A
All right. Good Tuesday morning everybody. Welcome to the party. Today is November 18, 2025. This is episode 1008 of your Simply Cyber Daily Cyber Threat Brief. Listen. Over the next hour you can expect to get informed and updated on the top cyber news stories of the day, while at the same time being given additional insights and value from experience of people that have been working in the industry decades on, going beyond those headlines. So ultimately you can level yourself up faster and be more proficient, deliver greater value to your business stakeholders or switching jobs. Interviewing, just absolutely wowing interviewers with your broad depth of knowledge. This is Simply Cyber Daily Cyber Threat Brief. I am your host, Dr. Gerald Auger, alongside Simply Cyber Community members. We're off and running on a beautiful Tuesday morning. Let's go. That's right. Good morning everybody. If you're cold somewhere like Steve Young, or here in the low country where it's a bit chilly, do try to stay warm today. Hope everyone's having a wonderful week off and running. As always, I want to say hello to the Simply Cyber Community, Team SC. Great to see so many regulars in chat. Definitely appreciate starting my day and waking up with you guys. If you're running around bustling in the kitchen, getting ready for work, maybe you're on the elliptical like Nick Barker or pumping iron, getting those gains like Derek Welsie. Whatever you're doing, however you work Simply Cyber's Daily Cyber Threat Brief into your morning routine or your evening routine because we are international, I want to say thank you for making the effort and being part of the community. Definitely appreciate it. If today's your first episode, holla at you. Look at you adding new things to your routine. Hashtag first timer in chat. If it's your first time, we have a special sound effect, a special emote and the squad members definitely have a warm embrace for you. I want to say what's up to Brogan's Hero. 
Still thrilled to be part of the community. Seven months. Love it, dude. Thank you so much for the support. Glad to have you here, guys. So first timers, let me know in chat. If you see a first timer, just spam the John McLean emote so I can see it. I also want to let you know every single episode. Yes, we have a lot of fun here. We high five and have fun stories and Red Hulk and stuff. But also, this is an instructor-led webinar. Don't tell anybody that. It's an instructor-led webinar. I have 20 plus years of experience, a bevy of education. I am qualified to run this session and we do half a CPE because it's 30 minutes of value sprinkled with 30 minutes here and there of good times. So say what's up. Grab a screenshot of your name like Face Doyle. Coffee cup. Cheers. Ireland's Owned. Grab a screenshot, include the show title because it has the episode unique identifier and the date, right? File it away. Once a year, count up those screenshots, just Ctrl+A and look at how many files you got and then divide by two. Simple as that. And I get this question often. You only need the screenshots if you get audited by the certification body. It is evidence just in case. Okay, gotta get that going. What's up, DJ B? Second Haircut Fish in mod chat. Good to see you guys. Looks like we have a first timer everybody. Thomas Barnett 3609, Thomas Barnett. Welcome to the party, pal. Welcome to the party. Oh, my man. Gary Sturgiatis in the hizzy. Good to see you, Gary. Sierra Nevada Celebration Ale's out. Gary, I don't know if you got into that action yet, but 'tis the season as it were. All right guys, we got our CPEs, we got our first timers. It is Tuesday. Every single day of the week has a special segment and Tuesdays is Tidbits Tuesday where I share a little bit about myself with y'all. Last week I told you about how I, like, low key wrestled Bo Jackson in my dream and woke up to my wife wondering what the hell I'm doing. So who knows where we're going to go from there? 
I don't know. Elliot Mati Port 0, good morning to everybody. Before we get into it though, allow me to pay the bills. Let me say what's up and holla to Kimberly Can Fix It. Ah, also worth noting, guys, this week CTF, guys, if you didn't know it, we do a lot for the community here. But I don't do the best of telling everybody. We do these monthly flash CTFs. What is a flash CTF? A flash CTF is for two hours, a two hour session every month. So this month it's Thursday, November 20th at 5:00pm Eastern. And for only two hours, this competition is open. It is free to join. I give out cash prizes because everybody likes cash, and basically you get a cool black badge role in chat on the Discord server. Come out, hang out. CTFs, it's fun, it's competitive, but it's very casual. It's super cash. Okay? It's super, it's like casually Joseph casual. Okay, it's very cash. Go check it out. Poner Joe runs it for us, which I appreciate. He sends me the list of winners and then I fire off a bunch of Amazon gift cards. It's part of my Friday morning routine once a month. So come on down to MetaCTF, Flash CTF. Now let me say shout out and thanks to the stream sponsors. The re. Okay, for a quick example, the reason I can give out cash prizes for MetaCTF and for community events is because I have stream sponsors that pay the bills. So let's take a minute and recognize them. DeleteMe makes it easy, quick and safe to remove your personal data online. At a time when surveillance and data breaches are common enough to make everyone vulnerable, DeleteMe does all the hard work of wiping you and your family's personal information from data broker websites. DeleteMe knows your privacy is worth protecting. Sign up and provide DeleteMe with exactly what information you want deleted and their experts take it from there. As someone with an active online presence, privacy is really important to me. I've been using DeleteMe for probably two years now. 
