A
All right, what's up everybody? If you're looking for the show that keeps you current on the top cyber news stories of the day, while enabling you to be the best cyber practitioner you could possibly be alongside developing amazing friendships and relationships with a supportive, inclusive community, well then look no further, my friend, because you are at Simply Cyber's daily Cyber Threat Brief podcast. This is episode 1012 on A Beautiful Tuesday, November 25, 2025. We are off and running. Get ready to cook. Let's go. Good morning everybody. I hope everybody had a lovely Monday. Kickoff to the week and just continuing to slide on. And it is a Thanksgiving week, which means some of us are having a three day week, kind of taking it easy, sliding into a nice long weekend. I will be working on Friday, but I am taking Thursday off, which is hilarious because I told my wife, I told Mrs. Ozier yesterday, hey, you know, I'm taking Thursday off. She said obviously, obviously. I'm like, yeah, yeah, yeah, yeah, yeah, obviously. So good morning. Hey guys, if today's your first episode with us 1012, you picked a good one to get into. I am going to go through the top cyber security news stories of the day. I have no idea what they are. Didn't prep a research form. Ain't nobody got time for that. That's what's going on there. But I will tell if it's first episode. Hashtag first timer in chat. Drop a hashtag. First timer in chat. We have a special emote, a special sound effect. The squad members above me and the mod team like Jenny Housley, DJ B Sec, Haircut Fish, casually Joseph when he wakes up, Jay Crypto. Guys, we are all here as one community on the regular. So hashtag first timer. Welcome to the party, pal. Every single episode of the Daily Cyber Threat Brief is about an hour long but 30 minutes of it is pure GM packed hot cyber news led by a qualified expert instructor. 
I hate to self aggrandize but essentially I've got the experience and the, the education to be able to lead a, you know, kind of threat assessment briefing here, which is what this is. So if you, if you pair back the retro synth wave, if you take the cool music away, if you have this sick playlist not part of the show, then it's an instructor led webinar. Hold on, let me. Welcome to the webinar. It is worth half a cpe. So we do have some fun here. There's no reason that education and threat briefings have to be boring and suck. So say what's up in Chat. Grab a screenshot right there. Stones fan, Sierra Montgomery, Steve Young, Pure house dad. Guys, grab a screenshot, file it away. Once a year, count those screenshots, divide by two. That's how many cps you got. If you do it every single day we're here, you get about 120 CP's. Thank you, Kayla Sturgeon for crunching the numbers. Guys, we got a great one for you. Every single day of the week has a special segment and Tuesdays is Tidbits Tuesday where I share a little bit about myself and see if we vibe. We've had things in the past like me, like wrestling my. Wrestling my wife in my sleep thinking that she was Bo Jackson. And my absolute loathe for sour cream. I don't know. I don't know where it's gonna go. We don't know. I don't know. But we do know we're gonna have fun getting there. For all you solo operators like Joey Ad tech guys, I gotta tell you, do me a favor. I don't say this one very often, but if you are a solo operator, you're the only person in cyber or you're the only person in it. You know, you look like Cthulhu because you've got eight arms running around for all the things you got to do when you're alone. Hashtag team Solo. I want you to know you can think of Simply Cyber and the greater Simply Cyber community as your extended workforce. You don't have to do it alone. Believe me, being alone sucks. I'm well aware of it. I have been alone. 
And having a support group, having people you can turn to is an amazing, an amazing thing to have Simply Cyber. It's much more than a YouTube channel. It's a movement, it's a community. It's just all about good times. Let's go. Now before I get into the news and melt everyone's face, Phil Stafford, put on some SPF 50 because I'm gonna go full nuclear today and melt faces. Let me say shout out and love to the stream sponsors those who enable me to bring this show to you. Starting with Flare Academy. Now, some of you may have taken the Flare Academy training yesterday. They do these two hour long form webinars led by absolute bosses. Yesterday was the AD Entra ad. If you are into identity and access management, you definitely wanted to have catch that. Check this hotness out. They are going live large as they finish for the year. They're running a panel. They haven't done this before. Go to Simply Cyber in your web Browser now simply cyber IO flare to register for this absolute free session. 2. It's one hour long. Excuse me. December 11th. Everybody's chilling at the end of the year. Wouldn't it be nice to be able to look back at 2025 and have some hot thoughts around key moments? Guys, usually it's one instructor. They're bringing out the big guns today. Eric Clay, Chief Marketing Officer Matthew Lavoy, Chief Technical Officer and Co Founder Oleg elipco, CTI Analyst Tammy Harper, Senior Threat Intelligence Research. Guys, this is going to be a banger. I absolutely would strongly encourage you. Check it out. Thank you very much. Flair for continuing to just put out heaters left, right and center. I do want to say shout out and thanks to anti siphon training. Now, Zach Hill reached out to me yesterday and said dude, you got to share this. So I'm sharing this. Check this out guys. Anti siphons training annual Black Friday sale is back and this year they've got something really cool and special going on. 
On demand access to 50 plus anti siphon trainings, full access to the Cyber Range. One free virtual ticket to Wild west hack infest Denver. And it's all in their biggest sale of the year. You do have until December 31st to register for this deal. Check this thing out. One year subscription to all of these things. If you can get your, your, your training budget, your training dollars. Guys, if it's gonna expire at the end of the year, we your employer, don't let it expire. Go get it. All right, check it out. Here's the link right here. I'm gonna drop it in chat. Anti siphon training going big with their black. Well, it's not even Black Friday. It's like their holiday special. You basically get full access to their entire catalog for the entire year including the cyber range. Pretty dope. Love it. Let's hear from Threat Locker really quick and then we're gonna get cooking on the news. I want to give some love to the daily cyber threat brief sponsor. Threat Locker do zero day exploits and supply chain attacks. Keep you up at night. Worry no more. You can harden your security with Threat Locker. Worldwide companies like JetBlue Trust Threat Locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how Threat Locker can help prevent ransomware and Ensure compliance. Visit threatlocker.com Daily Cyber. All right everybody, you ready? Let's do it. Computer, load up the Chiron. Thank you. Computer. All right everybody do me a favor. Elliot Matice, Alpha Sierra Sean Saylors, Marcus Kyler Bruise and Hacks Roswell, uk All of you squad members sit back, relax and let's let the cool sounds of the hot news wash over us in an awesome wave. 
As always, I will see you at the mid roll.
B
Blinds.
C
These are the cyber security headlines for Tuesday, November 25, 2025. I'm Sarah Lane. CISA orders feds to patch OIM. CISA ordered federal agencies to patch a critical Oracle Identity Manager, or OIM, zero-day by December 12th after evidence showed attackers were probing the flaw weeks before Oracle issued a fix on October 21st. The bug lets unauthenticated attackers take over OIM with a single HTTP request, with researchers at Searchlight Cyber calling exploitation trivial. SANS Internet Storm Center's Johannes Ullrich found logs showing pre-patch scans dating back to late August, pointing to at least one threat actor using it as a zero-day. It is now on CISA's Known Exploited Vulnerabilities list.
