Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
Player FM - Internet Radio Done Right
Checked 4h ago
Added twenty-two weeks ago
Content provided by Daily Security Review. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Daily Security Review or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://ppacc.player.fm/legal.
Similar to Daily Security Review
Welcome to the Security Weekly Podcast Network, your all-in-one source for the latest in cybersecurity! This feed features a diverse lineup of shows, including Application Security Weekly, Business Security Weekly, Paul's Security Weekly, Enterprise Security Weekly, and Security Weekly News. Whether you're a cybersecurity professional, business leader, or tech enthusiast, we cover all angles of the cybersecurity landscape. Tune in for in-depth panel discussions, expert guest interviews, and ...
…
continue reading
Download This Show is your weekly guide to the world of media, culture, and technology. From social media to gadgets, streaming services to privacy issues. Each week Rae Johnston and guests take a fun, deep dive into how technology is reshaping our lives.
…
continue reading
Python Bytes is a weekly podcast hosted by Michael Kennedy and Brian Okken. The show is a short discussion on the headlines and noteworthy news in the Python, developer, and data science space.
…
continue reading
Africa-focused technology, digital and innovation ecosystem insight and commentary.
…
continue reading
On The Bike Shed, hosts Joël Quenneville and Stephanie Minn discuss development experiences and challenges at thoughtbot with Ruby, Rails, JavaScript, and whatever else is drawing their attention, admiration, or ire this week.
…
continue reading
An open show powered by community LINUX Unplugged takes the best attributes of open collaboration and turns it into a weekly show about Linux.
…
continue reading
1
Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec
Jerry Bell and Andrew Kalat
5k
200
Defensive Security is a weekly information security podcast which reviews recent high profile cyber security breaches, data breaches, malware infections and intrusions to identify lessons that we can learn and apply to the organizations we protect.
…
continue reading
Show notes are at https://stevelitchfield.com/sshow/chat.html
…
continue reading
Tech Life discovers and explains the ways technology is changing our lives, wherever we are in the world. We meet the people with bright ideas for rethinking the way we work, learn and play, and get hands-on with the products they dream up. We hold tech giants to account for their huge power to affect our lives, and ask who wins, and who loses, in the technology transformation. Tech Life is your guide to a future being made, and remade, at lightning speed in front of our eyes.
…
continue reading
Player FM - Podcast App
Go offline with the Player FM app!
Go offline with the Player FM app!
))
Daily Deals
Podcasts Worth a Listen
SPONSORED
A
All About Change
1 Tiffany Yu — Smashing Stereotypes and Building a Disability-Inclusive World 30:23
30:23 
Play Later 
Play Later 
Lists 
Like 
Liked30:23
Play Later
Play Later
Lists
Like
LikedTiffany Yu is the CEO & Founder of Diversability, an award-winning social enterprise to elevate disability pride; the Founder of the Awesome Foundation Disability Chapter, a monthly micro-grant that has awarded $92.5k to 93 disability projects in 11 countries; and the author of The Anti-Ableist Manifesto: Smashing Stereotypes, Forging Change, and Building a Disability-Inclusive World. As a person with visible and invisible disabilities stemming from a car crash, Tiffany has built a career on disability solidarity. Now that she has found success, she works to expand a network of people with disabilities and their allies to decrease stigmas around disability and create opportunities for disabled people in America. Episode Chapters 0:00 Intro 1:26 When do we choose to share our disability stories? 4:12 Jay’s disability story 8:35 Visible and invisible disabilities 13:10 What does an ally to the disability community look like? 16:34 NoBodyIsDisposable and 14(c) 21:26 How does Tiffany’s investment banking background shape her advocacy? 27:47 Goodbye and outro For video episodes, watch on www.youtube.com/@therudermanfamilyfoundation Stay in touch: X: @JayRuderman | @RudermanFdn LinkedIn: Jay Ruderman | Ruderman Family Foundation Instagram: All About Change Podcast | Ruderman Family Foundation To learn more about the podcast, visit https://allaboutchangepodcast.com/…
Tomcat Manager Attacks: 400 IPs in Coordinated Brute-Force Attack
Manage episode 488236924 series 3645080
Content provided by Daily Security Review. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Daily Security Review or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://ppacc.player.fm/legal.
On June 5, 2025, GreyNoise flagged a massive spike in coordinated brute-force login attempts targeting Apache Tomcat Manager interfaces. Nearly 400 unique IP addresses, many traced back to DigitalOcean infrastructure, were involved in a widespread and opportunistic campaign. In this episode, we dissect the attack pattern, what makes Apache Tomcat a recurring target, and why this surge should be treated as an early warning signal—not just random noise.
We go deep into the authentication and configuration weaknesses that attackers exploit and walk through concrete hardening steps every Tomcat admin should implement—starting with strong password hashing (like Argon2id), multi-factor authentication, and locking down management interfaces. We also highlight specific Tomcat security configurations—from Realms and RemoteAddrValve tuning to disabling TRACE, SSLv3, and limiting directory listings.
The discussion also covers essential logging and incident response measures, such as setting up AccessLogValve, conducting regular log analysis, enabling secure session management, and building a living incident response plan. Whether you’re running a public-facing Tomcat server or managing multiple internal environments, this episode offers a focused breakdown of proactive defense strategies to secure against both opportunistic and targeted threats.
Tune in to learn how to defend your systems before they become someone else’s reconnaissance experiment.
200 episodes
ShareManage episode 488236924 series 3645080
Content provided by Daily Security Review. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Daily Security Review or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://ppacc.player.fm/legal.
On June 5, 2025, GreyNoise flagged a massive spike in coordinated brute-force login attempts targeting Apache Tomcat Manager interfaces. Nearly 400 unique IP addresses, many traced back to DigitalOcean infrastructure, were involved in a widespread and opportunistic campaign. In this episode, we dissect the attack pattern, what makes Apache Tomcat a recurring target, and why this surge should be treated as an early warning signal—not just random noise.
We go deep into the authentication and configuration weaknesses that attackers exploit and walk through concrete hardening steps every Tomcat admin should implement—starting with strong password hashing (like Argon2id), multi-factor authentication, and locking down management interfaces. We also highlight specific Tomcat security configurations—from Realms and RemoteAddrValve tuning to disabling TRACE, SSLv3, and limiting directory listings.
The discussion also covers essential logging and incident response measures, such as setting up AccessLogValve, conducting regular log analysis, enabling secure session management, and building a living incident response plan. Whether you’re running a public-facing Tomcat server or managing multiple internal environments, this episode offers a focused breakdown of proactive defense strategies to secure against both opportunistic and targeted threats.