I tell them to delete all the things. I have a wife, kids, a home, you know, very public profile. I'm basically streaming multiple times a day. But I'd like to choose who has my address. Zach Hill texted me this morning. What's your address? I want to send you some Magic cards. Okay. And I'm happy to text them back my address, but I would like to choose that, you know, decision. Take control of your data. Keep your private life private by signing up for DeleteMe now at a special discount for our listeners. Get 20% off your DeleteMe plan when you go to joindeleteme.com/simplycyber and use promo code simplycyber at checkout. The only way to get 20% off is go to joindeleteme.com/simplycyber and a code simplycyber at checkout. That's joindeleteme.com/simplycyber, code simplycyber for 20% off. Come on down. Speaking of value train, guys, Antisyphon Training tomorrow at noon. Tomorrow, there's still time to register. Would you like to have a full dude to me looking doing a full 2025 data deep dive on macro level insights, things that you're seeing across the entire year? You know, trend data. All this is great, guys. I love really well done annual retrospectives and if you don't know what a retrospective is, it's a popular technique to look back, lessons learned, insights, and then you can apply them going forward into 2026. This right here is get your popcorn, get your Barcalounger, reach down with your left hand, grab that lever, throw it back so you can fully recline and let Jordan Drysdale and Kent Ickler take you on an awesome wave, on an awesome ride. This is definitely cool. I'm going to make every effort to be there. To me, these retrospective deep dives are a gold mine. And if you're looking for a job, whether you're employed or not currently employed, it doesn't matter. You could always be looking. Some of these insights, I swear to God, just copy and paste the insights into the job interview. Okay? It's not fraudulent. 
You're like literally going, doing research, getting educated and then taking the nuggets that you like and bringing them forward with you. So don't sleep on this. This is a good one. My man Nerman, 24 months, blue badge. I love myself some Nerman. Nerman loves the community. I love Nerman and I know the community does too. Great guy, team player for sure. All right, hey, let's hear from ThreatLocker really quickly and oh, go to AntisyphonTraining.com to get signed up for this one. I'll see you guys in the Discord server when this live stream happens. Although actually Wednesday at noon. I actually. Hold on, I think I'm doing something Wednesday. No, give me one second. Hold on. Let's listen to ThreatLocker and I'll check my calendar off stream. I want to give some love to the Daily Cyber Threat Brief sponsor, ThreatLocker. Do zero day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. Worldwide companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. ThreatLocker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and complex compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com/dailycyber. All right, so I do have a conflict at noon tomorrow. However I have a meeting from 10 to 12 with Tyler Ramsbey to record some stuff and then my meeting at noon is with Tyler Ramsbey to talk about Cairo sec, the pen testing company that we run. And I think if I can get the 10 to 12 recording done quickly, we can just move the meeting up. So I will be there, hopefully, at noon tomorrow, so hope to see you guys in chat before we go live here. I'm gonna do the news in 15 seconds. 
I just want to take a hot minute and say shout out. I try to do it regularly, but I don't always do it. I want to give a quick shout out to the mods. Jenny, Haircut Fish, Kimberly, DJ B Sec, Casually Joseph, Justin Gold, Eric Taylor, others that are, you know, here, guys. It really does take a village. Okay? And the mods. You guys have no idea how amazing the mods are on Discord too. Guys. Discord. Someone says, oh, hey, @mod because we got like crypto scammers or some bull crap in there, but boom, they're on top of it. So I definitely appreciate that. All right, here we go. Cloudflare is having issues right now. I do have everything loaded up, but we'll see how this.
B
Goes. From the CISO Series, it's Cyber Security Headlines. These are the cyber security headlines for Tuesday, November 18, 2025. I'm Sarah Lane. Azure hit by DDoS using 500,000 IPs. Microsoft reported that its Azure network was hit by a 15.72-terabit per second DDoS attack from more than 500,000 IPs launched by the Aisuru botnet. The attack targeted an Australian IP and peaked at 3.64 billion packets per second using high rate UDP floods. Aisuru, a TurboMirai-class IoT botnet, exploits vulnerable home routers, IP cameras and DVRs and has previously conducted record breaking attacks, including a 22.2 terabit per second assault mitigated by Cloudflare.
A
Kenyan. All right, so check it out. First of all, definitely appreciate Sarah. So first of all, she pronounced it incorrectly. It's Mirai. Just so everybody knows, like, and I'm not throwing shade at her, right? Like, this is one of those ones where if you don't know, then you pronounce it however you think it's pronounced, but if you pronounce it incorrectly, people are like, oh, you know, they're saying it wrong. So I'm just educating everyone. It's Mirai, right? Mirai botnet. Okay. This is a seminal piece of malware. It's got a very rich history on how it came about. And it was originally designed to blow Minecraft servers off the Internet by a couple college kids who were trying to make a couple bucks, right? But definitely go look into that if you don't know it. I will tell you this: in a job interview, whoever's sitting across from you absolutely knows what Mirai is. Okay, now here's the next thing. 500,000 IP addresses. Now we're talking. Okay, yesterday there was a story about some denial of service attack and it mentioned 15,000 IP addresses. And if you were here yesterday, I like absolutely dunked on that story and I'm like, bro, 15,000 IPs. I don't get out of bed for like less than a hundred thousand IPs. Like, what are you doing? Oh, and the denial of service attack didn't work, right? I think it was the Russian ports up in friggin' the Baltic Sea. The Russian ports are being attacked by a denial of service, 15,000 IPs, and it didn't work. This is why I was dunking on it. 500,000. Now you've got my attention. Okay, the original Mirai botnet, just to show you how far we've come, got to like 450,000, 500,000 and 600,000. And like FBI got involved, federal law enforcement got involved. That's because they didn't know where it was coming from and they thought it was Russia nation state and they were weaponizing it. Nowadays, dude, 500,000 IPs using a Mirai variant and it's just like a news story, like law enforcement isn't even getting on it. 