A
All right, all right, so a couple things here. Number one, number one, if you're running Oracle Identity Manager, you absolutely have to patch it. Ah, you got to patch it. You have to patch it. This is not a joke, okay? The anytime you have a technology that has to do with security, especially in, you know, basically a zero trust architecture paradigm, which is what we live in now, the identity and access that's granted with identities is one of the, you know, most crown jewels. This is why getting domain controller, domain admin, getting ownership of AD has long been the crown jewel, kind of the finish line for a pen test. It's because once you own ad, you can, you can do anything. You have access to all the things. So, you know, basically this is legit. Now Oracle is, you know, for those who don't know because maybe you're young, Oracle is kind of like an enterprise grade only solution. It's incredibly. And Oracle is a company, right? Identity Manager is just one of their products. But traditionally all of the Oracle products I've ever interacted with has been big and bloated and you know, just large, right? And even the Oracle E business suite that's been getting punched in the mouth lately I'm sure is not trivial. So this is going to be for large enterprises, likely Team Solo people are not running Oracle Identity Manager, so you will have to connect with your IT counterparts, perhaps if you're large enough the identity and access management team to get this sorted out, but this is an absolute must fix. The next thing that I would say is there are. There's. There's a couple things like, all right, gather around the corner here, gather around the fire, right? When it comes to vulnerability management, which is what this is, this is a vulnerability, we have to take into account GRC Mafia people. We have to take into account a couple things on like prioritizing or evaluating this. Right. Number one is like, what's the impact if this gets popped? Okay. 
For me, that's the first thing. How bad is this? All right, this is awful. Okay? Number two is like, what's the likelihood of it getting popped? Now? There's a couple, There are a couple nuances to deciding how likely it is, right? It's not just like, can it be done? Like, is there. Is there an exploit out in the wild? Number one, right? Number two, how easy is it to exploit? Just be. Listen, just because there's an exploit out there or a poc. A proof of concept exploit, basically like a defanged version of the exploit on GitHub, for example, that doesn't mean that it's trivial to exploit some exploits or some vulnerabilities require. Require setup some vulnerabilities. The exploit has to fire just right. Okay? So the level of sophistication on exploiting is another variable that needs to be accounted for in this one. This is why I'm like, well, you gotta go in this one. They're talking about it being trivial to exploit. That's a key word here. Trivial. That means that I could do it. Okay, right. My. This means My son, 10 year old, you know, know, rocking around on ugg on his VR or his iPad or wherever he's doing. Right. His bone lab. He could exploit this. So that means that the popul. The whole reason is the population of people that could exploit this is large. Oh my. What? Tony MBA coming in hot. Got the risk analyst job started yesterday. Grc Mafia. So Tony, take this story and run with it, brother. Dude, sick. Super sick. Hold on. I got a. I got a GRC Mafia. This guy. GRC Mafia. I think some Oprah would be nice in there. What else we got here so hot right now? There we go, dude. Nice. Super pumped for you. Oh, of course. In the freaking wrecking ball. Thank you, haircut fish. There we go. If you're a squad member, do. Do me a favor, go in that emo tray and grab the wrecking ball. Emote and drop Some love for Tony NBA. We always celebrate when members of our community nail it and get a job. 
All right, so I've outlined why you've got to get you why you've got to patch it and the urgency of doing it really quick. I already know that you got to patch this, but just from a best practice perspective, let's go to epsslookup.com. Holy Jesus. All right, this is. This is all sorts of bad. Okay? This is all sorts of bad. According to EPSS, you have a 71% chance of being exploited in the next 30 days if you're running this. Okay? Which is like guaranteed. Number two, of the hundreds of thousands of vulnerabilities in EPSS's database, this ranks as in the 98th percentile for bad. All right? There are not many more vulnerabilities out there that could be worse. That's what this means. That's. That's not good. And then of course, CVSS score is saying it's a 9.8, which is gross. Honestly, again, I hate to be such a nerd, but this is actually a 10 now. Okay, so just really quick. This is a 10. It says 9.8, but when it's actively being exploited, it gets bumped up to a 10. That's kind of the rule of thumb, right? Like, wink, wink, nod, nod. Like if you work in GRC, you know damn well a 9.8 means really bad but not exploited. 10 out of 10 means active exploitation, which this one absolutely is. Final thing I'll say is, yes, go patch it. But as they mentioned in the story, Johan Ullrich from SANS Internet Storm Center has identified telemetry suggesting that pre-patch, before the patch came out, scans are being done looking for this vulnerability, which means you very much likely could have gotten punched in the face already. So go threat hunting. Go threat hunting. You'll have. I don't have time to look for this right now live on stream, but basically, if you're running, I do. Here's your. Here's your call to action. Okay? This is what you got to do. And by the way, if you're new here, I don't typically demand that you have to do anything. I'll strongly suggest. This is one where I'm going to pull out that arrow from my quiver and shoot it. 
If you're running Oracle Identity Manager, you have to make sure that this gets sorted out ASAP. And then you have to go threat hunt and make sure that you were not exploited prior to patching it.
C
Delta Dental of Virginia incurs data breach. Delta Dental of Virginia says a compromised email account exposed personal and health data for about 146,000 customers. The breach was discovered April 23 and may have allowed access to emails and attachments going back to March 21, including names, Social Security numbers, government ID numbers and protected health information. The company says there's no evidence of misuse but is offering a year of free identity protection and credit monitoring to affected individuals.
A
All right, I'm glad I went long on Oracle Identity Manager so we don't have to go long on this story. Hi. Insurance company of state Variable data breach impacts X number variable of customers. Insurance company suffers no loss of data. This is like this company. Like this report just goes short of saying like business operations were not impacted and shareholder value was not compromised. Oh, we got some gifted subs here from Brian. Brian with the gifted subs. Did we just become best friends?
B
Yep.
A
Thanks Brian Gruce. Definitely appreciate it. So I mean if you needed an. Hey listen guys, you know the holidays are right around the corner. Nothing quite fits under the tree like identity theft protection. You know, you've already got seven or eight of them. Bundle it up, put a bow on it, regift it, take it as your Secret Santa, Yankee swap. Identity theft protection. That's definitely going to work. Throw a couple scratches on there, you got yourself a nice little office gift.
C
Systems down at postal operator in Ukraine. The Ukrainian Cyber Alliance, also known as UCA, claimed responsibility for a cyber attack that disrupted Donbas Post, a Russian state-owned postal operator in occupied eastern Ukraine. The attack reportedly wiped out more than 1,000 workstations, around 1,000 virtual machines and several dozen terabytes of data. Donbas Post restricted services and suspended branch and call center operations. The disruption coincided with a drone strike on local energy infrastructure, leaving many wondering if the incidents were perhaps coordinated. UCA has previously targeted Russian financial, telecom and municipal systems.