Tune in to learn how to defend your systems before they become someone else’s reconnaissance experiment.
200 episodes
All episodes
×
1 Taiwan Sounds the Alarm: TikTok, WeChat, and the Chinese Data Threat 1:06:28
1:06:28 Play Later Play Later Lists Like Liked1:06:28
Play Later Play Later Lists Like LikedIn this episode, we examine Taiwan’s growing alarm over Chinese mobile applications , especially TikTok and WeChat, in light of rising global concern over data privacy and foreign surveillance. A recent inspection by Taiwan’s National Security Bureau (NSB) revealed that these apps aggressively collect personal data and transmit it to servers located in mainland China—where national laws require that user data be made available to Chinese government authorities upon request. Taiwan’s warning isn’t isolated—it echoes fears expressed by governments across the world, from the United States to India to European regulators, who see apps like TikTok, WeChat, and others as national security risks . At the center of this debate lies the Data Security Law (DSL) of the People’s Republic of China , a sweeping mandate that compels companies to store data within China and hand it over for national intelligence purposes. Taiwan’s NSB highlighted violations such as the unauthorized collection of facial recognition data, contacts, geolocation, and more—actions that could be leveraged for foreign surveillance, espionage, or influence operations. We explore: The mechanics of data collection by TikTok, WeChat, and similar Chinese-developed apps—including how these apps access sensitive personal information far beyond what's needed for their core functionality. How Chinese national laws—especially the DSL, Cybersecurity Law, and National Intelligence Law—enable state access to user data stored by any company operating in or connected to China. Taiwan’s broader national security context , including cyberattacks and espionage targeting its infrastructure, which raise the stakes for data security. Parallel concerns from other nations , including EU investigations into unlawful data transfers, India’s outright bans on hundreds of Chinese apps, and ongoing U.S. debates about TikTok's fate. The potential for foreign influence through content curation , especially via algorithmic targeting of political messages and behavioral profiling enabled by biometric data collection. Regulatory dilemmas facing democracies: how to balance free markets and open technology with the imperative to protect citizens’ data and national infrastructure. Taiwan’s alignment with global trends in confronting China-developed software—not just through advisories but also through technological countermeasures and increased cyber resilience efforts . The episode also covers what average users can do: re-evaluating app permissions, avoiding features with poor transparency, and understanding the geopolitical stakes behind seemingly innocuous mobile platforms.…
1 The Evolution of Atomic macOS Stealer: Backdoors, Keyloggers, and Persistent Threats 45:00
45:00 Play Later Play Later Lists Like Liked45:00
Play Later Play Later Lists Like LikedThis episode exposes the growing menace of Atomic macOS Stealer (AMOS) — a rapidly evolving malware-as-a-service (MaaS) platform targeting macOS users worldwide. Once seen as a simple data stealer, AMOS has matured into a potent, long-term threat featuring keyloggers , a persistent backdoor , and system-level access , all designed to exfiltrate data and maintain control over compromised systems. AMOS now enables threat actors to remotely execute commands, spy on users, and re-infect devices even after reboot , thanks to advanced macOS persistence techniques like LaunchDaemons and hidden binary scripts. Its infection chain relies on social engineering, counterfeit applications, and tampered DMG installers — making even savvy Mac users vulnerable. This episode explores: AMOS's evolution from stealer to full-platform malware with persistent remote access Key features of the latest version, including a keylogger and embedded backdoor capable of running arbitrary commands Real-world attack vectors , such as phishing campaigns, cracked software, poisoned torrents, and fake job ads targeting cryptocurrency holders and freelancers The use of macOS persistence mechanisms (LaunchDaemons, osascript, ScriptMonitor) and Gatekeeper evasion Cross-platform development in GoLang, allowing the malware to operate seamlessly across Mac architectures The global impact , with campaigns spanning over 120 countries and rising infection rates in the U.S., U.K., France, and Canada How AMOS compares to Cthulhu Stealer and North Korea-aligned tools like RustBucket and macOS BeaverTail Practical security steps to detect and mitigate AMOS, including IOC monitoring, digital signature verification, and behavioral endpoint defenses AMOS has rapidly become one of the top three most detected macOS threats , signaling a paradigm shift in Mac-targeted malware. With crypto wallets, browser data, and personal credentials at risk, this episode is essential listening for anyone in cybersecurity, IT, or using Macs in high-risk industries.…
1 CitrixBleed Returns: CVE-2025-5777 and the Exploitation of NetScaler Devices 1:02:21
1:02:21 Play Later Play Later Lists Like Liked1:02:21
Play Later Play Later Lists Like LikedIn this episode, we dissect CitrixBleed 2 —a newly disclosed and actively exploited vulnerability affecting Citrix NetScaler ADC and Gateway appliances. Tracked as CVE-2025-5777 (and possibly also CVE-2025-6543), this critical flaw mirrors the notorious original CitrixBleed by allowing attackers to extract sensitive memory content , including user session tokens , through crafted POST login requests. Despite Citrix’s claims that there’s no active exploitation, threat intelligence reports from security researchers and government agencies like CISA tell a different story: public proof-of-concept exploits are circulating , and attacks have been observed as early as mid-June. The vulnerability stems from a format string misuse involving the snprintf function, allowing memory leakage in small byte increments—enough for determined attackers to reconstruct sensitive data, hijack authenticated sessions, and potentially access administrative utilities. We cover everything from the technical mechanics of the vulnerability to the strategic mitigation steps enterprises must take. Affected systems include NetScaler MPX, VPX, SDX , and NetScaler Gateway , making the scope of risk widespread, especially in large-scale remote access and cloud deployments. In this episode, we unpack: How CVE-2025-5777 works, including the format string flaw and session token exposure Indicators of active exploitation and CISA’s inclusion of related CVEs in its KEV catalog The timeline and evidence suggesting exploitation began weeks before disclosure Why slow patch adoption is increasing risk across industries A guided breakdown of the NetScaler Secure Deployment Guide , covering: Strong authentication, MFA, and password security Role-based access control (RBAC) and session management Secure traffic segmentation, ACL configuration, and TLS hardening App-layer protections like WAF and rewrite policies for cookie security Logging, SNMP configuration, and remote syslog best practices DNSSEC and cryptographic key management How to verify patch status via the NetScaler Console and initiate remediation scans This episode delivers a clear message: Patch now, monitor aggressively, and revisit your NetScaler hardening strategy . With public exploits in circulation and attackers harvesting session tokens, this vulnerability represents a pressing concern for enterprises relying on Citrix infrastructure.…
1 SAP’s July 2025 Patch Day: Critical Flaws, CVE-2025-30012, and Ransomware Risk 1:02:01
1:02:01 Play Later Play Later Lists Like Liked1:02:01