So this is where we are at this point. Now as far as practitioners go, Microsoft Azure got hit by this. This is a massive, massive attack. Okay, 15 terabytes per second or terabits per second, that is volume. Now remember, all denial of service attacks like flood attacks, UDP flood attacks, require constant pushing of that data. Now if the bots inside the botnet are controlled, which they are, they can maintain that. But there's denial of service services that can help manage that risk. And obviously if you get enough IP addresses like 500,000, it's very difficult. I didn't know Azure was down. Considering Azure is like one of these massive main critical infrastructure as far as I'm concerned. I don't know about you guys. What do you think? Do you think Azure is critical infrastructure? I'm going to start a Q and A here. Is Azure critical infrastructure? Wait, hold on. I don't want to do a Q and A. What the hell is this? Start a poll. Okay, is Azure critical infrastructure? All right. And I vote yes. Okay, UDP floods. It's worth, listen, it's worth studying. It's worth studying. And honestly Cloudflare this morning is having issues and I wonder if it is tied to a denial of service attack. DJ B Sec and I were talking this morning. He seems to believe it's an internal maintenance issue, but honestly, with attacks like this, this level of attack. 22 terabits a second, 10 billion packets a second. Dude, this is not your dad's denial of service attack. This is like legit. Now you'll see that it only lasted 40 seconds. And this is the crux of a denial of service attack. You need to maintain it and it's difficult to do, but it was the equivalent of streaming 1 million 4K videos simultaneously. All right, I wish that Simply Cyber could get there. Not much you can do. All I would say is, you know, if you depend on Azure, have business continuity plans. Get ready. But 40 seconds. I don't know about you, but dude, I. 
My business, your business, we can sustain a 40 second downtime. I'm streaming right now. If we went down for 40 seconds, I'm sure you guys would be like, oh, wait, what happened? What's going on? Less than a minute. You probably wouldn't leave, right? And then I could spin back up and be streaming again, so. Oh, okay. And B says that Azure blocked it, not that it was down. Okay, interesting. Here we.
B
Go. Government websites back online. Kenya's government.
A
Web. Whoa. Down Detector's down. Hold.
B
On.
A
Ooh, that's very meta. Phil Stafford: Down Detector's down. Cats and dogs living together. Sites.
B
Were briefly defaced on November 17 with white supremacist messages targeting ministries including Interior, Health, Education, Energy, Labor and Water. The Interior Ministry said the attack, linked to a group calling itself PCP at Kenya, was contained quickly with systems now monitored. This follows a reported cyber attack in Somalia on its e-visa system, potentially exposing data of at least 35,000 travelers.
A
EV. Dude, what in the hell is wrong with people nowadays, dude? So I'm not going to read it, but the website, the government websites were hacked. And. What's the word I want to use? What's it called when, like, you like graffiti on something? It was big in the night. Defaced. They defaced the website with like basically hate messages. I don't understand what the hell is wrong with people, man, but. All right, all right, so here's the deal. Kenyan government website, obviously they didn't have very good security procedures. Threat actors, who are ideologically motivated, were able to deface the website, which, you know, it's not a good look for the Kenyan website and it's a little scary. It's more of a terror attack. But, I mean, you know, this doesn't disrupt operations. If you were trying to figure out if you could pay your tax bill that day, you could still do it. Water didn't stop. Emergency services didn't stop. This is, like, I don't. Not petty, but this is just like, like, this is like a burr under the saddle. It's annoying. It's offensive. But, you know, they could just go in and fix the website and then I. How did it. Initial password. I'm trying to find out how they got in. This is a different story. The Somalia one. So they don't have an explanation of how they got in. Websites can get hacked a lot of different ways. Okay. So it is what it is. But you could see here, basically, as soon as they found. This is the thing why it's so, like, simple. As soon as they found out, they basically just restored the website from a backup, or they went in and deleted the hate messages and then probably figured out, I mean, if it were me, like, who made the changes and then go disable that account. Do a little bit of, like, you know, investigation into the log, see what's up. All right. I will say this is a good opportunity. 
If you do have a website like your business, it's worth confirming, like, just as a very simple tabletop exercise. Hey, are. You know, and it's an easy one for people to get their head around. Hey, our company website got defaced and it has hate messages on it. What do we do? Oh, we restore from backups. All right, John, like, where are the backups? Oh, I don't know. Okay, well, it's cute to say restore from backups, but if you don't know where they are or how to do it, we have. We have a. We have an operation. Okay. Don't ever say a problem, by the way. Just say, oh, great. We have an opportunity to improve our processes. Wonderful. Thank you, John. Don't say it as sarcastically as I just did. Thanks, John, for helping us improve our processes. This is great.
B
Okay. Illusion emerges. Researchers identified a new malware campaign evolution using ClickFix social engineering to deliver Amatera Stealer and NetSupport RAT. Amatera targets crypto wallets, browsers, messaging apps, FTP clients, and email. Using evasion techniques, attacks trick users into running malicious commands via fake CAPTCHAs, which launch PowerShell scripts that download and execute payloads. The campaign also employs phishing kits to harvest credentials selectively.