A
Dude, Micah Romine in chat. Blank company compromised blank months ago affecting blank customers. Yes, dude, like cyber security. Like sometimes we deal with real things, sometimes it's mad libs. All right, this sounds pretty awful guys. This postal operator out of Ukraine, eastern Ukraine, which is Russia occupied, they didn't say Crimea but, but I mean actually I don't even know like EUR European people in chat. I know we don't typically have like Ukrainians or Belarusians or Russians for sure but how, how do people perceive Crimea? Like is Crimea. Like do we recognize it on the world stage? I guess. Elliot, do we recognize it as Ukraine or like, like the way that we recognize Taiwan as its independent country? Like I. I don't quite know, but they said Russia occupied Eastern Ukraine. Wait, hold on. This isn't even the right story. Wait a minute. What happened to the post office story? Hold on one second. Okay. Must have closed it by accident. All right, Moscow run postal oper. So pro Ukrainian activist group. So, you know, this is an ideologically motivated attack. This is a pretty serious attack, by the way. Like, dude, hacktivists. Typically, like, hacktivists can be everything from like, you know, you know, picketing outside the building all the way to like, denial of service attacks. You'll see, or sharing information that might shed light or, or, you know, bring light to atrocities or issues or whatever. And then you have this. This is like next level, dude. They wiped thousands of workstations, hundreds of virtual machines, several dozen terabytes destroyed. This is a. This is a real, like, this is real impact, man. It coincided with Ukrainian drone strike on energy infrastructure and left half a million without power. Okay, so a couple things here. Number one, Okay, Number one, this is a geopolitical, you know, Russia, Ukraine story, okay? So for the most part, there isn't much here for practitioners to take action on. Okay? 
Like the Oracle Identity Manager that was like, get going live beat labs hopping in the car. Let's go. Okay, so, but this is a good opportunity for educating people in general when we think about threat actors, right? Whenever, again, I'm a big GRC dork, so I always try to bring things back to GRC whenever we're actually doing, like, we found a risk in our environment and we're trying to evaluate it and come up with some type of qualified calculation. The first thing you have to do is threat modeling, right? You can't just be like, oh, there's a vulnerability. Like, that's why vulnerability scanner results are, you know, you know, an opening position at best, because you have to do threat landscape and threat modeling or threat modeling on the threat landscape to figure out what's up. And when you're thinking about that, you have a certain number of threat actors. Number one, financially motivated cyber criminals. That's our number one concern for most of us. Number two are nation state threat actors. And you can get caught up in the collateral damage. There's only one Internet, right? Look at Mondelez and Zurich. I mean, not Mondelez and Zurich, Mondelez and Maersk, when the NotPetya attack went through. Then we get a smaller group of people, and that's hacktivists, right? And this is ideologically motivated. Definitely something to be concerned with. And then finally, like, you know, revenge people, right? You, you wronged me at work or my, you know, my, my spouse, my loved one wronged me and I'm going to like destroy their business or whatever. So much smaller population of threats you have to worry about. But just, just know for the threat landscape and threat modeling, this is a real one, especially when you start doing, dealing with hot topics. Russia, Ukraine is one, you know, Palestine, Israel is another one. Also don't sleep on things like, like Roe versus Wade politics in the United States. 
You know, like just, just all sorts of things that people take strong positions on. You could deal with this. Now the final thing I want to point out here, and again, I, I definitely own this one. I definitely own this. I have, I long believe that global war in 20 in, in a modern world was going to be primarily fought on the Internet. Like, like cyber capabilities would reign supreme. Obviously I had a lot of bias because of what I know, but it's proven time and time again that cyber is a complementary capability. And this right here is just another example to support that claim. They run this massive wiper attack, destroying thousands of systems and terabytes of data that is massively disruptive, while at the same time launching a kinetic drone attack into a energy system, knocking power out to thousands or tens of thousands of people. That is, for all intents and purposes, guys, that's a terror attack. It is. You basically don't have like, it disrupts communication and it takes out power. I mean, as far as I'm concerned, that's, that's a terror attack. Now again, remember this final thing. Terror attacks are the same thing as signs of patriotism, depending on your perspective. Okay, I'm sure the, the Ukrainian hacktivists do not think of themselves as terrorists. They probably think of themselves as liberators, freedom fighters, patriots. Okay. Very important to note that perspective is critical when doing these type of evaluations.
C
Fluent Bit bugs allowed cloud disruption. Researchers from Oligo found five long-standing and easy-to-exploit vulnerabilities in Fluent Bit, a widely used open source log collector deployed across every major cloud platform. The bugs include authentication bypass, path traversal, remote code execution, denial of service and tag manipulation. Some flaws date back more than eight years and threaten full cluster compromise when chained. Updated versions 4.1.1 and 4.0.12 fix the issues.
A
All right. Hey listen guys. Oh, wait, let me. There we go. If you. Well, okay, so a couple things. One, Fluent Bit, if you're running it, it's in 15 billion deployments. So that's a problem. Again, trivial to exploit. That's something that, ah, you gotta patch. It's. Yes, Amish Runway. Yeah, it does say Jerry on the bottom. It's a gift. I'll talk about it at Tidbits Tuesday. So, open source log collection tool. It could be baked into other products, right? So like, let's say that you're using some open source SIEM. It may be using this Fluent Bit log collection tool as part of its tech stack. And you don't know it. Pretty gross. Here you can get remote code execution, bypass authentication. These two things alone are awful. Bypass authentication. So you don't need to, you don't need to log in. You just, you just. I'll just take it from here, thank you very much. Like, look at me, look at me. I'm the captain now. Remote code execution. I can do whatever I want because I'm all up in here. I mean, the denial of service at this point is just. I mean, honestly, I'm already apathetic by this point. So doing a denial of service, like, okay, like I'm already dead laying on the ground. Now you're just kicking me. As DJ B points out in chat, this is baked into cloud. So there's no action for you. There's no action for you to take. You're just a passenger on the train, right? This, this is like basically an announcement that there's been a flaw found in train tracks. And you know, you're on the train, you're not going to get out and fix the train tracks. Like Google, Amazon or whatever, they're the ones who have to fix it.
B
Oh.
A
Fluent Bit is in all Kubernetes nodes. Damn, dude. Let's see. What, what, what is there to do here? All right, there's multiple bugs for sure. All right, so yes, a bunch of CVEs. Thank you, thank you, thank you. Can we get to like, what to do as. As a practitioner? What you want to know is like, you know, you don't have to convince me this is bad. Give me action that I can take for resolving, remediating. Dude. Dude. Okay, so the entire article takes a victory lap on how great it is that research has disclosed this and everything. I. It's not quite clear to me what to do here. If you're running Kubernetes, I. I guess you should look into this. This, this is one of those gross ones. And this is why supply chain is a thing. Yo. Did we just become best friends?
B
Yep.
