTube videos. But I, I think it almost should be like a course at Simply Cyber Academy for $0. Anyways, I have recruited an individual who is the daughter of a Simply Cyber community member. Okay. Just, she just graduated with a degree in art. She's a creative. She's doing an internship as a soc analyst. She has her Google Cyber search. She's studying SEC plus. She, she's, she's, I think she's 24 and she's entering workforce. She is an absolute avatar of so many people who are trying to pivot into cyber security. Whether you owned an air conditioning company and retired and you want a second career in cyber or you're in the military and you're transitioning out. Right. Whatever it is. Okay. So I have developed not just four videos, but it's like an active workshop. I have like, I don't know, something like 30 different AI prompts. I am going to do a before and an after. So what we're going to do is I'm going to capture everything about this woman's LinkedIn profile. She doesn't have a GitHub yet. She's going to have a GitHub, personal website, blogs. I've got a diary template for her to fill out every single day. And I am going to show you. I'm going to take this woman, okay, who can do it on her own. All right? So it's not like she needs me. She's just agreed to work with me on this one. I'm going to take her and in one month, I guarantee I'm going to take her from where she is now. And I'm absolutely gonna supercharge her to be like the, the go to person for what it is she wants to do within her space. And I'll just give you a little teaser. She wants to be a GRC analyst. She has a degree in creative. In being creative. Hello. She can write creative, compelling storytelling. She can make amazing graphics for information security awareness. She can make compelling Risk based conversations sound engaging and sell those. She's got all of it. All we need to do is hone her and, and factor her down. And what I'm going to do is I'm going to show you as an example but then I'm going to give you all. I have an entire kit. You can download the whole thing. Just like literally download the kit and then follow the videos and you too will, will crush it. I'm Gary, I'm gonna put my like not my money where my mouth is. But I'm telling you I know exactly how to do it. So I'm gonna give you the full blueprint with all the things, no paywalls. And then it just becomes this is the empowerment core value of Simply Cyber. I will give you everything to empower you to take action. It. It has to be on you to invest in yourself and the time. You guys watch. I'm telling you, I am super excited about this. All right, so hopefully you guys like that idea. I'll look at chat to see if there's any here. I'm gonna, I'm flagging right now. I, I'm flagging questions that were in chat. I'm just curious if anyone had any ideas. Well, you know what, keep mods. If people have interesting things they want to say about that, please let me know. But I'm gonna just keep answering questions. Stay tuned though. I again, I'm super excited. All right, here we go. Subjective but my plan this summer fell through. Would it be better to focus on homeland cyber deck building, finding a certain course or two or part time remote support desk work, Soap flavored? If you can find remote support desk work, I would, I would do that because experience is super valuable. And then I would also consi. Continue like basically developing your skills but make sure you're documenting those home lab cyber deck building steps. Right, that's what I would recommend. Ever been apprehensive about leaving a role taekwondong? Yes. It's very risky to leave a job for another job or you know, to quit to start your own company. When I quit my job to go do Simply Cyber full time, that's probably the most apprehensive I've ever been. What would you say? And by the way, for me personally, I'm risk based. Right. So I needed to make sure that where I'm going is rock solid and my finances are rock solid. What would you say to people who think risk management is just thinking negatively? I would say, I mean that's kind of a simplified view of what Risk management is what I like to think of. Risk management is you only have so much resources, right? You only have so much money. Like hey person who thinks it's just thinking negatively. Imagine you're throwing a birthday party for your kid and you got a budget, right? You don't have infinite money, so you're going to get a hundred dollars. Do you spend a hundred dollars and buy one super huge balloon? No. That sounds stupid, right? Your kid's not going to have a gift. There's no cupcakes, no streamers, nothing. So maybe you think about how are you going to allocate your money to optimize the outcome of your kid's birthday. It's the same thing, except instead of your kid's birthday, it's reducing cyber risk to your organization from experience an adverse effect. Will you need any volunteers or simply cybercon? Yeah, I mean we'll need some volunteers for sure. Details to follow. What's the best non us beer you've ever had? Oh, you know what I mean. I like cheme. I