Daily Cyber Threat Brief – Ep 1013
Date: November 25, 2025
Host: Dr. Gerald Auger (“Jerry”), Simply Cyber Media Group
Special Segment: Tidbits Tuesday
Co-Host (Jawjacking): Eric Taylor, Barricade Cyber Solutions
Episode Overview
This episode delivers the top cybersecurity news stories relevant to practitioners, GRC professionals, and business leaders. Jerry, with his characteristic humor and expert perspective, not only breaks down the technical details but also highlights practical actions and career guidance. The episode features insights on major vulnerabilities, impactful breaches, threat actor trends—including hacktivism and the abuse of AI infrastructure—and new community resources.
Key Discussion Points & Takeaways
1. Oracle Identity Manager Zero-Day – Immediate Patch Required
[09:01]
- Context: CISA orders federal agencies to patch a critical vulnerability (OIM zero-day) by Dec 12.
- Technical Impact: Allows unauthenticated attackers to take over OIM with a single HTTP request (trivial exploitation).
- Evidence of Risk: Attacks seen in the wild before patch release; exploitation called "trivial" by researchers.
- Urgency:
“If you're running Oracle Identity Manager, you absolutely have to patch it.” – Jerry [09:54]
- Actionable Advice:
- Patch OIM immediately per CISA guidance.
- Engage your IAM/IT teams if you’re in a larger org; Team Solo folks likely not affected.
- Threat hunt for signs of compromise from before the patch was applied; indicators of compromise are available from the SANS Internet Storm Center.
- EPSS data: 71% chance of exploitation in the next 30 days; “This is all sorts of bad.”
- Actively exploited = 10/10 urgency.
- Memorable Quote:
“If you work in GRC, you know damn well a 9.8 means really bad but not exploited. 10 out of 10 means active exploitation, which this one absolutely is.” – Jerry [14:54]
2. Delta Dental of Virginia Data Breach
[17:06]
- Incident: Compromised email account exposes data of ~146,000 individuals (SSNs, IDs, PHI).
- Discovery: April 23; exposed emails dating back to March 21.
- Response: Offering identity protection, though “no evidence of misuse.”
- Tone:
“Nothing quite fits under the tree like identity theft protection... Bundle it up, put a bow on it.” – Jerry [18:22]
- Practical Note: Highlights the frequency and uniformity of such health/insurance sector breaches.
3. Ukrainian Cyber Alliance Disrupts Pro-Russian Postal Service
[18:51]
- Event: Cyberattack wipes 1,000+ workstations and VMs, plus terabytes of data, at Donbas Post (Russian-occupied eastern Ukraine).
- Coincidence: Attack aligned with drone strike on energy infrastructure; speculation of coordination.
- Analytical Insight:
“Cyber is a complement to kinetic attacks—not a replacement. This is just another example of that.” – Jerry [24:00]
- GRC Lesson:
- Review threat modeling—recognize hacktivism as a viable, increasingly destructive threat actor class.
- Understand that the threat landscape extends beyond financial and nation-state actors.
4. Fluent Bit Vulnerabilities – Cloud & K8s Exposure
[26:15]
- Discovered: Five long-standing bugs in Fluent Bit, found by Oligo researchers.
- Impact: Path traversal, RCE, auth bypass, DoS; some bugs are 8+ years old, affecting the log collector that runs on all major clouds and on Kubernetes nodes.
- Action:
- If you control deployments: Patch to 4.1.1/4.0.12 promptly.
- If cloud-hosted: “You’re a passenger on the train”—cloud/SaaS vendors must patch.
- Supply Chain Reminder:
“Don’t sleep on bug hunting in open source—‘no reason to look here’ is how 8-year-old bugs persist.” – Jerry [30:12]
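For those who do control their own deployments, a quick inventory check is the first step. The following is an added example (not from the episode or the Fluent Bit project): it walks parsed `kubectl get pods -A -o json` output, picks out Fluent Bit containers by image name, and flags any tag below the fixed versions named above (4.0.12 on the 4.0 line, 4.1.1 on the 4.1 line). Tags that are not a version (`latest`, digest pins) are flagged for manual verification; the rule that 4.2+ lines carry the fix and 3.x lines do not is an assumption, and the pod data is constructed.

```python
import re

# Fixed versions named in the episode: 4.1.1 on the 4.1 line, 4.0.12 on the 4.0 line.
FIXED_BY_LINE = {(4, 0): (4, 0, 12), (4, 1): (4, 1, 1)}

def parse_version(tag):
    # Accepts tags like "4.0.10" or "v4.1.1"; returns (major, minor, patch) or None.
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None

def is_fixed(version):
    if version[:2] in FIXED_BY_LINE:
        return version >= FIXED_BY_LINE[version[:2]]
    # Assumption: later lines (4.2+) carry the fixes; older lines (3.x and below) do not.
    return version > (4, 1, 1)

def split_image(image):
    # "registry/repo:tag" -> (repo, tag); digest-pinned images return tag None.
    if "@" in image:
        return image.split("@", 1)[0], None
    repo, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:  # untagged image, or the colon was a registry port
        return image, "latest"
    return repo, tag

def find_vulnerable_fluent_bit(pods_json):
    # Takes parsed `kubectl get pods -A -o json`; returns (namespace, pod, image, reason).
    findings = []
    for pod in pods_json.get("items", []):
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        for container in pod["spec"].get("containers", []):
            image = container["image"]
            repo, tag = split_image(image)
            if "fluent-bit" not in repo.rsplit("/", 1)[-1]:
                continue
            version = parse_version(tag) if tag else None
            if version is None:
                findings.append((ns, name, image, "tag is not a version; verify manually"))
            elif not is_fixed(version):
                findings.append((ns, name, image, "below fixed version; patch"))
    return findings
# Constructed sample standing in for real `kubectl get pods -A -o json` output.
def make_pod(ns, name, image):
    return {"metadata": {"namespace": ns, "name": name}, "spec": {"containers": [{"image": image}]}}
SAMPLE_PODS = {"items": [
    make_pod("logging", "fluent-bit-7x2kq", "cr.fluentbit.io/fluent/fluent-bit:4.0.10"),
    make_pod("logging", "fluent-bit-p9m3d", "cr.fluentbit.io/fluent/fluent-bit:4.0.12"),
    make_pod("kube-system", "fluent-bit-zz81a", "fluent/fluent-bit:latest"),
    make_pod("web", "nginx-1", "nginx:1.27"),
]}
```

Against real cluster data, feed `json.load(...)` of the kubectl output to `find_vulnerable_fluent_bit`; the sample flags the 4.0.10 pod and the `latest` pod and leaves 4.0.12 alone.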
5. Hacklore.org – Debunking Cybersecurity Myths
[41:37]
- New Project: Led by Bob Lord (ex-Yahoo/DNC), supported by 80+ cyber experts.
- Purpose: Replace outdated, unsupported security truisms (e.g., forced frequent password changes, public Wi-Fi panic) with evidence-based, practical advice.
- Resource Value:
- Use Hacklore.org to educate yourself and assist family/friends/community.
“This is a ground zero resource that’s free to support those wanting to educate end users. Bookmark it.” – Jerry [44:00]
- Practical Tips:
- Focus on MFA, passkeys, up-to-date software.
- Password vault onboarding remains a user adoption hurdle.
6. Amazon’s AI-Driven Security Agent System
[46:59]
- Announcement: Amazon deploys Autonomous Threat Analysis (ATA), AI agents that hunt for vulnerabilities, perform variant analysis, and suggest remediations across Amazon infrastructure.
- Security Arms Race:
“If I write software, I should be trying to use AI agents to help uncover bugs. If I’m a threat actor, I’m definitely thinking about it too.” – Jerry [47:35]
- Industry Takeaway:
- “The TLDR is that AI is a very powerful tool, and both sides (defend/attack) are racing.”
7. ShadowRay 2.0 Botnet – AI Clusters Mining Crypto
[50:14]
- Incident: Exploitation of unpatched Ray clusters; self-propagating botnet mines crypto, steals models/credentials, hits over 230k exposed environments.
- Trend Highlight:
- “Cloud-based infrastructure that is exploitable is going to get exploited.”
- Attackers use GitHub/GitLab for C2; the bot throttles its resource usage to avoid detection.
- Mitigation:
- Patch your cloud/AI orchestration environments—and threat hunt for persistent compromise.
- CVE involved is two years old, underscoring patch urgency.
8. Real Estate Data Breach Involving Major Banks
[56:46]
- Breach: Citus AMC exposes banking client data (confidential accounting records, contracts).
- Trend: No ransomware—just classic data exfiltration and extortion (increasingly common as ransomware mitigations improve).
“Anyone can get popped. It’s all about vigilance and resiliency.” – Jerry [57:30]
Notable Quotes & Moments
- “This field is collaborative in nature... you can think of the Simply Cyber community as your extended workforce. You don’t have to do it alone.” – Jerry [07:05]
- On Hacktivism:
“Terror attacks are the same thing as signs of patriotism, depending on your perspective.” – Jerry [25:08]
- Career Celebrations:
- Tony NBA gets a risk analyst job—community outpouring of support and “wrecking ball” emotes [15:00].
- John V. promoted—“Who knew Tuesday was going to be promotion and new job central?” [30:12]
Tidbits Tuesday & Community Notes
[36:54]
- Jerry shows off prized Air Force mug, shares Battlefield 6 gaming plans with the community, and promotes a new video on breaking into SOC careers.
- Resource plug: Let’s Defend platform video for SOC analyst résumé and interview strategy [38:00].
- Community Meetups: Announced local Simply Cyber meetup (Leesburg, VA), with encouragement to connect via Discord.
JAWJACKING (AMA Segment with Eric Taylor, Barricade Cyber)
[62:57+]
- ClickFix/ClearFake Malware Trend:
- New ClearFake phishing technique poses as Windows Update screens; uses malvertising and fake UIs to trick users.
- Cyber Ranges in Education:
- Rhode Island College is building a cyber range, a strong bridge between classroom learning and hands-on practical skills.
- CMMC Level 2 Q&A:
- “187 controls... lots of documentation, self-attestation, then an independent audit.”
- Holiday Note:
- “I am on call 24/7/365 because cyber incidents never, ever stop. And the holidays are when they ramp up.” – Eric Taylor [84:40]
- Final thanks to sponsors, mod team, and community for ongoing support.
Timestamps for Key Segments
- [09:01] – Oracle Identity Manager zero-day breakdown
- [17:06] – Delta Dental data breach
- [18:51] – Ukrainian Cyber Alliance attack on Donbas Post
- [26:15] – Fluent Bit vulnerabilities in cloud/K8s
- [41:37] – Hacklore.org launches: debunking security myths
- [46:59] – Amazon’s ATA AI bug-hunting system
- [50:14] – ShadowRay botnet abuses AI infrastructure
- [56:46] – Real estate firm breach affecting major banks
- [36:54, 38:00] – Tidbits Tuesday & SOC career resources
- [62:57+] – Jawjacking: phishing trends, CMMC, Cyber Ranges
Episode Summary
An episode marked by urgent patching needs (Oracle Identity Manager, Fluent Bit), ongoing threats from both hacktivists and profit-driven cybercriminals, and growing synergy between cyber and kinetic warfare. The emergence of powerful AI—used both for defense and offense—underlines the escalating security arms race. Jerry’s signature blend of clear advice, risk awareness, and community celebration makes for a lively, actionable daily briefing.
For more news, resources, and community connection, visit:
Simply Cyber: https://simplycyber.io
Discord & Socials: https://simplycyber.io/socials