A
John V. Hold on. Let's take the. Let's show this in the chat. My man. John V. Getting promoted. Gonna. Thanks for the super chat too, by the way, John V. Gonna call it a wrecking ball because it's a new job. John V. Our lo. One of our resident AI/ML security experts had a chance to high five this dude in Vegas last year. Congratulations, dude. Who knew? Who knew that Tuesday, November 25th was going to be promotion and new job central? My man. Love it, love it, love it. All right, guys, the. The final thing I want to point out to everybody is listen, guys, if you're trying to get a CVE and you're like, oh, Fluent Bit is used by the biggest companies in the world, no reason to look there. No reason to look at this open source tool. I got another thing coming for you. There's a bug that's been sitting there for years waiting to be. Well, five bugs waiting to be discovered. So don't sleep on bug hunting, guys. Really quickly, DJ B Sec went. DJ, hold on one second. There's a lot of. There's a lot of, a lot of nonsense happening in Mod Chat right now. So. So DJ B Sec found this article where this was for the Oracle Identity Manager and I said threat hunting. You patch it, but then what? Right? Looks like there is some, some additional ins. Oh my God. Some additional insights in here. Oh, here, here's the IOCs. Right? So if you want to go threat hunting. There you go. Check it out. All right.
C
Huge thanks to our sponsor, KnowBe4. Cybersecurity isn't just a tech problem. It's a human one. That is why KnowBe4's human risk management platform allows you to measure, quantify and actually reduce human risk across your organization with AI powered risk scoring, automated coaching and reporting. HRM helps you surface your highest risk users and reduce the risk of data breaches and cyber attacks proactively. Ready to move from awareness to action? Request a demo of HRM today at knowbe4.com.
A
All right, we are at the mid roll. Which means only one thing. I would love a Simple Minds "Don't You Forget About Me" cover for Christmas. That's what I would like. All right guys, holla, holla, holla. Here we are. We are at the mid roll. A lot of great news today, John V. celebrating, we got a couple new jobs. Love it. Bruise and Hacks for the Super Chat. Bruise and Hacks saying it's become best friends. Yep. If anyone's traveling through the DMV area, DC, MD, VA over the weekend, they're having their Simply Cyber locals meet up at Vanish in Leesburg, Virginia at 1 to 5. Contact me for more details, that's at Bruise and Hacks. At Bruise and Hacks, you can get him in the Discord. Wonderful community member. Thanks Bruise and Hacks for doing that. And for those who are involved in the locals, I know there's only a small subset of you here, but I do want to get the flags wider distributed and provided to you guys as a, as an opportunity to, to have some fun. Guys, thank you to the stream sponsors again for supporting. It is an absolute privilege to be able to get up every morning and come serve this community and I wouldn't be able to do it without the stream sponsors' support because they essentially enable me to pay the bills. Right. Shout out to Threat Locker, Anti Siphon, Flare and Barricade Cyber Solutions. Guys, you know Barricade Cyber Solutions, Eric Taylor and the team over there are doing all sorts of great things, but they are also providing a bi-weekly webinar series for you to level you up as a practitioner. Guys, if you are managing an M365 environment or you're interviewing for a company that runs M365, which many of us do. Tomorrow, tomorrow you can attend a one hour session from 1 to 2pm and get unbelievable value in just one hour. Eric's gonna be running through how to set external sharing defaults for new and existing guests, how to. 
How to have guest access expire by itself, how to apply retention policies for OneDrive, how to basically make sure that every employee in your company that has OneDrive that can hold sensitive files, that, that is properly secured and hardened both from an external and insider threat perspective. So great value here. Go to webinars.barricadecyber.com to check it out and sign up. I'm going to. Dude, it's free to register. So you can register and then if you can't make it, it's fine. But at least it's on your schedule really quickly. We have a submission in chat right now. Oh, guys, it is a Tidbits Tuesday where I share a little bit about myself. Now who is this DJ B Sec, of course, the dj. He has provided two different options for. Don't you forget about me. I. I don't know what this is. This could be a Rick roll. But let's hear it. Let's see what he's got for us today. He's got a couple options. Ninja Sex Party. What? Let's try first to 11. Here we go. All right, it's a little. It's a little aggressive. All right, we'll give it a shot. So Ladies and gentlemen, this is first to eleven. Don't you forget about me. I don't know. We'll see. All right, hold on. Let's see. I've never heard of ninja sex party. Let's try it. Oh, my God. Hold on now. Hold on. Hey, if you're a first timer here, this is not normal. But ninja sex party, you have my attention.
C
Okay?
A
Okay. The dude abides. All right, all right, all right, guys. Every single day of the week has a special segment. And Tuesdays is Tidbits Tuesday, where I share a little bit about myself. See if we vibe on it really quickly. Here in Charleston, we have an Air Force base that flies DC3s, I think, or DC10s. Josh Mason would know it's the big ones. It's the big ones that look like that. Like the flying pickup trucks, whatever they're called. Anyways, a family member was one of the pilots, and as a gift, she got me one of these. I guess all of the pilots run around with these things, but because they all have the same one, they put their name on the bottom so you know whose is whose. This is like one of my favorite mugs. Unbelievable weight. It can hold half a French press. It's got Charleston and South Carolina stuff on it. Yes, sir. Do you have. Oh, all right. Also, Tidbits Tuesday, James McQuiggin is getting into Battlefield 6. My handle is Jerry Guy. I. I'm pretty sure it's Jerry Guy. I'm like, really? Really? James McQuigen. I'll tell you what, because it's a holiday week, I'm going to take it a little bit easier this week. So maybe we get some. Maybe we get some Battlefield 6 action today. There is a hobbies channel in the Discord server. We can sync on there. So let's do it. Hey, guys, who wants a Battlefield 6 party on Thanksgiving? Let's do it. Dude, I'm loving this song. Hey, really quick. That's the Tidbits Tuesday. I do have something kind of big I want to share with you guys, and I'm kind of asking for some support. I don't do this very often. Hopefully you guys know that I just released this video last night on the channel. This is a produced video. I'm gonna send a link to it if you guys would check it out and share it if you think it adds value. I partner with let's defend. But in this video, I do three things. Number one, I show you how to get SoC analyst experience, like practical, hands on, real experience without having the job. 
I Give you three resume bullets that if you do the first thing I tell you the resume bullets are accurate and then I tell you exactly the the most optimal path to go find a SOC analyst job using the resume bullets I gave you that you got from doing the first part of what I told you in the video. To me it adds. It's an incredibly valuable video in my opinion. It's currently the top performing video on my channel that like which is awesome. So I'm gonna drop a link to that. Please check it out and if you don't want to, that's okay. I don't really ask very often for much, but this is one I'm gonna, I'm gonna go on to. I just dropped it in chat. Trying to buy some time right now. Where's my. All right, Alpha Sierra, let us know if this one's gonna work. Let's go, let's go. How's the la la la la on this one? Give me the la la la la. Let's see. Let's stand la. God. Yes sir. Hell yeah. Hell yeah, man. Also really quickly at Cyber Kavi walked her graduation this weekend at Cyber Kavi. Congratulations, Cyber Kavi. Awesome. And thank you Mod Chat for providing this ninja sex party version. If it doesn't flag the copyright strike, I think we found our new mid roll delicious. Hey guys, I asked for it for Christmas and Mod Chat delivered. If you're a squad member. If you're a squad member, please go into the emo tray if you will for a minute and give some mod. Love that there's an emote for it. Absolutely unbelievable. Thank you. It takes a village and I'm so grateful to have the mod team.