think she may 12 not shimay. Oh my God. The monk. The. The Saint Bernardus 12. Poltergeist. Just about to graduate in cyber and advice on what to do next. Poltergeist. Yeah. Network. Network, Network. And begin documenting what you're doing and making other people aware of it. Share it on socials, drive people to you. The easiest way to get a job in cyber security is through a side door because someone says something about you in a room when you're not in there. That's good. Also, Poltergeist, the series that I'm talking about doing is literally going to be made for someone just like you. Okay. All right. Holy Jesus. Dutton. Doable or dunable? Hiding the the headline, dude. Six months unemployed 300 apps. Starting GRC job today. Love it, love it, love it. Dude. Congratulations. Super pumped for you. Will simply cyber be adding new courses? Possibly. Like I said, I have a vulnerability management. One that I just can't get over the hump. This. This. If anyone has any thoughts about this project I'm talking about, let me know. I was actually thinking about making it a course, not a set of YouTube videos. Because with YouTube videos you could watch them in different orders. With YouTube videos, I feel like people don't aren't going to take the YouTube video as seriously. So I must wonder if I should make it a course and just make one YouTube video. That's like a high level introduction of the course. Okay. Best way to negotiate a better raise during the review. Average salary for GRC analysts in El Coal is significantly higher than current salary. So, all right, so for me personally, I don't wait until the performance review to ask for more money. You got to remember this, Warham, like, just think about it as a business, right? So, all right, it's time for performance review. The business is going to say we have X amount of money to allocate to perform to increase salaries, right? So like they're looking across the entire business, like, let's say you have a thousand employees and they're like, well, we have, we have a thousand dollars of extra money to give to salary raises. So we could give each person $1. That means the people who suck at their job get a dollar. And the people who have worked nights and weekends and skipped kids sports also get a dollar. So that doesn't feel good. So like, let's give, let's do a bell curve. So a third of the people get no pay raise, A third of the people get $2 and a third of the people get $1. That seems fair on balance. But then what about you? Who is underpaid for where you are and someone who came in like, like you got hired four years ago and you're getting paid whatever. Someone got hired this week and they are already making more than you because of the market demand, right? So you're both going to get a dollar. That doesn't always seem fair, especially if you've been crushing it. So for me, what, just to point this out, what I like to do is I like to have these conversations in advance because it feels less confrontational, right? So say you're having your monthly one on one with your boss or your weekly one on one with your boss. Say, hey, listen, I've been looking at salaries for analysts and you know, My salary is $45,000, which your boss will know. My salary is $45,000. But on the market, a lot of entry level analysts are getting paid 60,000. Now, I'm not asking for a pay raise right now. What I'm asking for is how can we work towards getting this balanced a bit? Because I, you know, I feel, I feel it's not necessarily fair to be making 15 less than market average for this. So what, what's this gonna do? Listen, this is a huge lesson learned for everybody in my opinion. Okay? What you're going to do is you're going to give your boss like basically an opportunity. So your boss is probably going to say, well, let me go look into that. What, you don't want to ask them for is a yes or no answer. You don't want to give them an ultimatum. You want to give them an opportunity to go to bat for you. So, hey, you know, I really wanted to know, like, how can we. How can we go towards getting my salary adjust? Now? They might say, you need to get a promotion. Okay, that's fine. The next question is, well, how do I. What can we do to put me on the fast track to promotion? Okay, so then when you're in your performance review and they say, oh, you got a $1 pay raise or whatever, and you're like, well, okay, I mean, we've talked about this for the last six months on and off. I told you I was making 15 less than market average, and I did the things you asked me to do. You know, this doesn't feel like what we talked about. And then they're gonna say, oh, well, you know, the budgets are tight, AI layoffs, economy, gas prices, whatever. And you could say, okay, okay. Now, at that point, a Warham. What I would do is say, okay, like, they've shown their cards. They either don't appreciate me or they don't have the money. Either way, I'm not gonna get it here. Right? Like. Like, you know what I mean? Like, you can't get water from a stone. So now you have to begin looking other places. But, you know, it's