Play Later Play Later Lists Like LikedIn this episode, we break down SAP’s July 2025 Security Patch Day—a high-stakes moment for any enterprise relying on SAP’s core business applications. With 27 new and 4 updated security notes released, including seven rated as critical , this patch cycle directly targets some of the most serious vulnerabilities seen in SAP environments in recent memory. At the center of this month’s update is CVE-2025-30012 , a critical unauthenticated command execution flaw in SAP Supplier Relationship Management (SRM). Initially classified as high priority, this vulnerability has now been escalated to critical status due to its severe impact. Also in the spotlight: a remote code execution bug in SAP S/4HANA and SCM (CVE-2025-42967) , and four insecure deserialization vulnerabilities affecting SAP NetWeaver Java systems—longtime targets for threat actors and ransomware groups alike. While there are no confirmed in-the-wild exploits for these new issues, history tells us that such gaps don’t remain unexploited for long. Just earlier this year, vulnerabilities in SAP’s Visual Composer framework were actively exploited by ransomware operators like BianLian and RansomEXX . As threat actors grow more sophisticated and supply chain targets grow more lucrative, patch speed has never been more important. This episode covers: The vulnerabilities patched in SAP’s July advisory and their real-world risk Why CVSS scoring matters —and how SAP determines what counts as "critical" The SAP vulnerability lifecycle , and how organizations can use structured frameworks for patch and incident management Key lessons from past exploits , including zero-day activity targeting SAP systems The shared security model in cloud deployments like RISE with SAP—and what you’re responsible for vs. what SAP handles Why alert fatigue and delayed patching are existential threats in SAP environments How to verify your patch level, interpret SAP Notes, and ensure you’re protected We also discuss how critical tools like SecurityBridge , NIST-aligned vulnerability workflows, and proactive community engagement can help mitigate threats and support SAP admins, DevSecOps teams, and CISOs navigating the growing complexity of ERP security.…
1 106GB Exposed? Telefónica, HellCat, and the Silent Data Breach 50:33
50:33 Play Later Play Later Lists Like Liked50:33
Play Later Play Later Lists Like LikedIn this episode, we explore a shadowy and unconfirmed—but highly consequential—data breach at Spanish telecommunications giant Telefónica. Allegedly orchestrated by the HellCat ransomware group, the breach involves a staggering 106GB of exfiltrated data, including internal communications, customer records, and employee information. Telefónica has yet to acknowledge the breach publicly, while the threat actor “Rey” released a 5GB sample to support their claim, pointing to a Jira server misconfiguration as the entry point. We unpack the evolving tactics of HellCat—a ransomware gang known for targeting Atlassian’s Jira platform—and examine how such misconfigurations continue to expose sensitive data across major organizations like NASA, Google, and Yahoo. Telefónica is no stranger to HellCat; a similar attack occurred in January, making this latest breach appear not only credible but also indicative of ongoing remediation failures. But this isn’t just a story about technical lapses—it’s also a warning shot for every organization subject to the GDPR and Spain’s national data protection laws. We dig into the regulatory implications, potential fines, and legal obligations that Telefónica could face if the breach is confirmed. You'll also hear why Atlassian’s Jira platform has become a soft target for threat actors, and what companies need to do to harden their SaaS deployments against similar threats. Finally, we explore frameworks for responsible breach response—from immediate containment to post-incident review—and what every enterprise should learn from this growing wave of misconfiguration-fueled cyberattacks. Key discussion points include: The anatomy of the Telefónica breach and the leaked data How HellCat exploits Jira misconfigurations and infostealer-compromised credentials The broader trend of Atlassian-based intrusions across multiple industries GDPR and NLOPD obligations: What counts as a notifiable breach? Regulatory fines, reputational risks, and the right to compensation Best practices for SaaS security and breach response in 2025 This episode is a must-listen for CISOs, privacy officers, IT security professionals, and legal teams navigating the intersection of cybersecurity failures and regulatory exposure.…
1 Ingram Micro’s SafePay Ransomware Breach: Human-Operated Threats and Supply Chain Fallout 59:56
59:56 Play Later Play Later Lists Like Liked59:56
Play Later Play Later Lists Like LikedThe recent ransomware attack on Ingram Micro , a global technology distribution giant, reveals not only a sophisticated human-operated cyber assault—but also the fragile state of modern supply chain cybersecurity. In this episode, we break down how attackers, believed to be affiliated with the SafePay ransomware group , penetrated Ingram Micro’s infrastructure, reportedly by exploiting a Palo Alto GlobalProtect VPN vulnerability and leveraging stolen credentials. The breach disrupted the company’s website and order systems, impacting partners and resellers worldwide. This case is a microcosm of a much larger threat: ransomware groups are evolving, using targeted, manual operations rather than automated malware blasts. And when a company like Ingram Micro gets hit, the downstream effects ripple through entire IT ecosystems. This episode explores the deeper story behind the headlines, including: Human-operated ransomware tactics , including credential theft, privilege escalation, lateral movement, and double extortion. The critical vulnerability CVE-2024-3400 in GlobalProtect , which is being actively exploited in real-world ransomware campaigns. SafePay’s emergence in 2025 as a serious actor, using stolen VPN credentials and backdoor persistence methods to deploy ransomware discreetly. How human-operated ransomware attacks differ from commodity malware—and why they're more dangerous. The risks of supply chain dependence , as illustrated by partners experiencing delays and business interruptions from Ingram Micro’s outage. The importance of adopting a Cybersecurity Supply Chain Risk Management (C-SCRM) strategy using NIST’s framework . Key mitigation steps, including enforcing multi-factor authentication (MFA) , hardening remote access tools, implementing network segmentation , and maintaining robust offline backups . Best practices for incident response and recovery , based on guidance from CrowdStrike, Microsoft, and NCSC. How ransomware threat actors are becoming increasingly selective, strategic, and efficient—often targeting misconfigured enterprise platforms as initial entry points. The Ingram Micro attack is a reminder that resilience isn’t just about stopping the ransomware—it’s about preparing for its inevitable arrival . For organizations operating in the cloud, distributing hardware, or serving as a linchpin in digital ecosystems, the lessons from this breach are urgent and universal.…
1 The Illusion of Shutdowns: What Hunters International's Closure Really Means 42:41
42:41 Play Later Play Later Lists Like Liked42:41