A
Kraken. Okay, you know what? Whoever made this infographic, this process flow, I respect you, I appreciate you. Listen, anyone can create a process flow diagram using like basic, you know, basically Visio shapes, right? Square, block, circle, the wavy line. This person, whoever this absolute darling is, went the next level and made custom graphics: Start, Run box, the executable icon from like Windows XP, little PowerShell, media flare got a fire and then the pièce de résistance. Look at this eagle, like eagle head. Like I would like to buy this person a beer. Do they have a Buy Me a Coffee link? I want to send them two bucks just for this. Eagle head. I love it. Oh, we got a first timer in chat. SciFry. Hey, community, @SciFry. SciFry, welcome to the party. Welcome to the party, pal. Picked a good time to show up. You get to watch me drool over an infographic. Now, you know, it doesn't have a caption, but I'll allow it. All right, so guys, TL;DR. This is an absolute opportunity. Info stealer. Here's the thing, guys. Eval evaluation, delivering Amatera Stealer, remote access trojan, data exfil, credential stealer, spyware, keylogger. It doesn't friggin' matter, okay? The deal is, it's the infection that you got to worry about. The post exploitation payloads, yes, you don't want those detonating on your box or your end user. But that's not what you should be focused on, right? I mean obviously if you can write detections and if your EDR can be tuned, do it. But let's focus on GRC Mafia and awareness training. Guys, you can get in front of this. I've been saying this for months. Educate your end users on ClickFix, how to avoid it, what it looks like. Like, this is an awesome screenshot. Hey end user, if you see this, it's bad. Hey end user, if you're told to hit Windows key R, Windows key R, and see this pop up, that's bad. Don't do it. In fact, let us know so we can block that website, friend. All right, you can even. I've seen instances. 
This works better at small and midsize businesses. Large businesses can't really do that, but I've seen instances where like every, you know, like true positive reported, like ClickFix website reported to information security, gets you like a ticket. And then at the end of the month they draw for like a $500 Amazon gift card or they draw for an iPad or something, like something crazy cool where you have people like really dialed in to look for these things. Now, you got to be careful, though, because then they'll start, like, literally looking for them, which is problematic. But just educate your end users, make a little video, show them what's up. In fact, you know what I'm gonna do? What's my calendar look like for today? I have a haircut at 4. I look like a wolf man. I'm gonna make. All right, like this. I'm gonna make a ClickFix, ClickFix end user video. Okay, warning. I'm gonna make one, okay? I'm gonna show you what I'm talking about, okay? And you guys could steal it. I'm gonna literally make it accessible so it can be stolen. And you could slap your own company logo in the corner and I'll post it on LinkedIn. Okay? Like, this is. We can educate people on this ClickFix. And by the way, just as a quick heads up, the fact that this continues as in new campaigns means it's working, okay? Threat actors, they're very good at pivoting. If something's not working, they will stop doing it and pivot on to something else. All right? Poor Kathy Chambers, I had a meeting with her yesterday where I was peak Wolfman. I look like Michael J. Fox in Teen Wolf. Not the first one that was good, but Teen Wolf 2, the real messy one, that low budget one. Oh, it was rough.
B
Yesterday. Enhances ransomware attacks. Cisco Talos says that ransomware group Kraken has been running big attacks across Windows, Linux, and.
A
ESXi. Hold on. We got some wins here, by the way, @Jack Pierce. Hold on one second, Jack. I'm gonna do a Ric Flair here. @Jack Pierce and @Slimy Puppet, which Jack Pierce just graduated with an associate's in computer science and cyber security. 3.73 GPA. Jack Pierce. And then my man, Slimy Puppet, squad member, just graduated WGU in cyber, excited to get to work. Way to go, man. Straight crushing it. Look at all these bosses, guys. I gotta tell you, absolute bosses up in here at Team SC. Just sharing the wins, crushing, and really just setting the tone. I do like Jason.
B
Bateman. Since February, the group now benchmarks each victim's system before encrypting files, so it can pick the fastest method without crashing the machine or triggering defenses. Talos observed intrusions using exposed SMB services for entry, Cloudflare for persistence, and SSHFS for data theft, with ransom demands around $1 million. Kraken lists victims in multiple countries, including the US, the UK and Canada. And its new Last Haven forum appears to be a collaborative space supported by former HelloKitty.
A
Operators. All right, well, hey, the joke's on them. They use Cloudflare for persistence. Hold on one second. I gotta. You guys. Like, this is worth it. Okay, check it out. Threat actors used Cloudflare for persistence. Oh, yeah, that's good. Oh, that's hilarious. Guess what? Kraken's down. We win. All right. For real, though, this is an interesting technique, obviously sophisticated, concerning. Remember that every single. Oh, Down Detector's back up. Thank you, Elliot Matice. Twitter's down. Oh, Cloudflare's down. Oh, good thing YouTube's fine or else we'd have a problem here.
B
Whoops. All.
A
Right. Hey, guys, check it out really quickly. In the world of cyber security, we have jobs and we get paid decently because of threat actors. Right? If threat actors didn't exist, probably two thirds of us wouldn't have jobs. Okay? A cat and mouse game. And when we come up with defenses, threat actors adjust and pivot and move around. You've seen it at the operating system level with buffer overflows. Then they came out with DEP and ASLR. They got around that with ROP, ROP gadgets. Then we came out with Control Flow Guard. Okay. Now there's JOP to get around Control Flow Guard. Okay. And in the ransomware space, there's been all sorts of defensive technologies over the last couple years, right? Backups have always been a great option, but there's tools that look to see if massive amounts of files are being encrypted and then it'll kill those processes. It looks at certain directories, like canary token directories, basically, and if the canaries get encrypted, they kill the processes, etc. Right. So this is an evolution. So to me, this is less about Kraken and more about the evolution of the cat and mouse game of the ransomware space. So I would take this as a macro level insight. I'd also, for what it's worth, keep this in mind as far as job interviews. And if you are protecting your own organization, ransomware should be one of the threats that you're thinking about. Be mindful of this advancement on the threat actor side. So what it does is when it gets on the box, it actually benchmarks the machine to figure out the optimal encryption approach to ransomware the box. So it can look to see, oh, hey, like, you know, I don't want to encrypt a bunch of files really quickly because that's going to tip over a scan, that's going to tip over a detection to let the threat actors, I mean, to let the defenders know that I'm doing this. 