easy to find a job when you have a job. Also, just point out, you know, like, hey, all right. I mean, what you should not say is, okay, I'm gonna go on to the market and see if I can find that pay raise I want on the market. Because now you're going to get fired or you'll be the first one that they lay off when it's time to lay people off. So keep that close to the vest. Hopefully this helps. There is no magic way. What I would. The final tldr. I would say here is just try to get your boss to be your advocate. Unless they suck. If you have a toxic boss or something, that's not going to work. All right, so Code Brew likes my idea. I'm excited. Cyber David Goggins. Okay. I. I'm excited for her. And honestly, space talk was. I didn't know she wanted to be grc. This just kind of got put together. Is this going to highlight the network aspect? Yeah, I mean, this is mostly like, the work I'll be doing is with the networking aspect in the marketing aspect. I. I expect her. I have to have a call with her today to make sure that she will agree and commit to, like, what this program is, but she'll have to continue to commit and develop those skills. There's a lot of public accountability elements to what I'm going to do, so. Yeah. All right. So people are, are liking this idea. Sounds awesome. Wow. So amazing. Cool. All right, I'm excited. Pirate Kitty, who's a relatively newcomer to the community, do you have any suggestions for doing something interesting with GitHub when you have no background in software? I'm lost. Oh, yeah. So Pirate Kitty, this is what I would recommend. Obviously, get a GitHub repo. Get a GitHub account. Right? You can. This is what you absolutely should do. All right. Register a Cloudflare account. Register a GitHub account. Both are free. Then use AI or whatever and Vibe code a personal branding website. Right. Like, who are you? Right. Like just something easy and then use it to commit to GitHub. GitHub is served via Cloudflare. And now you'll have a website that is your personal, you know, zero landing page. That's awesome. That you can update quite well. You'll have a GitHub repo that's actually quite active. And Cloudflare hosting a GitHub repo is a CICD pipeline. It's basic, but it's. It is a CICD pipeline and that is how modern web apps are managed and deployed. So not only will you have your own personal website, but you'll also be experiencing what cicd pipelines look like with micro micro commits and stuff like that. It's phenomenal. All for $0. The only thing you'll have to invest in if you want to, is registering a domain name, but you can get one for like 10 bucks a year. Mars says, when's it dropping? Probably like June, July maybe. I mean, I. I've got to film it all and figure out how. What I'm gonna do here. But I've got the whole. The whole thing's laid out on all of my prompts, all of my artifacts, like the toolkit, all the downloads, those are all done. It's just I had to develop it all so then I could execute it on a case study. Anything going on with the TV deal you were working on? If you're talking about Nerdy by nature, nerdpocalypse, that is still going on. It's just tabled right now because. And I'm assuming that's what you're talking about. I've done three TV shows, so the most recent one is Nerd Apocalypse. Spoiler alert. I Talked to my lawyer. I can't use nerdy by nature. And I might move to Georgia, which would, you know, impact my entire summer. So I can't film a TV show if I don't know where I'm going to be living. Ah, here we go. Yeah. St. Bernardous Abbott 12 Belgian quad. You got to be careful though. I'm getting old. Guys, the. The ABV matters now. Been. Been pivoting to founders all day ipa. All right. Oh, Franz o' Connor is delicious. Franza Connor might be one of the best wheat beers. Hot day. Franz O. Connor. Get out of my way. I love it. All right. Continuing to look through Chad. For the salary increase question, how would you frame that for a government job versus a private sector job? I mean government, it's kind of out of your control. With a government, you might be able to like, you know, reclassify your job or move internally. Private sector, you're going to have a lot more flexibility on, you know, commission increase. Plus for a Warham, who asked about the compensation, Remember, with your. Especially in private sector, with your boss, you could say, hey, you know what? Like, I know like, especially if you're like, hey, how can I get more money? I'm underpaid. And they're like, you can't. Like we don't have any money to give you. Well, then you could say, hey listen, you know what would be worth more than money to me? Having every other Friday off. Can I work 9 hour days and take every other Friday off? 3 day weekend? Every other weekend would be quite nice. You know, it won't impact. It won't impact business. I'll still get all my work done. Or hey, can I work 4 10s? It would be worth. Instead of giving me money, it would be my time is worth money. It would be worth it to me since I'm not being compensated financially with market standard. I would love to