Play Later Play Later Lists Like LikedIn a sudden and cryptic announcement, the notorious ransomware group Hunters International has declared its shutdown, citing “recent developments” and pledging to release decryption keys to victims. Active since late 2022 and suspected to be a rebrand of the earlier Hive ransomware gang , Hunters International has been responsible for attacks on nearly 300 organizations across various industries. Yet, cybersecurity experts believe this announcement is less about remorse—and more about reinvention. In this episode, we dissect what this “shutdown” really means. Far from disappearing, the group may already be operating under a new name: World Leaks . This episode explores the lifecycle of ransomware gangs and how rebranding, splintering, and strategic pauses are common tactics used to throw off law enforcement and improve operational resilience. Key discussion points include: The lifecycle of ransomware groups, from emergent to established , using the GRIT taxonomy. How rebranding is used to evade law enforcement pressure and manage public perception, especially after high-profile disruptions. The Hive–Hunters–World Leaks lineage , and what indicators point to continuity rather than closure. Why law enforcement actions rarely shut down ransomware permanently, often leading to splinter or successor groups . The business model of ransomware , including double extortion, data leak sites, and Ransomware-as-a-Service (RaaS). Which sectors remain most vulnerable—including manufacturing, professional services, finance, and education —and how victim selection is increasingly based on financial footprint and data value . The significance of public communications and tactics like apologies, targeting rules, and ethics messaging used to shape ransomware groups' public image. The importance of ransomware payment tracking via blockchain , with insights into Bitcoin-based laundering operations and the transparency paradox of public ledgers. The value of Ransomware Susceptibility Index™ (RSI) metrics to help organizations prioritize defenses and understand their exposure. This case study of Hunters International exemplifies the strategic fluidity of modern ransomware operations —where shutting down may simply mean rebooting under a different brand. For defenders, staying ahead means recognizing these patterns, maintaining continuity in threat intelligence, and preparing for the next iteration before it strikes.…
1 CISA Flags CVE-2025-6554: Patching Chrome’s Critical Flaw Before It’s Too Late 40:49
40:49 Play Later Play Later Lists Like Liked40:49
Play Later Play Later Lists Like LikedA newly discovered and actively exploited zero-day vulnerability in Google Chrome has sent ripples through the cybersecurity community. Known as CVE-2025-6554 , this critical type confusion flaw in Chrome’s V8 JavaScript and WebAssembly engine enables remote attackers to perform arbitrary read/write operations or execute code via a single malicious webpage. With active exploitation confirmed and inclusion in CISA’s Known Exploited Vulnerabilities catalog , organizations are under urgent pressure to patch all affected systems—immediately. In this episode, we break down what makes this vulnerability especially dangerous, why Google’s Threat Analysis Group (TAG) is paying close attention, and what this incident tells us about the state of browser security, enterprise patch management, and memory safety technologies . Though Google has released patches for Chrome and other Chromium-based browsers—including Microsoft Edge, Brave, and Vivaldi—the scale of exposure across platforms is massive. Key topics we explore include: Technical breakdown of CVE-2025-6554 : How type confusion in the V8 engine leads to total compromise. Sandboxing in V8 : How Chrome's V8 Sandbox mitigates memory corruption—and what this exploit bypassed. Indicators of nation-state exploitation : The role of Google’s TAG and what it implies about the attackers. Patching priorities : Why immediate updates to versions 138.0.7204.96/.97 (Windows/Linux) and .92/.93 (macOS) are non-negotiable. Beyond Chrome : The ripple effect on all Chromium-based browsers and Electron-based applications. Patch management best practices : From realistic testing environments and system categorization to rollback procedures, KPIs, and automation. With CVE-2025-6554 being the fourth zero-day in Chrome this year , this isn’t just a browser issue—it’s a litmus test for security readiness . As attackers grow faster and more sophisticated, your ability to rapidly detect, prioritize, and patch vulnerabilities is more crucial than ever. Whether you're managing an enterprise IT infrastructure, leading an AppSec team, or securing a fleet of endpoints, this episode will arm you with both the technical insight and operational perspective needed to respond decisively to this threat—and to the next one.…
1 ANSSI vs. Houken: France Battles Advanced Chinese Hacking Threat 33:16
33:16 Play Later Play Later Lists Like Liked33:16
Play Later Play Later Lists Like LikedIn this episode, we uncover a high-stakes cyber campaign targeting the heart of French digital infrastructure. ANSSI , France’s national cybersecurity agency, has exposed a Chinese-linked hacking group known as Houken (UNC5174 or Uteus) responsible for a widespread espionage operation since late 2024. This state-adjacent threat actor infiltrated critical sectors including government, media, transport, telecom, and finance using an arsenal of sophisticated tactics—blending zero-day exploits, rootkits, and stealthy post-exploitation tools. The Houken group leveraged multiple zero-day vulnerabilities in Ivanti Cloud Service Appliances (CSA) —CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380—to gain initial access. But this wasn’t just about intrusion; Houken’s operators dug in deep: stealing credentials, moving laterally , and deploying a rare Linux kernel-mode rootkit capable of hijacking any inbound TCP traffic while remaining virtually invisible to traditional defenses. What sets this campaign apart isn’t just its technical sophistication—it’s the hybrid nature of the threat. ANSSI suggests Houken may be a cyber mercenary group , simultaneously working in the service of China’s Ministry of State Security (MSS) and pursuing financial gains , such as cryptocurrency mining and reselling system access. This “multiparty approach” signifies a dangerous evolution in cybercrime—where espionage and monetization coexist within a single operational framework. We delve into: The attack chain : from zero-day exploitation to credential harvesting and stealth persistence. The rootkit sysinitd.ko : a kernel module granting root-level command execution while avoiding detection. Defense evasion tactics : including timestomping , log deletion , and self-patching vulnerabilities to lock out rival threat actors. Houken’s toolkit : a mix of commodity utilities (Nmap, Netcat, Fscan) and custom implants (PHP webshells, SparkRAT, Neo-reGeorg). Operational clues that tie activity to China Standard Time (UTC+8) and highlight probable MSS alignment. This is more than a breach. It’s a signal that cyber mercenary operations are maturing , and European states are squarely in the crosshairs. The Houken campaign forces a reconsideration of perimeter defenses, zero-day management, and detection strategies for advanced persistent threats. Whether you’re a security architect, CISO, or public sector technologist, this episode provides a deep and essential briefing on one of the most sophisticated cyber espionage efforts uncovered in 2025.…
1 Psychological Manipulation and AI Fraud: How Spain Exposed a $12M Scam 17:21
17:21 Play Later Play Later Lists Like Liked17:21