C
Hacklore to tackle security myths. A new initiative called hacklore.org launched to push back against long-standing cybersecurity myths like frequently changing passwords or avoiding all public Wi-Fi. Created by former Yahoo and DNC security chief Bob Lord, the project promotes simple, evidence-based practices like passkeys and MFA, password managers, and keeping software updated. More than 80 cybersecurity experts signed the open letter urging a shift toward practical guidance and support for secure-by-design and secure-by-default approaches.
A
All right, hold on. I'm sorry. Myths. Myths. Having multi factor authentication is a myth. What are we talking about here? James McQuiggin, 35 months. Blue Badge, almost three years. The mods are awesome. We aren't here without your continued support and this amazing community. Guys. 100 true. 100 true. And James of course with the 10 gifted subs. Thank you, James. Guys, I am, I gotta tell you, like, bonus tidbits Tuesday. Right now I am like frothing at the mouth to play Battlefield 6 with a. With a squad members. Oh, it's gonna be good. We're gonna have to get on a group chat. All right, dude. Hacklore.org includes the launch of a website and a letter signed by more more than 80 cyber pros. Buddy, send it to me. I'll sign it too. Are you kidding me? Like, who doesn't think that multifactor authentication is a good idea? The. The goal is to help everyday people and small orgs fa. Okay, guys. Yes. Like, Okay, so I will say there are a lot of myths. This is true. So guys, here's some myths. Number one, never scanning QR codes. Yes, QR codes can be weaponized, but it doesn't happen this often. Marcus Kyler. James McQuiggin just reminded me I didn't post this yesterday. Best community ever, 35 months. Thank you very much, Marcus Kyler. It's always nice to have you here. Here, let me. I might have a squad. Do I have one of the. No. Oh, here's another myth that should not be promoted. Never charging devices from public USB ports. Guys, this has become so dominant a myth that's busted that anytime someone. You know, Caitlyn Syrian, the cyber security girl, I think she. She's, you know, She. When she posts advice to not charge a public USB ports. Look at the comments on that one. People lose their mind. This. This is definitely one of those polarizing security tips that people in our community get crazy about. Regularly deleting cookies. I mean, that's not necessarily a myth. I mean, it's not a bad idea. It does screw you over because it makes your experience worse. 
But as Nick Escoli from Flair mentioned it simply cyber firesides last Thursday in 2026. Cookies and session tokens are going to be so hot in 2026 that Hansel. So hot right now. Okay, so hacklore.org let's check this website out. Okay. What is this? I will tell you, this is pretty cool. Listen, if you are. Hey, squad member, 37 months. Haircut fish. Let's go. Simply cyber community. Guys, hey, listen, we've. We do get this from time to time and people mention it wanting to help out in their community, wanting to volunteer, wanting to educate end users. Guys, this is a ground zero resource that's free to help support that. Go check this out. I would. I would seriously bookmark this. Now. You can't send these resources like you don't Send this website to your aunt Dorothea and say, oh hey, read this and make yourself better. This is an opportunity for you to get educated and get like dialed in on how you're going to help your aunt Dorotheas of the world. Yeah, I mean there's just a bunch of resources here. They talk about VPNs for sure. I don't know. I like Proton VPN personally. It's some good advice for me guys. The things that I would tell my hey, thanks for the squad membership. The things that I would tell my aunt Dorotheas of the world is multi factor authentication. All the things like they can non tech end users can wrap their head around mfa. A lot of services require MFA at this point, so people have normalized it so it's easy to get that adoption. Password vaults I think are amazing, but they're very difficult to get onboarded to, especially for non tech users.
C
AI agents hunt deep bugs. Amazon announced it's developed an internal system called Autonomous Threat Analysis, or ATA, to help its security teams proactively detect vulnerabilities across its platforms. ATA uses specialized AI agents to identify weaknesses, perform variant analysis to find similar flaws, and propose remediations before attackers can exploit them. The system comes from an internal hackathon and is now part of Amazon's effort to manage the growing complexity of software security.
A
Oh, we got a first timer in chat. What's up? Mad Max AI. Mad Max AI, squad members, you know what to do. Welcome to the party at Mad Max. All right. Amazon's using AI agents for deep bug hunting. Yep. Yeah, as excited as I am about playing Battlefield 6 with squad members. Don't, please don't talk to me about what my thoughts on AI and where we're going. Let's see. Yes, AI is doing all sorts of speed debug hunting, writing secure code, finding vulnerabilities, making exploits. Let's see what else they've done here. I mean, dude, this is a great use case for AI. Frankly, there's so much software out there, it's very difficult. I mean, we just talked a little bit a minute ago about this Fluent Bit open source tool that's been around for years with bugs that have been, you know, trivial to exploit, that cause massive problems, bypass auth, remote code execution, that have been there for years and people haven't discovered them. Except a threat actor recently discovered it. Right. So AI is a great use case for finding these type of vulnerabilities. Also, don't be, don't be naive, don't be a spring chicken or spring child, don't be green. Threat actors are using the same capabilities to find bugs. Okay, so it's a, it's an arms race essentially between, you know, good and bad to uncover these things and then fix them. I don't think there's any really action for you here. If anything, as a cyber practitioner, what I take out of this is that if I have tech I should be thinking about using or if I write software at my company, if my company writes software, I should be trying to use AI agents to help uncover bugs. If I'm a threat actor, I'm thinking about using this. But seriously, if you're a pen tester, red teamer, this could be really nice for you to level up your capabilities and, you know, be faster, find bigger bugs and stuff like that. If you're doing Pwn2Own or bug bounty type things, definitely an opportunity there. The TL;DR is that AI is a very powerful tool.
C
ShadowRay 2.0 turns AI clusters into crypto botnets. ShadowRay 2.0 is hijacking exposed Ray clusters to run a self-propagating crypto mining and data theft botnet. Researchers say that the group IronErn440 is abusing Ray's disputed RCE flaw to seize AI infrastructure, steal models and credentials, and spread autonomously across some 230,000 exposed environments. After GitLab shut down their C2, the attackers shifted to GitHub and started targeting large GPU clusters. Without a formal patch, misconfigured Ray deployments can be easy targets.