So I'll slowly encrypt and I won't reach a level of concern for the defensive solutions to fire off and prevent the encryption. So essentially, some of your defensive techniques could be compromised or not. Some of your defensive techniques could not be utilized because this Kraken software is doing a bit of an analysis and an evaluation of the machine and the defensive tech on it prior to detonating. It's not always easy, but you know, for me personally, what I would like to do here is like, okay, let's get a copy of this Kraken, put it on a lab machine with our, you know, security tech stack on it and run it, you know, in a controlled way and see if our defensive technologies identify and stop it. Okay. Now, I don't know enough about Kraken to know if they have anti-analysis techniques. Sometimes it could not detonate correctly because it knows it's being studied. But did we just become best.
B
Friends?
A
Yep. All right, Space Tacos says I only got four hours of sleep last night. I appreciate your energy, Jerry. Thanks for keeping me awake. Heading out to an all day training with Deloitte at the Rockefeller Center. Ooh, GRC Mafia. First of all, thank you Space Tacos. Also have a great time at the training. All day training is definitely good and Deloitte is definitely, you know, high class. All right, guys, let's keep cooking. A A Fairy says sending much love to all the Simply Cyber crew. This is one of the best spaces in the world. Thank you, Jerry and the whole team. That and the chat army. Yeah, I love it. Thank.
B
You. Huge thanks to our sponsor, KnowBe4. Your email gateway isn't catching everything and cybercriminals know that. That's why there's KnowBe4's Cloud Email Security platform. It's not just another filter. It's a dynamic AI powered layer of defense that detects and stops advanced threats before they reach your users' inbox. Request a demo of KnowBe4's Cloud Email Security at knowbe4.com or visit them this week at Microsoft Ignite booth.
A
5532. All right, let's go. I've been doing the warm chocolate. All right. Hey, shout out to all you guys. A lot of love in chat today. I definitely appreciate it. It feels good. It's like a digital hug. So thank you. Thank you very much, guys. I want to say shout out to the stream sponsors, Antisyphon, DeleteMe, ThreatLocker and Barricade Cyber Solutions. Guys, Barricade Cyber Solutions has been putting together a pretty great bi-weekly webinar series. Go check it out. Fortified365, and the episode is tomorrow. Tomorrow is on SharePoint and OneDrive. Guys, listen, if you are running Microsoft Azure, which many of us are, and you also agree that it's critical infrastructure, every single one of your end users gets issued the, you know, basically access to the personal OneDrive and SharePoint access. So if you don't properly configure that, if you just go with the default configuration, you are taking on risk that you don't need to. But honestly guys, maybe you don't know how to solve this. That's why Eric Taylor and Barricade Cyber are here with their webinar series. If you come tomorrow at 1pm Eastern time for this free session, you'll be able to learn how to set external sharing defaults for new and existing guests. Right? Ooh, guest access. You got to control that. Group policy for seamless OneDrive integration, restricting OneDrive to domain sync, to putting in retention policies. Dude, this is a very practical webinar. Not a lot of fluff. All sizzle. Oh wait, no. All steak and sizzle. So go to webinars.barricadecyber.com today. Check it out. Every single day of the week has a special segment and Tuesdays is Tidbits Tuesday where I share a little bit about myself and see if we vibe together. I gotta tell you guys, what can I tell you guys, because basically I'm setting up like an overhead shot on my desk over there to do some videos where overhead top down. I don't really feel like that's something you guys care about though. Okay, how about this? 
We got Thanksgiving coming up next week, which blows my mind. We're doing something different this year. We usually do family stuff. A couple years, we've been going to my aunt's house for years, but due to some differences in, you know, perspective, we're not going, we're not invited there anymore. So last year we did Thanksgiving here at the house, like our own thing. We did the big turkey and everything. And this year we're trying, we're going to a friend's, you know, good friend's house and his family and his parents who I'm good friends with growing up. We've known him for, you know, 30 years. So we're doing, like, the Friendsgiving type thing with our families. So what's your Thanksgiving tradition? You guys starting new ones? No, it's not Aunt Dorothea. No, no, it's Aunt Susan. My Aunt Susan, but yeah. So what's your Thanksgiving plans? That's what I'm doing. We're trying a new one. Kind of a Friendsgiving situation. All right, guys, let's keep cooking. There's my man Zach Hill in chat. All right, let's.
B
Go. Cursor paves way for credential stealing attacks. Cursor's AI powered developer environment lets attackers hijack its internal browser to steal credentials. Knostic researchers found Cursor doesn't validate certain runtime components, allowing a malicious MCP server to inject JavaScript, overwrite login pages, and run code across all browser tabs. Cursor says this isn't a fixable bug, but a risk of how AI coding tools work. Users are warned to review code and avoid autorun.