Play Later Play Later Lists Like LikedIn this episode, we examine a growing threat reshaping financial crime in Europe: sophisticated, technology-driven investment fraud. Spanish law enforcement has recently dismantled a fraud operation that spanned multiple years, deceived over 300 victims, and resulted in more than $11.8 million in losses. What made this case particularly notable was the use of high-pressure call centers inside Spain , supported by strategic psychological manipulation , to drive fraudulent investments advertised across social media platforms. The scheme, launched in 2022, mimicked the playbook of larger international fraud networks—slick branding, convincing digital ads, and seemingly personalized pitches to lure in unsuspecting investors. Behind the scenes, victims were connected to well-trained fraud agents posing as investment advisors who used scripted tactics to manipulate emotional trust and urgency. This case, however, is just one node in a much broader web of financial crime being actively investigated across Spain: Authorities arrested 21 individuals and seized luxury vehicles, stacks of cash, and other high-value assets linked to the scheme. In a separate crackdown, Spanish police disrupted a ring that laundered over €500 million , highlighting the scale and integration of illicit finance operations within legitimate economic channels. Another scam exploited AI-generated advertisements and deepfakes to lure cryptocurrency investors into fake opportunities, netting €19 million. We unpack the evolving tactics used by fraudsters , including: Social engineering techniques that exploit emotional triggers and authority bias. The use of AI and deepfakes to create authentic-looking investment platforms and personalities. Affinity fraud , where scammers target members of specific communities or shared identity groups to exploit trust. The integration of cryptocurrency and decentralized finance (DeFi) to obscure money trails and enable rapid laundering. This episode also dives into the regulatory landscape , including how the EU’s Anti-Money Laundering Directive (AMLD) and organizations like FATF and Moneyval are attempting to curb these activities through stricter oversight, risk-based frameworks, and obligations for financial and non-financial intermediaries to report suspicious transactions. As these fraud rings adopt increasingly advanced tools—ranging from Telegram social engineering to metaverse impersonations—Spain’s efforts signal a broader shift: financial crime is becoming cybercrime , and law enforcement must keep pace. Whether you’re a financial compliance professional, cybersecurity lead, or simply someone navigating digital investments, this episode is your briefing on where the threat landscape is heading—and what can be done to stay one step ahead.…
1 CVE-2025-20309: Critical Cisco Root Access Flaw Threatens VoIP Security 41:32
41:32 Play Later Play Later Lists Like Liked41:32
Play Later Play Later Lists Like LikedA devastating vulnerability— CVE-2025-20309 —has been discovered in Cisco’s Unified Communications Manager (Unified CM) and its Session Management Edition (SME), threatening the security of over a thousand internet-exposed VoIP systems globally. In this episode, we break down this critical flaw , which scores a perfect CVSS 10.0 , and explore why it's one of the most dangerous telecom vulnerabilities in recent memory. The vulnerability stems from unchangeable hardcoded SSH root credentials inadvertently left in production code during development. Exploitable without authentication, this flaw grants remote attackers full root access to affected systems—an open door to full system takeover , VoIP eavesdropping , lateral movement , and even ransomware deployment . We discuss: What is CVE-2025-20309? A look at the hardcoded credential flaw impacting versions 15.0.1.13010-1 to 15.0.1.13017-1 of Cisco Unified CM. How bad is it? Full root access, unauthenticated, with over 1,000 vulnerable instances publicly exposed—especially in critical sectors across the U.S. and Asia. Threat actor implications : APT groups like APT28, APT41, and MuddyWater are known to exploit similar flaws. CloudSEK warns that access brokers may soon target and monetize these systems on darknet forums. What’s at stake : VoIP traffic manipulation : Intercept SIP/RTP streams for surveillance or disruption. Call log and voicemail exfiltration . Deployment of persistent malware and ransomware . Lateral movement to other enterprise systems . Mitigation roadmap : Patch immediately using Cisco’s released patch file: ciscocm.CSCwp27755_D0247-1.cop.sha512. Upgrade to 15SU3 when released. Monitor logs for root access attempts (/var/log/active/syslog/secure). Restrict administrative access , isolate Unified CM systems, and enforce VPN/firewall segmentation. No workarounds : This is not a flaw you can firewall away. Cisco has confirmed that there are no viable workarounds—patching is the only fix. The bigger picture : This incident also highlights the ongoing risks of default credentials , poor credential hygiene , and overreliance on perimeter defenses in VoIP and UC systems. It’s a reminder that VoIP isn’t just about call quality—it’s a core part of your network infrastructure that demands zero-trust scrutiny . Additional Cisco vulnerabilities : We also briefly touch on two related medium-severity flaws—CVE-2025-20308 (Spaces Connector privilege escalation) and CVE-2025-20310 (stored XSS in Cisco Enterprise Chat)—which, while not yet exploited, reinforce the need for robust Cisco infrastructure hygiene. This episode is essential listening for VoIP admins, network engineers, CISOs , and anyone managing unified communication platforms. Don’t wait for signs of compromise— patch now and audit your exposed assets . Security for voice systems is no longer optional; it’s foundational.…
1 macOS Under Siege: NimDoor Malware Targets Telegram, Wallets, and Keychains 43:09
43:09 Play Later Play Later Lists Like Liked43:09
Play Later Play Later Lists Like LikedA new, highly advanced malware strain— NimDoor —has emerged as the latest cyber weapon in the arsenal of North Korean state-sponsored hackers, specifically targeting macOS systems used by cryptocurrency and Web3 organizations. This episode explores the complex tactics and alarming capabilities of NimDoor, a malware family showcasing a blend of C++ and Nim programming , stealthy persistence mechanisms, and an intense focus on stealing digital assets . First identified in early 2025, NimDoor marks a significant evolution in North Korean cyber operations. Delivered through social engineering on Telegram , the attack chain begins with a deceptive fake Zoom SDK update. Once executed, the malware installs multiple payloads—including GoogIe LLC and CoreKitAgent —designed to establish persistence, exfiltrate data, and communicate with command-and-control servers using TLS-encrypted WebSocket connections and layered RC4 encryption . This episode covers: Anatomy of the NimDoor Infection Chain : How Telegram lures and fake SDKs lead to multi-stage infections on macOS. Advanced Persistence via Signals : A rare signal-based persistence mechanism enables NimDoor to reinstall itself if terminated—an unusually resilient feature for macOS malware. Targeted Data Theft : NimDoor steals sensitive browser data, cryptocurrency wallet credentials, Telegram's encrypted databases, macOS Keychain items, and even command histories. Why Nim Matters : The use of Nim , a lesser-known and rarely detected language in malware development, allows attackers to evade traditional antivirus and EDR solutions while enabling sophisticated binary construction. North Korea’s Cyber Objectives : The Lazarus Group and its affiliated APTs are not just stealing information—they are funneling stolen cryptocurrency to fund the North Korean regime , bypassing sanctions. macOS as a Target : This attack busts the myth of Apple’s invincibility, illustrating how macOS is now firmly in the crosshairs of nation-state threat actors. Modular Payloads and Exfiltration Tools : From C++ loaders to Nim-compiled components and Bash scripts like upl and tlgrm, the malware’s design is optimized for flexibility and maximum data theft. How to Defend : Don’t trust third-party cryptocurrency tools—especially if shared via chat platforms like Telegram. Train teams to recognize fake software prompts and suspicious update requests. Apply the principle of least privilege, and implement strict application allowlists. Patch aggressively and monitor for unexpected outbound connections over wss (WebSocket over TLS). Understand that malware written in Nim is no longer exotic—it's active and dangerous . The NimDoor campaign represents a convergence of nation-state strategy, programming innovation, and cryptocurrency exploitation . For Web3 builders, crypto investors, and cybersecurity professionals, it’s a wake-up call that threat actors are not just evolving—they're innovating faster than ever.…