A
Hey, you know what, again, I'm not promoting cybercrime, but whoever the threat actor is behind this, well done, sir. I mean, this is clever. So AI, you know, obviously AI uses a ton of power. The fact that it's AI is irrelevant. I mean, this could have been like, you know, graphics, you know, GPU clusters, whatever. But basically some threat actor discovered a vulnerability in ShadowRay which, you know, runs on top of these large, large supercomputers and he basically exploited it to do crypto mining. It's also self-propagating. So it's a, it's more of a worm-style bug. I mean, a worm-style malware, and I mean, the data theft is just extra. I don't even know why they're bothering with that; they're crypto mining. Now, of course, with the crypto miner it's got to go to some wallet and they'll be able to track that. So that's interesting, but dude, cloud-based infrastructure that is exploitable is going to get exploited. See, dude, like think about how like this crypto miner I would. I actually am kind of curious to see if we can. Jay Crypto, is the wallet. Is there any way we can find the wallet that's being fed in by this crypto miner? Because I would love to see how much they're making, if they're making anything, because that's, you know, really where the rubber hits the road. But dude, these AI, these large AI models are massive power sinks to the point where I don't know if you guys have been noticing, but like they're turning nuclear power plants back on. Like, I think Three Mile Island's about to get reactivated and basically there's going to be data center, nuclear plant, and then re, you know, AI humans in a bunker underneath the nuclear plant. Like, that's the future kind of rollout. Yeah, I mean, I don't know what to say here. I mean, if you're running ShadowRay in your environment, you should probably patch it. I can't imagine there's too many people running it. All right, let's do DJ B Sec's EPSS tool. Since we did Barricade's earlier and we'll have to.
It's spinning up Docker. We'll have to come back to this. All right. Oh, Elliot Matice is saying that there's a company making mini nuclear reactors. All right, so the way this attack works, it comes in two waves. They use GitLab for their C2 infrastructure hosting the malware payloads. Okay, which makes sense. They're using AI to generate the recon payloads. XMRig miners. XMRig miners are really well-known miners. Like, I've seen XMRig for a while, like years, and they're deliberately making sure that they're not using all the CPU resources in order to hide. Right. If you have a machine that's pegging out at 100%, it's going to be sluggish. You're going to see it, it's going to call your attention to the problem. All right, hold on. DJ B Sec. I don't even know what are we doing here? DJ B Sec. Why am I getting different results from you? All right, so that, oh my God. Oh, why is mine. So DJ B says 2023. The CVE from 2023, but the one that I'm pulling up is 2025. Let me see. 4, 8, 0 CVE 2023. So this is actually a two-year-old bug. That's very interesting. Like why would you be running. Why would you be running, like, would you not patch it? Ah, you gotta patch it. So check it out again. This is a, this is a, what do they call it? A bumper crop, a, a banner year for EPSS today. This vulnerability, the ShadowRay one that threat actors are leveraging to get crypto miners going whole hog. 91 percentile. Like you're basically guaranteed to get exploited if you're running this. So number one, fix it. As far as how bad is it? We don't see this. This is in the 99.65 percentile. This is almost the worst vulnerability in the entire EPSS database. And then 9.8 out of 10, like, please bump that. As I mentioned earlier in the show, this is a 10 out of 10. This is actively being exploited. So if you're running ShadowRay, if you're involved with AI infrastructure, I know many of us are doing AI stuff but this is a very specific type of environment.
You know, running AI at scale in Kubernetes, you probably are popped. Okay, or you're going to be in the next 30 days.
C
Real estate intrusion concerns big banks. Real estate finance services firm SitusAMC reported a cyber intrusion earlier this month that exposed confidential client data, including accounting records and legal agreements. The FBI says it's investigating. The company has notified potentially affected customers, which may include major banks like Citi, JPMorgan Chase and Morgan Stanley. No ransomware was involved. SitusAMC has since added security measures like resetting credentials, disabling remote access, updating firewalls and monitoring systems while processing the full scope of the breach.
A
Okay, so a couple things here. This real estate company, obviously they're big, they have big banks as customers. Threat actor got in there, did data exfil. Nick Escoli from Flair came on last Thursday, as I mentioned a couple times already in the show, to Simply Cyber Firesides, and he was talking about threat actors and looking at 2025, 2026. Guys, for multiple reasons, ransomware threat actors are not. Many of them are not, I shouldn't say many. There is a good faction of them that are not encrypting your data. Number one, there's like what is, what am I trying to say here? Businesses have backups really well figured out at this point. Businesses have tech that can detect when files are being encrypted en masse and intervene. So like the ransomware encryption payload, I'm not saying that they aren't doing it, but there's a lot of. We've had seven, eight years to learn from it and threat actors are realizing that. So they're just exfilling data en masse and then putting it on their extortion site. This is another example of that. Obviously this is bad news for the bank, but what else did they say here? Oh, I do find it funny that they. They say all the words that sound really, really smart. But for me, I mean, I'm sure they did these things, but for me and you, like, you know, it's like, yeah, they said, oh, after finding out about it, we updated firewalls and turned off remote access and. Or disabled remote access and changed passwords. It's like, yeah, okay, like these are standard things. This is like updated firewalls. Okay, so it sounds like they're doing a whole bunch of stuff, but just goes to show you, man, anyone can get popped. It's all about vigilance. It's all about resiliency. But with major banks, I guess the thing is, what kind of data did they have? Accounting records and legal agreements were stolen. I mean, that doesn't compromise the banks, right? It's not like they're getting in and stealing money from the banks. All right, let's go.
We are at 9am Exactly. Someone call Nick Barker and let him know we're crushing it. All right, y', all. We did it. We did the thing. We just crushed an hour of Simply Cyber's daily cyber threat brief podcast episode 1012. Now don't go anywhere because we're doing Jawjacking. Jawjacking is a 30 minute AMA show on Tuesdays. Eric Taylor from Barricade Cyber Solutions runs the ama. What is this? Okay, cool. He runs the ama. I hope you got value. Congratulations, John, on the promotion and managing director. That's amazing. James McQuiggin will get our Battlefield 6 on. If you would like to play Battlefield 6 with us, like in a clan, I think is the right term. Holler at us in the Discord server. We'll be screwing around. We'll be back tomorrow. Wait, hold on. Really quick. Let me, let me see if we have a show today. What's today? Tuesday. Simply Offensive. Yes, we do. All right, so check it out really quickly at 9:30am so you got 9930 jawjacking with Eric and then at 9:30am, Phil, Philip Wiley's taking us on a bit of a an adventure here as we talk with an offensive security professional about AI versus Pen testers. Guys, man versus machine. John Henry Challenge. AI versus pen testers. You'll definitely want to hear this conversation. I'm gonna give it a like right now. And as I mentioned earlier, if you could do me a solid. I don't. I don't typically ask. I don't typically ask, but if you could do a solid, check out this video. I think it has a lot of value. Obviously, it's a sponsored video, but I do think it has a lot of value. I. Anytime I do a sponsored video, I try to put extra into it because, you know. Bro, what the hell? What is this, Reddit? Wink. All right, all right, guys. Thank you so very much. I'm Jerry from Simply Cyber. Don't go anywhere, because we're going Jawjacking. Ever wonder what it takes to break into cyber security? 
Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered, and totally free. Let's level up together. It's time for some jawjacking.