A
Features. All right, so again, I know I sound like an old curmudgeon fist shaking at the clouds. Oh, I'm. I'm all gray and old. I remember when magic was, you know, big beasts and you just smash the face. Okay. And I've been complaining about vibe coding for a minute. Cursor is like vibe coding ground zero. And as a cyber security professional, you should be absolutely aware of this. What is happening is these platforms that can vibe code, which means you basically just tell it what you want the application to do, and AI handles the programming part of it, is littered with OWASP top 10 vulnerabilities because it's a software engineer, not a security professional. You can see here, researchers are discovering a security weakness in this tool that allows malicious MCP servers to hijack Cursor's internal browser. Now, MCP servers, you should absolutely get it up to date on are they allow for modularization of services to integrate with AI tooling. So think of them as like API interfaces for web applications. And if that's a lot of friggin acronyms, just instead of having to code everything in, MCP servers allow you to reach into capabilities and pull things out. It looks like we have a first timer in here. Mickey T10 or T1037 at Mickey M I C K E Y like Mickey Mouse. Please welcome Mickey to the stream. Welcome to the party, pal. Welcome to the party. All right, so malicious MCP server is definitely a thing. And let's see how Kersha gets screwed over. By this one, Cursor allows attackers to take over its browser and deliver credential stealing attacks. Now remember, credential stealing is not good. Wait, did we just become best.
B
Friends?
A
Yep. We've got a Felucci D with a super chat. Thanks Jerry, for all you do. You've been an inspiration. I started a YouTube channel, I sentry Insights, where I share insights on cyber and fraud prevention. Heck yeah, dude, I love it. Way to go, man. Congratulations. Keep going. Also, hey, really quickly, since Felucci D started a YouTube channel, my personal branding four day, 16 hour course, it's only delivered live, is happening in the second to last week of January. I just made this decision yesterday. So just letting everybody know in case anyone's down with that. Okay, so this particular attack is not a software development OWASP Top 10 issue. But you should be aware that Cursor vibe coded stuff does have that. How does this work? All right, so the security researchers were able to replace the login page with Cursor's internal browser with a page that harvests creds and sends it to the user. Basically this is a simple, basic phishing landing page and they're able to bake it into the web app. Now, the MCP server. All right. Researchers created a proof of concept malicious MCP server, then implemented a script to modify unverified code for when an MCP server is registered. That allowed them to inject arbitrary code into the internal browser, which they injected JavaScript to basically scrape the username and password from the login page and then send it to the threat actor. To the researchers. This is a pretty cool attack. It's elegant. Yeah, this is Phil Stafford. Got any thoughts on this? Drop them in chat. Phil Stafford, John V, kind of the AI security people in chat. The question is how do you protect against this? It's not clear to me, because Cursor's not going to fix this, because Cursor is saying that this isn't a flaw. This is just kind of the architecture of the system. And the thing is, the malicious MCP server is kind of the attack element, right? There's just no validation being done by Cursor.
So developers using tools should triple check every MCP and extension they add. Okay, so this is basically no different than importing malicious functions, like when PyPI, npm, GitHub get compromised. Spoiler alert. In 2025, when you are integrating MCP servers, make sure they're legit, make sure they're not malicious. That's the TLDR of this story, and I don't 100% know. I've still got to learn more about AI. I don't even know 100% how you validate an MCP server isn't malicious. Phil Stafford, if you got an answer, drop it in chat. But this is not about a vibe code issue. This is about depending on an MCP server that's not safe.
B
Overconfidence is the New Zero Day. A new report from Immersive shows that cybersecurity teams are overconfident but underprepared. Across 1.8 million simulated exercises, participants averaged 22% accuracy and took 29 hours to contain infections. Readiness scores have flatlined since 2023, with many teams practicing outdated scenarios and excluding non technical roles, which undermines coordination. Immersive says confidence often exceeds actual skill and metrics like training completion mask capability gaps. The report urges orgs to shift from assumption based confidence to evidence backed readiness, continuously testing skills against evolving threats, including AI enabled attacks.
A
Okay, if you have been a regular member of the community, then you know that I have consistently been banging the drum on tabletop exercises, and specifically not letting Kevin, who's been there for 30 years, and I know I got some pushback in chat a couple days ago when I said this, but the person who knows all the things, don't let them be the one talking. Start the tabletop exercise off as if you're on vacation. You're on read only right now, you're not allowed to speak. Okay? Overconfidence is a killer. Oh hey, what happens if we get hit with ransomware? Oh, we'll just restore from backups, no big deal. And sometimes there's a lot of shade being thrown, right? Like, oh my God. Especially if you're, by the way, just spoiler alert, because this is real and you will never read this in a textbook, I guarantee you, but I've seen this in my career multiple times. If you are younger or you only have a couple years of experience in the industry, right, you could be a 45 year old, but you just got into cyber two years ago, right? So it's not about age, it's about time in the seat, for lack of a better term, right? When you say, oh hey, you're running a tabletop exercise and you're like, oh, there was a ransomware attack, and the person who's been there 30 years, been doing it forever, knows everything, and they're like, we would just restore from backups, Jerry. Like sarcasm. Not toxicity, but just like throwing shade. I got to ask you. Not ask you. I got to tell you. Have a high EQ. Have a high emotional quotient. Have a high ability to let that just slide off you, okay? And not take it personal. Be objective. I know this is going to be difficult, especially for me to do, but remove passion from the equation. Be objective. Be almost cyborg like. And when they say, oh, just restore from backups, be like, okay, that's great. I'm glad we have that capability. Tina, you're on the IT team.