1 Cisco Unified CM Vulnerability: Root Access Risk for Enterprise VoIP Networks 56:02
56:02 Play Later Play Later Lists Like Liked56:02
Play Later Play Later Lists Like LikedA newly disclosed vulnerability— CVE-2025-20309 —in Cisco's Unified Communications Manager (Unified CM) and Session Management Edition has sent shockwaves through enterprise VoIP and IT security teams. The flaw stems from hardcoded root SSH credentials that could allow unauthenticated remote attackers to gain full control of affected systems. In this episode, we unpack the gravity of this vulnerability and its broader implications for VoIP security. Cisco has issued a patch to remove the backdoor account from affected versions, but the vulnerability’s CVSS score of 10.0 underscores the risk to organizations still running unpatched systems. A successful exploit could enable attackers to manipulate network topology, execute denial-of-service attacks, intercept VoIP traffic via port mirroring, or even erase logs and implant persistence mechanisms. While no active exploitation has been reported, the risk is far from theoretical. This episode explores both the technical and strategic dimensions of VoIP security, including: Understanding CVE-2025-20309 : How static root credentials opened the door to full system compromise and why this vulnerability is especially dangerous in a Unified CM context. VoIP-Specific Security Risks : The inherent architectural vulnerabilities of VoIP, including its tight QoS constraints, encryption-induced latency, NAT complications, and its integration with dynamic, open networks. Protocol-Level Complexity : Challenges introduced by SIP, H.323, and NAT traversal protocols like STUN, TURN, and ICE—and how attackers can exploit these for interception or disruption. Encryption Dilemmas : Why SRTP, IPsec, and key management schemes like MIKEY offer needed protection but also introduce latency, jitter, and crypto-engine bottlenecks that VoIP networks struggle to absorb. Hardening VoIP Systems : Change default device passwords and audit all endpoints, including phones and switches. Separate voice and data networks where possible to reduce attack surface. Apply VoIP-aware firewalls and intrusion detection tools. Encrypt both signaling and media streams with SRTP or H.235 where feasible. Use Session Border Controllers (SBCs) or Application Layer Gateways (ALGs) to manage NAT traversal securely. Legal and Compliance Considerations : Interception laws, call record retention, and regulatory requirements differ for VoIP—organizations must consult legal counsel to avoid unintended violations. What Cisco Admins Must Do Now : Guidance for patching, log review for potential indicators of compromise, and securing remote access to Unified CM environments going forward. VoIP systems are increasingly integral to enterprise communications—and increasingly targeted. This episode stresses that security must evolve with functionality , and that modern communications infrastructure cannot afford to overlook foundational flaws like hardcoded credentials.…
1 Forminator Flaw Exposes WordPress Sites to Takeover Attacks: Vulnerability Threatens 600,000+ Sites 50:32
50:32 Play Later Play Later Lists Like Liked50:32
Play Later Play Later Lists Like LikedA critical new WordPress vulnerability— CVE-2025-6463 —has been discovered in the widely used Forminator plugin , affecting over 600,000 active installations and putting hundreds of thousands of websites at risk of full compromise. In this episode, we dive deep into the mechanics, risks, and remediation of this arbitrary file deletion flaw and explain what every WordPress administrator, developer, and security professional needs to know. At the heart of this issue is improper validation in how the Forminator plugin handles file paths when deleting form entries. This allows unauthenticated attackers to inject file paths into form submissions—even in fields not meant to accept files—and trick the system into deleting critical WordPress files like wp-config.php. The result? A full site reset , granting attackers an opportunity to seize control of the site . Here’s what we unpack in this episode: The CVE-2025-6463 Vulnerability : How the exploit works, which function is flawed (entry_delete_upload_files), and why unsanitized file arrays in form fields make this so dangerous. Real-World Impact : Deleting wp-config.php can reset a WordPress site, giving an attacker a window to install a fresh site under their control . Scope of Exposure : Over 400,000 sites remain unpatched , and many administrators may not even be aware they’re running outdated versions of the Forminator plugin. The Fix in Version 1.44.3 : We discuss how the patch restricts deletions to specific field types, limits file deletions to safe directories, and enforces path normalization and filename sanitization. Why WordPress Sites Are Frequent Targets : A broader look at WordPress security—including why abandoned plugins, weak file permissions, brute force attacks, and poor update hygiene continue to lead to compromises. Best Practices to Secure WordPress : Always keep core, themes, and plugins up to date Remove unused plugins and themes completely—not just deactivate them Set secure file permissions (755 for directories, 644 for files, and 400 or 440 for wp-config.php) Use activity logs , 2FA , and limit login attempts Disable file editing in wp-config.php Turn off PHP error reporting in production environments Use reputable security plugins like Jetpack or Wordfence for real-time protection The Role of Hosting Providers : Why choosing a secure hosting platform with automatic backups, patching, and server-level firewalls makes a huge difference in your site’s security posture. Mitigating Plugin-Related Risks : We explain how to monitor plugins using services like WPScan and how to respond swiftly to new CVEs. This is a wake-up call for the WordPress community: A single vulnerable plugin can bring down an entire website . Whether you manage one site or hundreds, understanding this threat and acting fast can be the difference between a minor maintenance task and a full-blown compromise.…
1 Kelly Benefits Breach: Over 550,000 Victims and the Rising Identity Theft Crisis 1:08:04
1:08:04 Play Later Play Later Lists Like Liked1:08:04