work four tens. Let's try. Oh, and by the way, say, can we just try 4 10s for a month? The month of June. Let's just see how it works. If it doesn't work, totally understand. Happy to pull it back. That's what I would do. What's the best way to break into cyber? I have a bachelor's in Cyber Home Labs Comptia. Any advice helps maintain like literally. This is why I'm gonna build this program that I mentioned earlier. Here's what I would Recommend. Get a LinkedIn, optimize it for whatever job you want in cyber security. Get a personal website, whatever you're working on. Like how what search you have, how you studied for them, what market you want to work in, what job you want to work in, what tools are you learning, what conferences have you gone to, what experiences are you having? Document them on your personal website. Then use LinkedIn to make posts about it, to engage and point back to your personal website. Begin to get known, network with people in the Simply Cyber community. Go on the Discord server and talk to people. Look at Reddit and find questions people have and then answer them for everyone. Is it odd if a company doesn't promote from within? They make people apply for the job? No, it's not, it's not uncommon. I mean, I've seen it before. I don't think it, I don't think it's great for culture, frankly, because I, I don't know, I like rewarding my people. All right, follow up question. What about a situation where you're as ra, don't get one, find a new job and then they offer you the match? Should you state no? What? No, no, I, I, I'm, you know, I know that this is a thing. I'm firmly in the camp. Like, it's business. Right? Like, I would say no. I would just, I mean, unless you really like the company and you want to stay. But for, as far as I'm concerned, that company showed its colors. Like, they don't value you. Like, they're only like, what they value is not having the pain of having to backfill you. So they're gonna throw some money at it. But I will say by doing this, when there's layoffs or, or, you know, con contraction needing to happen, you're probably going to be targeted because you've already identified yourself as not a company person. Right. I would just say, dude, it's like, it's like anything else where you're like, no, like, I gave you an opportunity. You made your decision. All right, we're at 9:30. I'm gonna go a couple minutes over because I started at 904. What's the best way to prove you can use AI to companies? Do I do projects? I don't believe in any of the AI certs. Yeah. Striving to learn. I would do projects. I would, I would share that. I mean, really, right now is a very good time to be on social media talking about the AI work you're doing. AI content performs very well, so that's what I would do. I mean, I'm not doing, I'm using AI quite a bit. I just, I guess, like, I'M doing it a little different. Like this, this project I've been talking about, I'm using AI to help, you know, basically review, optimize, you know, like LinkedIn profiles, website building, all that other stuff. So like it's, it's like AI implicit. But yeah. Oh, Pirate Kitty's already got some GitHub stuff. That's perfect. Pirate Kitty, keep, keep doing it. You're gonna love it. Yeah. Code Brew has naa beers. I'm telling you, it's just, I don't know if it's old age or it's just like enough's enough. But for interview questions, how do you prioritize tasks and projects? What kind of answers are managers looking for? So for interview questions, I mean anything you can relate back to current events or to work you've done, do it. But make sure that you're being like you're, you're, you're anchoring on what the interview question is. Remember a lot of times the interview question, yeah, sure, if it's like what port is telnet? Like there's only one answer. But oftentimes, at least in the interviews I like to do, I do scenario based questions because I want to see how you think. Right. A lot of people talk about the Star method. I'm not entirely familiar with that, like off the top of my head, but you know, I, I like referencing current events because it shows your current, it shows you understand how to work them into. So this person says four turns turns into four 12s. I guess. I mean you gotta have boundaries though. All right, looks like we're caught up. Chatter. Bob, welcome back. Good to see you. All right guys, we did it. It's 9:34. Thank you all so very much. I want to say thank you for being here. I hope you enjoyed Cyber Career Hotline. I'm just realizing right now that this jawjacking thing is up here. We got to get rid of that. Hold on. Let's get rid of that. Thank you all so very much for being here. Let's go ahead and increase the chat window, shall we? Can we do that? Nope, Hold on. I'm playing now. Okay, I'll get it sorted out guys. Thank you all so very much. Have a wonderful Wednesday. I'm Jerry, your chat. I'll be at Cisco Live next week doing the show live from Vegas. So if you're going to be at Cisco Live, let me know. We can high five proper. Be well everybody. And until next time, stay secure. See.