Kevin says we restore from backups. How do we do that? Right? And Tina's like, I don't know. It's like, okay. And by the way, set expectations, too. Be like, hey, listen, when we do this tabletop exercise, there will be questions asked, and there will be such times when you don't know the answer. All that is is an opportunity for us to improve. Because if we don't know the answer, that means when we really have to deal with a real situation, we're not going to know the answer. So no one's getting written up. No one's wrong. No one's not doing their job. No one's getting in trouble. Today, what we are trying to do is kick rocks over and figure out where our problems are. So let's take a real hard look at ourselves. We're all great professionals here, but we can improve. You might even want to throw it out there. I mean, is there anyone in this room who doesn't think that they can improve? And if you got that one person who's like, no, I'm awesome, be like, all right, well, since you're awesome, let's go ahead and remove you from the equation. Just deal with you later. All right? I'm telling you, tabletop exercises, removing passion. That is how you handle this risk, because I'm telling you, overconfidence, guys. If you've never dealt with a real incident, it is an adrenaline dump. It is very high stress, and you're not making great choices, especially if you haven't practiced.
B
Princeton University database breached. Princeton University says a database holding donor, alumni, student, faculty, and parent information was accessed on November 10. The intruder was in the system for under a day, and it's unclear what was viewed. But the database stores names, contact details, and donation records. It typically does not include Social Security numbers, financial data, or student records covered by federal privacy law. No other systems appear to have been touched.
A
Oh, well. So here's the real. This is interesting. I can just tell you right now, Princeton is an Ivy League school. By the way, shout out to East Brunswick, New Jersey and the grease trucks. Am I right? I don't even know if they have those grease trucks anymore. I haven't had a grease truck sandwich since, you know, 1999. These disgustingly unhealthy sandwiches that are so good. Shout out to fat Cocos in the chat. And if you know, you know. Okay, listen now, Zmith. This wouldn't have FERPA data. This is donor information. Guys, Princeton University, as an Ivy League school, probably has some very wealthy alumni who definitely donate money. So to me, this is less about Princeton University and more about straight cash, homie. Straight cash, homie. They said that the threat actor was only in there for 24 hours and they don't know what it looked at. It doesn't look like any data exfil, if I had to guess. My thoughts are this is some, you know, curious person who stumbled in here, looked around and then got the hell out of there, realizing that they didn't want to do anything. East Brunswick is Rutgers. Yeah, but isn't Princeton right there? Why? Okay, it's in Princeton, New Jersey. But hold on, hold on. I'm sorry. Really quick, chat. Hold on. We gotta figure this out, because I swear to God, I was definitely at Princeton. I was definitely eating at grease trucks and I definitely was near East Brunswick. Oh, it's closer to Trenton. Yeah, New Brunswick's right here. I'm not that far. I mean, I don't know how far this is. Maybe I slept in New Brunswick and drove to the grease trucks. I don't remember. Guys, if you knew me in 1999, I was a much different person. I definitely slept on the floor that night somewhere. I definitely ate grease trucks at 3 in the morning. It was a different time. Okay. Anyways, I don't know if they're going to notify these people, the donors, big money. The universities depend on donor money.
So this is not good. This is a bad look for Princeton University. They're going to have to do damage control, crisis management because they don't want those donors getting pissy and taking their money.
B
DoorDash email spoof sparks dispute. DoorDash patched a flaw that let anyone with a free DoorDash for Business account send fully branded emails from no-reply@doordash.com, creating a phishing vector. The researcher who found it says the issue sat unaddressed for more than 15 months and was only fixed after he applied pressure. While DoorDash accuses him of attempting extortion and banned him from its bug bounty program, the now resolved bug didn't appear to expose user data.
A
Oh boy, here we go. So this is one of those situations when we talk about vulnerability disclosure, responsible disclosure, bug bounty programs, paying researchers for their work. Sometimes it gets ugly, and this looks like one of those. So DoorDash patched the issue. Ah, you gotta patch it. This researcher discovered that they could send official DoorDash emails from the company's official servers. So this would pass DKIM, DMARC, SPF security controls, right? A perfect phishing opportunity. Hey, here's a fifty dollar DoorDash credit. You know, put in your DoorDash creds. Super easy. Hey, DoorDash has shared a, you know, like, DoorDash now allows you to log in with your Google account. We're offering people $100 DoorDash as part of the celebration of partnering with Google. Put in your creds, right? Whatever. Download this new app, download this malware in order to, you know, see your DoorDash delivery guy in real time, right? Like a million different ways, right? Phishing email with all the bells and whistles of authority. But here's the issue. The researcher reported the vulnerability, which they fixed, by the way. And now it's a finger pointing game of impropriety. Anyone could send the email. All right, so security researcher Double 07, which, by the way, love the James Bond reference. I mean, honestly, I don't see why DoorDash didn't pay them. Threat. So the researcher did the appropriate thing. They did not go wide, they didn't go public. They responsibly disclosed it. It looks like DoorDash was telling them to kick sand. So they approached a news outlet discreetly and provided evidence showing it. So here's my thing. What the hell was DoorDash's argument here? Like, dude, if you run a bug bounty program, you have to pay your security researchers. It's such an ugly ass look to not. So what is the.
All right, so DoorDash, to me, DoorDash acted inappropriately here. So they responsibly disclosed and DoorDash just dragged their feet. 15 months of this thing not being accepted as a vulnerability. So then he reached out to news outlets. Yeah. And HackerOne is the bug bounty platform DoorDash uses, and they closed the vulnerability as informative and never escalated it, even though it was exploitable. So I don't know if anyone in chat works with bug bounties. I'd love to ask Jason Haddix this. He's going to be my guest at some point soon. I would love to ask him this. Dude, imagine, if you will, your business, and you barely are paying for security research anyways, but you do bug bounty, and then any legit bug that comes in, you just say it's informative and you close it. Even if it's a real bug, and you don't pay your researchers. That's how you get an ugly look. And you know what irritates me is, like, DoorDash. Like, I'm not saying you have money to spend, but dude, like, you can't give this guy a thousand bucks? Like, why are you so petty? I can't stand businesses that spend a dime to save a nickel, right? Or they're just like so cheap. It's so short sighted. Anyways, I agree with the researcher in this instance, right? Based on the evidence I have. That's what's up. All right, here we go. Whoa, whoa, excuse me. Wait, hold on. We have one more story. I'm sorry.