Play Later Play Later Lists Like LikedIn one of the latest large-scale data breaches to hit the U.S. private sector, Kelly Benefits , a provider of payroll and benefits administration services, disclosed a significant cybersecurity incident impacting over 553,000 individuals . The breach, which occurred in December 2024 but was only revealed in April 2025 , exposed sensitive personal information—including names, Social Security numbers, financial data, and even medical records —of employees linked to over 40 partner organizations , such as Aetna Life Insurance and United Healthcare . This episode explores what really happened, why this breach matters, and how it fits into the growing wave of identity theft driven by third-party vendor compromises. We take you through: The Scope of the Kelly Benefits Breach : What data was stolen, how many entities were affected, and why the delayed disclosure has legal and ethical ramifications. The Invisible Cost of Vendor Vulnerabilities : How breaches at service providers can cascade downstream, exposing thousands of individuals tied to organizations with no direct involvement in the original breach. The Growing Identity Theft Epidemic : With over 500,000 individuals exposed in this incident alone, we look at how breaches like this contribute to financial fraud, medical identity theft , and long-term privacy violations. Common Identity Theft Tactics : From phishing and spoofing to malware and physical document theft, threat actors exploit every avenue to steal and monetize personal information. Warning Signs of Identity Theft : Unfamiliar accounts, strange billing activity, and credit applications you didn’t submit—learn what to look for and when to act. What Victims Can Do Now : We provide a step-by-step recovery roadmap: Freeze your credit at all three bureaus Monitor all financial and health accounts Use the FTC's IdentityTheft.gov to file official reports Replace compromised IDs and secure your digital identity Organizational Responsibilities : What companies like Kelly Benefits (and those they serve) should have in place: risk assessments, vendor security audits, encryption policies, and phishing-resistant multi-factor authentication (MFA). Best Practices for Prevention : Use strong, unique passwords and MFA Keep devices patched and software up to date Secure personal Wi-Fi and avoid public networks for sensitive access Beware of phishing, spoofing, and suspicious attachments Periodically check your credit reports for unfamiliar activity We also spotlight the legal rights of breach victims , including placing fraud alerts, disputing fraudulent accounts, and demanding removal of bad information from credit reports. The episode underscores a critical point: identity theft is no longer a matter of “if,” but “when” —and preparation is your best defense. Whether you're an affected individual, an employer relying on third-party benefit providers, or a cybersecurity professional tasked with securing sensitive PII, this episode offers critical insights and practical takeaways .…
D
Daily Security Review
1 FileFix, HTA, and MotW Bypass—The Alarming Evolution of HTML-Based Attacks 46:04
46:04 Play Later Play Later Lists Like Liked46:04
Play Later Play Later Lists Like LikedA newly disclosed exploit dubbed FileFix is redefining how attackers bypass Microsoft Windows' built-in security protections—specifically the Mark-of-the-Web (MotW) mechanism. Developed and detailed by security researcher mr.d0x , this attack takes advantage of how browsers save HTML files and how Windows handles HTA (HTML Application) files . The result? Malicious scripts can execute without warning, bypassing the very safeguards designed to flag untrusted code. In this episode, we break down how FileFix works, why it’s effective, and what makes it uniquely dangerous. Unlike many malware campaigns, FileFix doesn’t rely on zero-day exploits or complex payloads—instead, it exploits the weakest link in the chain: human behavior. Key topics include: Understanding FileFix Mechanics : How a simple rename from .html to .hta can convert a saved webpage into a launchpad for malicious code execution— without triggering MotW protections . Social Engineering at the Core : FileFix depends on user interaction. By designing convincing phishing lures, attackers guide users to unknowingly bypass their own defenses— a modern twist on old tricks . The Role of mshta.exe : This deprecated Windows binary remains powerful and dangerous. We examine how attackers use it to execute scripts and why defenders should consider disabling or removing it entirely. MotW Bypass Techniques : Beyond FileFix, we dive into container-based bypasses (.iso, .img), and how utilities and encoding tricks (e.g., RLO, double extensions, invisible Unicode) help malware evade detection. Masquerading and Human Blind Spots : From fake filenames like Invoice.pdf.exe to Unicode manipulation, attackers exploit user assumptions and default system behaviors to hide malware in plain sight. Detection and Mitigation Strategies : We offer a practical set of defenses: Disable or restrict mshta.exe through AppLocker or WDAC Block or quarantine .html, .htm, and .hta email attachments Enable file extension visibility across endpoints Train users to recognize suspicious file behaviors and social engineering lures Implement behavioral detection—e.g., alert when mshta.exe spawns powershell.exe Why FileFix Matters Now : With the rise of AI-generated content and increasingly polished phishing infrastructure, low-tech, high-impact attacks like FileFix are gaining new relevance . The simpler the technique, the broader its reach. As Windows continues to harden its systems, attackers are shifting focus to user-driven execution paths . FileFix exemplifies this shift—blending psychological manipulation with deep technical understanding of system behaviors. For defenders, the challenge is clear: technical controls must be matched by human-aware defenses . This is a must-listen for enterprise defenders, SOC analysts, and red teamers tracking the latest in Windows exploitation tactics. If your security strategy still assumes technical exploitation is the biggest threat, FileFix is your wake-up call .…
D
Daily Security Review
1 Sophisticated Cyberattack on the International Criminal Court: Justice in the Crosshairs 19:37
19:37 Play Later Play Later Lists Like Liked19:37
Play Later Play Later Lists Like LikedThe International Criminal Court (ICC), the world’s foremost tribunal for prosecuting war crimes, genocide, and crimes against humanity, has confirmed yet another sophisticated cyberattack , highlighting the persistent threat facing high-profile global institutions. This marks the second targeted intrusion against the ICC in recent years , and although the organization successfully detected and contained the attack, critical questions remain—who was behind it, what data may have been compromised, and how can institutions like the ICC defend against increasingly complex threats? In this episode, we examine the June 2025 cyber incident targeting the ICC’s internal systems. While the technical specifics remain undisclosed, the context is telling: mounting geopolitical tensions, high-profile arrest warrants for global leaders, and a growing wave of politically motivated cyber intrusions. Key insights include: The strategic targeting of international justice institutions and how the ICC’s sensitive caseload (including cases involving heads of state) may drive cyber interest from state-aligned actors. A review of the ICC’s cyber resilience measures and how their swift containment of the breach reflects a mature security posture—but also underscores the limits of transparency in cyber disclosures. The critical need for integrated resilience strategies , merging business continuity, disaster recovery, cybersecurity, and incident response into a unified framework. The lifecycle of a well-structured incident response: from identification and containment to post-incident forensics and recovery. Lessons for international organizations and government agencies , particularly those engaged in politically sensitive or human rights-related work. A discussion on common organizational gaps —such as siloed planning, inadequate testing, or lack of senior leadership engagement—that can weaken cyber preparedness even in highly secure institutions. The escalating geopolitical risk of cyber conflict, where disinformation, sabotage, and espionage become tools of statecraft targeting justice systems, election infrastructures, and human rights advocates. This incident reinforces the reality that even the most globally respected institutions must constantly evolve their cyber defenses. As the line between geopolitics and cyberspace continues to blur, organizations like the ICC are not just administering justice—they're operating on the front lines of global cyber warfare. For CISOs, risk leaders, and those in public international service, this episode is a call to action: build resilience not just for business continuity, but for mission continuity in a world where digital systems are both your greatest strength—and your greatest vulnerability.…
