Daily Cyber Threat Brief – Nov 24, 2025 (Ep. 1012)
Host: Dr. Gerald Auger
Podcast: Simply Cyber Media Group
Date: November 24, 2025
Episode Overview
This episode delivers real-time expert analysis of the top cybersecurity news relevant to practitioners, analysts, and security leaders. Dr. Gerald Auger, seasoned GRC (Governance, Risk, and Compliance) pro and community builder, recaps eight major stories, providing actionable insights, context, and plenty of wit to help listeners stay on the cutting edge of cyber threats and industry trends.
Key Discussion Points & Insights
1. CrowdStrike Insider Threat – Insider Leaks Internal Data
Timestamp: 09:53–17:57
- Story: A CrowdStrike employee shared internal system screenshots with cybercriminals, resulting in information surfacing on Telegram. There was no breach of core systems or customer data. The perpetrator reportedly received $25,000.
- Gerald’s Analysis:
- Insider threats are inevitable in any large tech company, especially in security vendors. “This is insider threat all day long, okay? Tech companies definitely need to worry about insider threat.” (10:45)
- Contextualizes the motivations behind insider threats—not always malicious intent, but personal desperation (e.g., medical emergencies, debts).
- Emphasizes the importance of detection controls, honey tokens, threat intelligence, and objective monitoring. Calls for realistic, not naive, trust models:
“Companies can love their employees, treat them well, but at any moment, an employee can be compromised.” (14:37)
- Commends CrowdStrike’s rapid detection and response.
- Memorable Moment: Gerald’s personalized storytelling and comedic social critique of workplace culture, coupled with serious reminders about incident detection.
2. Iberia Airline – Third-Party Supplier Data Breach
Timestamp: 17:57–20:37
- Story: Spanish airline Iberia reported a leak of customer names, emails, and loyalty card IDs due to unauthorized access to a supplier’s systems. No passwords or payment info lost.
- Gerald’s Analysis:
- Reframes as a supply chain risk problem: “Company that has customers discloses customer data leak after third party security breach. This is the world we live in.” (18:28)
- Underlines the reputational harm of such breaches, even when the company itself isn’t directly responsible.
“It doesn't say the company that actually had the data breach, it just says Iberia.” (18:56)
- Notes the limited impact and that regulatory (GDPR?) factors likely drive disclosure.
3. AI Too Risky to Insure – Insurance Industry Wary of AI Liabilities
Timestamp: 20:37–27:35
- Story: According to the Financial Times, major insurers now seek to exclude AI-related liabilities, calling AI “too much of a black box.” Concerns stem from high-profile errors (Google, Air Canada) and major AI-driven frauds.
- Gerald’s Analysis:
- Connects to broader trends: Early cyber insurance was like a gold rush, but mass ransomware incidents woke up the industry.
- Warns that “AI is in everything” today, making blanket insurance exclusions problematic:
“If everything has AI in it, whenever you have a claim, can't they just be like ‘AI is not covered’?” (22:54)
- Predicts more risk will be shifted back onto businesses if insurers steer clear.
- Poll Launched: Gerald asks audience if they'd like an insurer as a Fireside guest to discuss AI’s insurability (over 90% “yes” response).
4. Salesforce Data Breach via Third-Party App (Gainsight)
Timestamp: 27:35–32:19
- Story: Salesforce detected unauthorized access to customer data through an external app, Gainsight, likely tied to Scattered Spider/ShinyHunters. No Salesforce platform vulnerability was cited.
- Gerald’s Analysis:
- Notes the value of Salesforce (CRM) data—can reveal lucrative targets to attackers.
- Observes how threat actors use third-party app integrations as an entry point.
- Warns:
“This to me, this is what they're doing. They're fueling their pipeline. This is like the recon phase of their kill chain.” (30:04)
- Predicts the merger of major threat groups may make them susceptible to law enforcement in 2026.
5. SonicWall SSL VPN Buffer Overflow Vulnerability
Timestamp: 37:55–42:48
- Story: High-severity buffer overflow flaw (CVSS 7.5) in SonicWall Gen7/Gen8 SSL VPN; attackers could cause firewall crashes (DoS). No exploitation seen yet; patches urged.
- Gerald’s Analysis:
- “SonicWall, one of the revolving doors of … vulnerability news reports on the regular.” (38:40)
- Stresses importance of patching Internet-facing security appliances but offers risk-based context:
- Low current likelihood of exploit (0.03% in 30 days per EPSS).
- Holiday week, lower user activity—may reduce urgency.
- Advises rational (not panicked) vulnerability management:
“You want to patch this, but I wouldn’t prioritize this as you gotta pull everything down and get it fixed right now.” (41:03)
- Teaches GRC listeners about nuanced vulnerability triage.
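The triage logic Gerald walks through for the SonicWall flaw (high CVSS, very low EPSS, no observed exploitation, Internet-facing, denial-of-service impact) can be written down as a small scoring policy. The example below is added here and is not code from the show or from SonicWall; the tier thresholds, SLA windows and the three comparison findings are constructed assumptions, while the SonicWall row uses only the figures quoted in the episode (CVSS 7.5, 0.03% EPSS over 30 days).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str                # descriptive label (no CVE id is given on the page)
    cvss: float              # CVSS base score, 0.0-10.0 (severity if exploited)
    epss: float              # EPSS: probability of exploitation within 30 days, 0.0-1.0
    internet_facing: bool    # reachable from the Internet without an authenticated hop
    exploited_in_wild: bool  # vendor advisory, CISA KEV or threat intel confirms active attacks


# Remediation windows per tier in days. Hypothetical policy values, not from the episode.
SLA_DAYS = {"emergency": 1, "high": 7, "standard": 30, "backlog": 90}


def likelihood(f: Finding) -> float:
    """Estimate the probability this flaw is attacked at this organisation soon.

    EPSS is the starting point; confirmed exploitation overrides a low model
    estimate, and flaws that are not reachable from the Internet are discounted
    because the attacker must already have a foothold to use them.
    """
    p = f.epss
    if f.exploited_in_wild:
        p = max(p, 0.9)
    if not f.internet_facing:
        p *= 0.25
    return p


def tier(f: Finding) -> str:
    """Map severity (CVSS) and likelihood onto a remediation tier."""
    p = likelihood(f)
    if p >= 0.5 and f.cvss >= 7.0:
        return "emergency"                      # likely to be hit and damaging: drop everything
    if p >= 0.1 or (f.cvss >= 9.0 and f.internet_facing):
        return "high"                           # patch this week
    if f.cvss >= 7.0 or p >= 0.01:
        return "standard"                       # normal change window; high severity but unlikely
    return "backlog"


def triage(findings):
    """Return findings most-urgent-first, each with its tier and SLA attached."""
    order = list(SLA_DAYS)                      # emergency, high, standard, backlog
    rows = [(f, tier(f), likelihood(f)) for f in findings]
    rows.sort(key=lambda r: (order.index(r[1]), -r[2], -r[0].cvss))
    return [
        {"name": f.name, "tier": t, "sla_days": SLA_DAYS[t],
         "likelihood": round(p, 4), "cvss": f.cvss}
        for f, t, p in rows
    ]


# The SonicWall row carries the numbers quoted in the episode; the other three
# findings are constructed for contrast and do not describe real advisories.
SONICWALL_SSLVPN_DOS = Finding("sonicwall-sslvpn-dos", cvss=7.5, epss=0.0003,
                               internet_facing=True, exploited_in_wild=False)
SAMPLE_FINDINGS = [
    SONICWALL_SSLVPN_DOS,
    Finding("edge-vpn-rce", cvss=9.8, epss=0.80, internet_facing=True, exploited_in_wild=True),
    Finding("internal-app-sqli", cvss=8.8, epss=0.30, internet_facing=False, exploited_in_wild=False),
    Finding("internal-lib-info-leak", cvss=5.3, epss=0.002, internet_facing=False, exploited_in_wild=False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(f"{row['tier']:<10} {row['sla_days']:>3}d  cvss={row['cvss']:<4} "
              f"p={row['likelihood']:<7} {row['name']}")
```

Run as-is, the SonicWall flaw lands in the "standard" tier with a 30-day window: its CVSS alone would put it near the top of a severity-sorted list, but the 0.03% EPSS and the absence of observed exploitation keep it out of the emergency queue, which is exactly the "patch it, but don't pull everything down" position the episode argues for. The constructed edge-VPN finding shows the opposite case, where confirmed exploitation forces the emergency tier regardless of how the model score started out.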
6. Cox Enterprises – Oracle E-Business Suite Zero-Day Data Breach
Timestamp: 42:48–46:41
- Story: Cox Enterprises breached via an Oracle EBS zero-day in August, disclosed in September. Clop ransomware group took credit. Types of data exposed remain unspecified.
- Gerald’s Analysis:
- Notes delayed detection reflects suboptimal IR capability:
“They were hacked in August. Didn't find out till September. Which tells me that their incident response program is ‘meh’...” (43:29)
- Calls out corporate legal tactics in not naming the attacker, even when it’s publicly visible (“It’s Clop, we all know it’s Clop!”).
- Advises listeners to use incident as a tabletop scenario and suggests ransom demand baseline:
“Select 3% of your annual revenue as a number to make it ... skin in the game for the executives.” (44:53)
7. Ransomware Hits Law Enforcement in Oklahoma and Massachusetts
Timestamp: 46:41–47:22
- Story: Ransomware disrupted Oklahoma’s Cleveland County Sheriff's Office. In Massachusetts, a cyberattack on Attleboro’s government and police department crippled phones, email, and bill-pay. Emergency services (911) stayed operational.
- Gerald’s Analysis:
- Emphasizes state and local agencies’ persistent vulnerability due to underfunding and heavy IT workloads:
“They have IT people that are basically told to also be cyber security, who are also spread thin…” (47:22)
- Easy first step: “Show me your external Internet facing IP range ... Let’s start hardening that. Let’s see what the criminals see.” (49:57)
8. Wind Farm Insider Crypto-Mining: Dutch Operator Catches Employee Mining at Work
Timestamp: 50:40–51:43
- Story: Nordex manager in the Netherlands was sentenced for running crypto mining rigs at wind farm sites after the company was hit by Conti ransomware. Historical cases from Russia and China cited.
- Gerald’s Analysis:
- Finds humor in the poor timing and location:
“This guy’s an idiot for plugging it directly into the wind turbine after a cyber attack. Buddy, as we saw with Salesforce … whenever a company has suffered a cyber attack ... everybody’s on high alert.” (51:43)
- Points out power theft (not crypto mining itself) is the crime, and it’s likely more rampant than we realize.
- Doubts the seriousness of the deterrent (120 hours community service): “If that guy mined one bitcoin, would you do three weeks of work for $86,000? I would.” (51:43)
- Ends by reminiscing about past detection of crypto mining in user browsers as a low-priority threat.
Notable Community Segments and Quotes
Simply Cyber Community Member of the Week
Timestamp: 33:07–37:55
Recipient: Shamira Gonzalez
- Praised for veteran status, participation in the upcoming video series, and launching monthly Women’s Virtual Meetings within the community.
- “Thank you so much for being such an amazing Simply Cyber Community member.” (35:45)
Lighter Moments & Show Tone
- Gerald combines deep insights with casual, relatable storytelling, jokes about holiday food, and references to movies and pop culture.
- Strong encouragement of security career development, learning, and community support.
- Examples:
- “You’ve got to be a lifelong learner. I’m excited about it.” (career chat, ~1:18:00)
- “It's a conspiracy put on by big turkey.” (joking about Thanksgiving, ~1:09:30)
Timestamps for Important Segments
- CrowdStrike Insider Threat: 09:53–17:57
- Iberia Data Leak (3rd Party): 17:57–20:37
- AI Insurance Bubble: 20:37–27:35
- Salesforce/Gainsight Breach: 27:35–32:19
- SonicWall Vulnerability: 37:55–42:48
- Cox Enterprises Oracle Breach: 42:48–46:41
- Law Enforcement Agencies Hit: 46:41–47:22
- Insider Crypto Mining at Wind Farms: 50:40–51:43
- Community/AMA “Jawjacking”: 1:03:00–End
Conclusion & Key Takeaways
- Insider threats and supply chain attacks remain evergreen topics; both require objective vigilance and continuous monitoring/detection.
- Cyber insurance for AI is emerging as a major risk discussion—uncertainty abounds, and businesses may be left holding the risk.
- Third-party integrations (e.g., with Salesforce) and unpatched critical vulnerabilities (SonicWall, Oracle) continue to drive big incidents.
- Critical infrastructure and state/local government remain tempting and under-defended targets.
- Community engagement is essential for career growth, peer support, and diversity in cybersecurity.
Dr. Auger’s Authenticity & Enthusiasm:
Throughout the briefing, Gerald’s blend of humor, candor, technical insight, and real-world stories makes the show both accessible and substantive for cybersecurity professionals at any stage.
Notable Quotes Recap:
- “You can trust your employees, but at any moment, an employee can be compromised.” (14:37)
- “AI is risky to insure … No one understands how it comes to its conclusions.” (23:55)
- “If you do work in state or local, my hat’s off to you. You’ve got an uphill battle.” (47:22)
Catch the show live weekdays at 8am ET on Simply Cyber Streams. For community chat, replay, and podcast archives: Simply Cyber.