B
CISA plans hiring spree to rebuild depleted ranks. CISA plans a major hiring push in 2026 to recover from prior staffing cuts and strengthen defenses against China related threats. Acting Director Madhu Gottumukkala cites a roughly 40% vacancy rate in critical mission areas and says the agency will prioritize state cybersecurity coordinators, regional advisors and talent through DHS's Cyber Talent Management System. CISA plans to offer more flexible work options, expand university partnerships, reinvigorate internships and recruit Scholarship for Service graduates to restore operational capacity and mission readiness.
A
All right, so, okay, so CISA is going to be hiring. I find it funny, almost laughable. Like, you see this from time to time in business. But like, this is ridiculous. So remember earlier this year, like in February, when DOGE fired a bunch of people? Right? Now they're hiring. So this is great for us. Okay. Love it, love it, love it. CISA, to me, delivers a lot of value. Cyber Security Infrastructure Security Agency. Or excuse me, Cybersecurity and Infrastructure Security Agency, under Department of Homeland Security. Helps protect, you know, the Internet. A lot of information sharing and analysis. A lot of, like, you know, the Known Exploited Vulnerabilities catalog. There's a lot of value in being able to help businesses, you know, state, excuse me, public and private organizations protect themselves. They have a 40% vacancy rate across mission areas. So CISA is a skeleton crew. They have a great mission and they're not able to deliver on it because of staffing issues. The good news is, right, for many of us, I would say that, you know, hiring has been a hot mess, right? Like, lots of layoffs going on. Some of us in this community have been laid off, and CISA is going to go on a hiring spree. So good on that. Look for some jobs. This could, like, help the economy. You know what I mean? So let's go. All right, hold on one second. We got to figure out Eric Taylor here. All right, guys, I do want to say shout out to all you, thank you so very much for being here. I hope you got value from the stream. To Mickey, who's doing the college tabletop exercises, hope you got value. Hope you come back tomorrow. To all the other first timers, I hope you enjoyed it. To all you long timers, as always, thanks for being here. We've got Simply Offensive, Phillip Wylie's show, Episode 6 of this season coming up. You got to build some labs. And look who his guest is.
None other than our very own Daniel Lowrie. So you know this is going to be a banger of a conversation, but until 9:30, we've got some jawjacking. Now, you may have noticed I'm wearing a button down shirt. That means I got to go teach. If I'm not wearing a cybersecurity T shirt, it means I got to go teach. I teach at the Citadel Military College on Tuesdays and Thursdays. So let's figure out Eric Taylor's issue really quickly. Give me one second. Talk amongst yourselves. Let's go really quickly. I'll spend one minute trying to help Eric here. He has to accept his invite. Unfortunately, Restream, which is the platform we use for distribution of the show, I only have four seats in Restream. I have one, Kimberly has one, Daniel has one, and Eric Taylor has one. Because we're on the shows often and I've got to juggle one of the things, because I let other people use it from time to time for reasons. Thank you, Amish brain. Thank you, Elliot, Mati. All right, let's keep going. I'll give, I guess, 13 more seconds here to Eric Taylor. Kimberly's here. Like, I don't know if he's trying to log in or what, but. All right, y'all. Okay, no problem. All right, here's the deal, guys. I think part of the Cloudflare issue is now preventing people from logging into Restream, which, by the way, thank God I was able to get in here. The backup backup plan is really disaster recovery if I can't get into Restream, but we can't do that. So, guys, I'm gonna end the show. If you can, check out Phillip Wylie, Simply Offensive, in about half an hour. Maybe go grab a muffin and a coffee, hit the head, take a bio break, and then come on back. Leave the stream up. I'm Jerry from Simply Cyber. Shout out to all of you. Thank you so very much for being here. Have a wonderful Tuesday and I'll see you tomorrow at 8:00 a.m. Eastern Time. And don't forget public accountability. I'm going to be making an end user awareness training video that you can steal.
I will literally make it so you can steal it and make it for your business. All right, I'm Jerry from Simply Cyber. Till next time, stay secure, see.
Date: November 18, 2025
Host: Dr. Gerald Auger, Simply Cyber
Main Theme:
A lively, insight-driven walk through the most critical cybersecurity news headlines shaping the threat landscape today. Dr. Auger delivers expert actionable commentary for practitioners, from technical analysts to GRC pros, blending community energy with practical advice for career growth.
This episode, Dr. Gerald Auger tackles some of the largest active DDoS attacks, government site defacements, evolving malware campaigns, ransomware tactics, and the practical business impacts of breaches—all while emphasizing the ongoing cat-and-mouse dynamic between attackers and defenders, the value of real-world tabletop exercises, and practical takeaways for cybersecurity teams and leaders. The show's tone is energetic, supportive, and packed with accessible, career-friendly explanations.
Public accountability: “I’m going to be making an end user awareness training video that you can steal...I will literally make it so you can steal it and make it for your business.” (1:00:42)
For more insights and community support, catch the Daily Cyber Threat Brief live on weekday mornings at simplycyber.io/streams.