Date: May 27, 2026
Host: Dr. Gerald Auger, Simply Cyber Media Group
This episode of the Daily Cyber Threat Brief delivers the top cyber news stories impacting industry professionals, with Dr. Gerald Auger providing expert analysis, practical advice, and trademark humor. Covering threats ranging from APT group activity, phishing trends, national patching mandates, to malware-for-hire, the podcast blends actionable insights with community engagement and career-building tidbits. Special emphasis is placed on the ever-evolving risk landscape and pragmatic responses to industry trends.
Timestamps: 12:06–21:41
Summary:
Iranian-backed APT group, known under many names (Smoke Sandstorm, Boherium, etc.), historically targets aerospace and defense sectors. Recently, it’s expanded focus to the US, shifting tactics from DLL sideloading to app domain hijacking and using trojanized installers for legitimate apps (e.g., Zoom, OnlyOffice).
Dr. Auger’s Insights:
Risk & Mitigation Recommendations:
Notable Moment:
Timestamps: 21:41–29:25
Summary:
Phishing operations are moving from static credential harvesting to real-time interception, using encrypted channels (RCS and iMessage) to target users, often bypassing MFA and capturing one-time passcodes.
Analysis:
Practical Advice:
Notable Quote:
Timestamps: 29:25–36:37
Summary:
Iran restored international Internet after 87 days offline, a tactic used both for population control and thwarting foreign cyber actions.
Deeper Dive:
Engagement:
Timestamps: 36:37–44:23
Summary:
New guidance from CERT-In requires organizations to patch actively exploited, Internet-facing vulnerabilities within 12 hours, citing AI-accelerated exploit development.
Host Reaction:
Risk/GRC Reflection:
Timestamps: 44:54–48:40
Timestamps: 48:40–51:44
Summary:
Mandian researchers uncover attackers exploiting hardcoded web config values in popular Japanese e-learning system, granting remote access (Godzilla web shell) and facilitating Cobalt Strike backdoors.
Key Points:
Timestamps: 51:44–56:20
Summary:
BTMob, a customizable Android remote access trojan with no-code APK builder, sold via Telegram/X, enables full device takeover for ~$5,000 a license.
Analysis:
Advice:
Timestamps: 56:20–59:57
Summary:
Automated endpoint isolation now in Defender for Endpoint preview; system can quarantine suspected compromised endpoints while keeping Defender connectivity intact.
Expert Take:
Notable Quote:
Timestamps: 59:57–60:37
Summary:
Netherlands halts US firm Kyndryl from acquiring Solvinity, citing national tech sovereignty concerns.
Host Perspective:
Timestamps: 61:00–End
Career Q&A Highlights:
Notable Moment:
The episode exemplifies the podcast’s blend of up-to-the-minute cyber threat news, real-world professional wisdom, and interactive community focus—with Dr. Auger’s signature enthusiastic, relatable tone. Throughout, technical depth is balanced with actionable advice for both practitioners and those entering the field.
For more:
Catch the Daily Cyber Threat Brief live at 8 AM ET or join the growing Simply Cyber community via simplycyber.io and Discord/socials.
This summary was prepared for listeners seeking comprehensive insights on today’s top cyber stories and career strategies, including targeted timestamps for deeper dives into each segment.