B
It would help if I had the right microphone over here. Good morning, good afternoon, good evening. How is everybody doing? If for some reason my chat is not showing. Chat is not showing in restream. I don't know if that's a me issue. Let's see if I push it. Okay. It will show there. All right. Let me log into YouTube while we're doing this. If you don't know who I am, my name is Eric Taylor. As Dr. Joe Dozer said, I am the few friends that can operate here over here at Barricade Cyber. That is very weird that the chat is not showing up. So unfortunately, I will not be able to highlight anything, but as soon as my chat window shows up in YouTube, I don't know. Something's been going funky with my workstation lately, but, like, can I even send a message in chat? I cannot. I wonder if it's a permissions issue. It shouldn't be, because I think Jerry. So we were having some problems earlier where I couldn't even get in here, and then Jerry had to remove me and add me back. The screenshot he sent over. I am an admin. I. I don't know. There we go. So I'm now seeing the chat in my YouTube feed. The dolphin got the chat. Yep, exactly, Steve Young. But we'll talk about this for a second. No, I'm. I am definitely not hacked. I can promise you that. I do not subscribe to the. The mindset. It's either you have been compromised or you just don't know you've been compromised. I just don't subscribe to that mentality. I am very uber, uber paranoid. So I'll post in as myself. So there's something That a new term called Click Fix is then our Jack Fix has been. Been coined. Let's see. Can I bring this up on screen without doing a whole bunch of goofiness?
A
Let's see.
B
We'll talk about this window JackFix. All right. Yeah. Once leave me down in the corner. That's cool. So you'll probably hear about this a little bit. This literally just came off into my CTI feed, RSS feed, earlier. Let me blow this up because when I'm looking here, it's definitely a little small. Okay, so new spin on ClickFix. So okay, let's talk about this for one second. You have ClickFix, you have FileFix, which uses the File Explorer. And then there's a couple different variations and they've been calling it ClearFake. A lot of the influencers and AI that are, you know, writing stories about this have been calling this ClearFake. And it's been around a while to the point where they are. It's starting to become a coined term. So. Not 8k homework folder. I don't understand J I and Michael. I don't understand that. But now it's being called ClearFake as part of all of that. So. So this story is a new spin on the ClickFix which is going after mostly Spotify and Cloudflare to make you do the execution. I haven't had a chance to really dig into this, but the JackFix phishing lure. This is a traditional ClickFix attacks victims are presented with a new kind of fake technical issue. The this does not give context to the task they are they have to fulfill. Copying pasting code they don't understand, but necessarily getting the heart rate blah blah blah through malvertising. They soon interact and they hit a Windows blue screen. The screen is fake, but it does a solid job of recreating a critical Windows Update. Ah, this consumes the entire screen and includes both a fake progress bar and the loading animations for dots traveling in a circle. What's the point of that? So downloads URL is. Popular. Info stealers at the end there are ClickFix mitigations that JackFix doesn't address. Okay, so you get a Windows Update screen or a fake Windows Update screen. Unless it's like dropping malware in the back end of it. Oh, that's just a bug report. Yeah.
All right, now let's see. Is there anything else on my in my RSS feed worth talking about? AI and deep fake powered fraud skyrockets. Okay, This might be political again. You know, much like the daily site the. The show, you know I don't do any research on a lot of this stuff but you know, mounting cyber threats prompt calls for economic security. Bill. Okay, so this is in the uk. All right, whatever though there is. Oh, oh, oh. There is a. Something I seen this morning. Hold on a second. This is really, really cool. I saw this come across. I'll put this in Ch. So Rhode Island College is building out a cyber range for their students. This is a great bridge between learning from books and learning more core concepts of IT and cyber, but then actually putting them into practice. This is exactly what we need, ladies and gentlemen. This is exactly what we need. You know, putting real world situations up in, you know, at play here. So you know, definitely look at this. Yeah. Woo. Live threat feed which is that looks like Mandiant life threat feed page. One of the monitors range. All right, whatever. So it'd be cool to see. All right. Because again I'm not able to. I'm gonna pivot over to Mod chat and see there's any questions over there. Bear with me one second because for some reason I don't know why I can't see chat. All right, scroll down. All right, I'm not seeing any questions. Oh, djs b6 tool. That looks like it may be an update epss in show dance cve lookup. Interesting. I don't know if dj b sec had shodan in his original epss tool. Interesting. So can't believe says no questions yet. Okay, Let me actually take my screen off. No, there's no way for Ms. CI. There's no way for me to pin that article. I just post it in chat as myself again because I can't open up chat in restream, I don't know. And maybe some of the new security field. 
So we are going through level two of cmmc and when you're going through a lot of these higher end security frameworks, you can do one of two things. You can either create an enclave of, you know, a separate environment and put that under the scrutiny or you can just make your entire organization that way. So I have gone through the painful distinction to say, you know what, we're just all going to be that way. That way I don't have to worry about, about am I in an enclave in my, in protected space. Everything is just protected space. So. And there's a lot of stuff that's going on in the, in our industry right now. But Misty, I. If there's a, if there is a link that I'm missing or I have not put in chat Let me know. Another dreary day here in the Tri State from Count Luca La Luke, you have some crazy names. You know what? This actually reminds me of a question. When did YouTube start putting freaking numbers after our name? It's like YouTube became Discord for some reason. I don't understand that. I really need to spend some time to figure out how do I fix that because I really don't like the numbers behind my name. I don't get it. It's really stupid to me. Well, here, let me for the sake. This one is dark. The dark reading for the Jack fix. This one looks like it's going to be whatever this is the UK Bill Prompting for economic security Mounting cyber threats Prompt for calls for economic security bill and this third one is for the cyber ranges in Rhode island college. Sorry, Eric, 8k homework folder is keyword for hap Happy time some malicious links activated messing up your YouTube chat. Oh yeah, sure. Y' all are very quiet today. Question do you have a webinar, Eric, or did I miss it? We do have we had one that was supposed to happen last week for the Fortify365 and I am past due on our podcast. 
We have a web the last week's webinar Fortify is scheduled for tomorrow Wednesday at 1pm and I'm going to be trying to get pick up the brutally honest podcast again next week. A little bit of work situations, but a lot of family situations going on right now. So it's been been trying to focus on some other stuff at the moment. So sorry. Last week I had to push off the Fortify because we were on a status update call with about 13 people and I knew that call was going to run long. It's one of those engagements where everybody kind of talks a lot. So I was like, yep, this call is going to butt up right up against the webinar. These guys are going to talk a while and it's going, you know, we're going to miss the webinar. So unfortunately I had to ping Kimberly last minute. Like we just need to reschedule. FedEx. I'm still trying to wake up. It's too early. FedEx, you're on the East coast, right? And it's 9:18am Right now. Wake up. If you go to go, I see multiple people talking about it. But if you literally go to webinars, I think.barricade cyber.com I believe it's plural. Yep. So webinars.barricadecyber.com Let me put this in chat. You'll see the ransomware, you'll see the Fortify. I probably need to do a podcast.barricadecyber.com so that way that will go to really Honest. I don't know. Is there. Kimberly may already have this. Hear that it's going to be. We also are launching our new site as well. And we got phase two done. And if I understand it correctly, There's. We're gonna have a. I think services are gonna be split out. It's gonna be like resources or something. And then the webinar links and the podcast and all that are gonna be there. So that'd be a good easy place to, you know, be able to view everything. So, You know, got our Personas built out here. You know, you could. I'm really happy about the new Fortify 365 website really does a lot of great explanations and the old one did not do. So. I know the. The firm that's doing ours, our overhaul, the Steven. 
And I forget his last name off the top of my head, but he used to work at Sans and there's several Sans folks that are helping put this thing together and really overhaul this thing. And Kimberly and Lisa have pretty much been the point people working with them on design because, you know, I've learned a long time ago I need to stay out of design. So, you know, I kind of. I got to go through and proofread it, but I think Kimberly's been doing an awesome job just going through it. So it's been one massive task that's been taken off of my plate. So I can't be happier. So a lot of the credit goes to, you know, Kimberly and Lisa with Barricade working with Steven and the team over there to get, you know, the site up and running. So could be happier. Let's see. Well, guys, if you guys are. I mean, I know the viewership has dropped down to 171, but I don't remember how many viewers were here when this. When we picked up Jawjacking. But maybe it's just a slow week for four questions. People are geared up for Turkey Day. That reminds me, I forgot to ask my question. I'll make sure to do that next time. What is everybody saying? FedEx looks says the website looks sick. Thank you. Appreciate your time. Regardless. Yeah, man. Stephen Hart. That's his last name. For some reason I keep forgetting his last name. But yeah, he's doing the heavy lift. Kim, I. You are right there with them. Yeah, I mean, they're doing the design but you're keeping them straight and you know really going through everything, you know with a fine tooth comb. So. Carrie, Jason says I will have the brisket in the oven soon. Heck yeah. I have never had brisket in the oven cuz to me that kind of defeats the purpose. The concept the same though you still have the stall, you still have to wrap it. It's just, it just won't have that smoke which is fine. 
I know there's some YouTube people that now that you say that I remember seeing some videos where in the oven they would put like a aluminum foil filled with some water and then another aluminum foil put some wood chips that may been marinated in some stuff to help put that smoke flavor in there. So foreign from the crow risk real Chris Young do you get time off over the holiday weekend or are you on call even on Thanksgiving? Chris Yes I AM on call 247365 because cyber incidents never ever stop. And you know as I stated before the holidays are here and this is when they're going to ramp up.
A
So.
B
I'm crashing your Thanksgiving. Eric from Misty Died there's really nothing special going on. I'm not even smoking a turkey this year. We're doing a real, real low key this year. Question from Jem Michael: CMMC Level 2, what's that all entail with controls and permissions? It's 187 controls if I remember correctly and a lot, a lot, a lot of documentation. And then you got to, you go through what's called self assertation. You have your supporting documentation. Then you go through a C3APO C3AP I'm always butchering it but there's an independent auditor that comes and verifies everything that you do. Question from FedEx: how's the 3D print project going? You know, my 3D printer is goofed up, so I've got the Anycubic Cobra 3, I think it's called, and there's some filament that's stuck in the injector and I got to figure out a way. All the guides I've been looking at do not are not applicable to my printer. And when I take the cover off and I take the the warmer nozzle and all that stuff, whatever it's called, you know, I can see in the the clear case that there is fill white filament in there and that's what the printer is complaining about. But you know, kind of going through that process of get that fixed because I need to finish printing my shelves. They're just sitting here on my desk.
So we are coming up to the bottom of the hour, so it is time for the Simply Offensive podcast. Yeah. Yeah. All right. So just stick around. We will end this show and the YouTubes will automatically pump you over to the the next podcast. And if I don't talk to y' all before, Sorry, I'm a little off. I feel a little off. I feel a little off today. But if I don't talk to y' all beforehand, y' all have a very safe and happy Thanksgiving. Hopefully y' all eat a bunch of turkey and stuffing and cranberry and whatever your favorites are. Safe travels out there. I know roads are hectic. I know flights are still problematic even though the government's back up. So I wish everybody happy and safe travel times and being able to enjoy some family time. So with that, y' all take yourself and stay curious, my friends.
A
Hey everybody. I hope you enjoyed that content. Keep the cyber security train going by connecting with the other Simply Cyber community resources. We have the Discord server that's lively and always keeps the conversation going. You can connect with me directly on LinkedIn and also every single weekday morning on the Simply Cyber channel. We're doing live daily cyber threat briefings 8am Eastern time, as well as Thursday at 4:30pm we're doing live stream interviews with industry experts and we produce videos that we push out every Wednesday morning. I'm Jerry from Simply Cyber. I hope you enjoyed the content and we'll see you in the next one.
Date: November 25, 2025
Host: Dr. Gerald Auger (“Jerry”), Simply Cyber Media Group
Special Segment: Tidbits Tuesday
Co-Host (Jawjacking): Eric Taylor, Barricade Cyber Solutions
This episode delivers the top cybersecurity news stories relevant to practitioners, GRC professionals, and business leaders. Jerry, with his characteristic humor and expert perspective, not only breaks down the technical details but also highlights practical actions and career guidance. The episode features insights on major vulnerabilities, impactful breaches, threat actor trends—including hacktivism and the abuse of AI infrastructure—and new community resources.
[09:01]
“If you're running Oracle Identity Manager, you absolutely have to patch it.” – Jerry [09:54]
“If you work in GRC, you know damn well a 98 means really bad but not exploited. 10 out of 10 means active exploitation, which this one absolutely is.” – Jerry [14:54]
[17:06]
“Nothing quite fits under the tree like identity theft protection... Bundle it up, put a bow on it.” – Jerry [18:22]
[18:51]
“Cyber is a complement to kinetic attacks—not a replacement. This is just another example of that.” – Jerry [24:00]
[26:15]
“Don’t sleep on bug hunting in open source—‘no reason to look here’ is how 8-year-old bugs persist.” – Jerry [30:12]
[41:37]
“This is a ground zero resource that’s free to support those wanting to educate end users. Bookmark it.” – Jerry [44:00]
[46:59]
“If I write software, I should be trying to use AI agents to help uncover bugs. If I’m a threat actor, I’m definitely thinking about it too.” – Jerry [47:35]
[50:14]
[56:46]
“Anyone can get popped. It’s all about vigilance and resiliency.” – Jerry [57:30]
“Terror attacks are the same thing as signs of patriotism, depending on your perspective.” – Jerry [25:08]
[36:54]
[62:57+]
An episode marked by urgent patching needs (Oracle Identity Manager, Fluent Bit), ongoing threats from both hacktivists and profit-driven cybercriminals, and growing synergy between cyber and kinetic warfare. The emergence of powerful AI—used both for defense and offense—underlines the escalating security arms race. Jerry’s signature blend of clear advice, risk awareness, and community celebration makes for a lively, actionable daily briefing.
For more news, resources, and community connection, visit:
Simply Cyber: https://simplycyber.io
Discord & Socials: https://simplycyber.io/socials