D
Daily Security Review
1 Critical Flaws in Microsens NMP Web+ Threaten Industrial Network Security 43:40
43:40 Play Later Play Later Lists Like Liked43:40
Play Later Play Later Lists Like LikedIn a major red flag for the industrial cybersecurity community, three newly disclosed vulnerabilities in Microsens NMP Web+ , a popular network management solution used across critical infrastructure, have revealed just how fragile many ICS environments remain. The flaws—two rated critical and one high—allow unauthenticated attackers to bypass authentication , generate forged JWTs , and execute arbitrary code , potentially enabling full system compromise with no credentials required. Discovered by security researcher Noam Moshe, the vulnerabilities demonstrate how a combination of weak authentication mechanisms and insecure file handling can open the door to devastating attacks. While patches have now been released, some vulnerable systems remain internet-exposed , prompting urgent warnings from CISA—especially for those in the critical manufacturing sector . In this episode, we dive into what went wrong, why these bugs are so dangerous, and how this incident reflects a deeper and systemic challenge in ICS security. Topics covered include: The technical anatomy of the vulnerabilities (CVE-2025-49151, CVE-2025-49153, CVE-2025-49152) and how attackers can chain them for full remote access. Why ICS systems—unlike traditional IT—face unique challenges around patching, downtime tolerance, and legacy software dependencies. The dangerous rise of internet-exposed ICS systems , with over 145,000 devices globally found accessible via public scans. The critical role of vendor patching , network segmentation, and compensating controls when downtime prevents immediate updates. Strategic best practices like: Building dedicated ICS test environments for patch validation Using firewalls and virtual patching to buy time when updates can’t be applied Adopting zero-trust architecture and isolating OT from business IT networks The persistent convergence of IT and OT networks , creating new attack surfaces if not tightly managed Real-world consequences of ICS vulnerabilities: from ransomware shutting down production lines to malware causing device malfunction and downtime Microsens isn’t the only vendor in the spotlight—this episode sheds light on an industry-wide problem where security is often deprioritized in favor of uptime , and vendors may still use outdated design practices like hardcoded credentials or unexpired tokens. For CISOs, OT engineers, and asset owners in manufacturing, energy, and industrial sectors , this is a critical wake-up call. Patching can’t be reactive—it must be strategic, tested, and integrated with operational priorities. Because when ICS systems go down, it’s not just data at risk—it’s the infrastructure behind national economies and physical safety.…
D
Daily Security Review
1 Qantas Data Breach: Third-Party Hack Exposes Millions of Frequent Flyers 24:36
24:36 Play Later Play Later Lists Like Liked24:36
Play Later Play Later Lists Like LikedIn a stark reminder of the aviation industry's growing exposure to cyber threats, Australian airline Qantas recently confirmed a serious data breach—this time not from its own systems, but from a third-party platform used by one of its customer contact centers. The breach exposed personal data for up to six million customers , including names, dates of birth, contact details, and frequent flyer numbers. Although financial and passport information were not affected , the scale and nature of the compromise have sent shockwaves through the sector. This episode unpacks what happened, why it matters, and what the broader aviation and cybersecurity communities can learn from this breach. We examine: The anatomy of the Qantas breach —how attackers infiltrated a call center platform, bypassing internal security safeguards. The suspected involvement of Scattered Spider , a notorious cybercrime group adept at vishing, MFA bypass, and social engineering tactics. Why third-party risk is the aviation industry’s Achilles’ heel , with many airline vendors holding poor cybersecurity ratings and limited defenses. The rising tide of ransomware, DDoS attacks, and nation-state aggression aimed at aviation networks. How the aviation industry’s focus on physical security has historically come at the expense of digital resilience—and why that must change. The Qantas breach also surfaces urgent regulatory, reputational, and operational questions: Under Australia’s updated Privacy Principle 11 , what constitutes “reasonable steps” to protect customer data? Are airlines truly ready for evolving mandates from regulators like the U.S. TSA, the EU, and ICAO? How do communication failures during cyber incidents amplify public distrust, and what does Qantas’s response tell us about effective crisis management? With billions flowing into aviation cybersecurity and cyber insurance costs climbing , industry stakeholders must address the weakest links—especially vendor ecosystems and human-centric attack vectors. That includes upgrading to phishing-resistant MFA, simulating real-world social engineering attacks, and implementing rigorous access controls across third-party platforms. Whether you're a CISO at an airline, a cybersecurity leader in transportation, or a vendor in the aviation supply chain , this episode offers critical insights into managing cyber risk in one of the world’s most high-stakes industries.…
D
Daily Security Review
1 Berlin Regulator Targets DeepSeek AI Over Data Transfers to China 43:41
43:41 Play Later Play Later Lists Like Liked43:41
Play Later Play Later Lists Like LikedGermany’s battle over digital sovereignty and data privacy has intensified, with the Berlin Commissioner for Data Protection formally requesting that Google and Apple remove the DeepSeek AI application from their app stores. The move stems from allegations that DeepSeek, a Chinese-developed generative AI platform, violates the EU’s General Data Protection Regulation (GDPR) by unlawfully collecting data from German users and transferring it to Chinese servers—beyond the EU’s legal jurisdiction and outside GDPR’s protections. This episode explores the broader implications of this takedown request under Article 16 of the EU Digital Services Act (DSA) and unpacks what this means for AI platforms, app store governance, and global data flows. We go beyond the headlines to examine: How GDPR governs cross-border data transfers , and why transfers to China often fall short of EU legal adequacy requirements. The clash of data philosophies between the EU’s GDPR and China’s PIPL , revealing a deeper regulatory rift grounded in individual rights versus state sovereignty. Why DeepSeek’s refusal to comply voluntarily triggered enforcement escalation , and how this signals a tougher European stance on foreign AI apps operating in the single market. The role of the Digital Services Act (DSA) in compelling app platforms like Google and Apple to act on national regulatory concerns—even when raised by a single EU state authority. The risk of fragmenting global data flows and creating incompatible governance zones, hindering both trade and innovation. What this action reveals about the “Brussels Effect” —the EU’s growing influence on global digital regulation—and how that’s reshaping how tech firms build and deploy AI. We also situate the DeepSeek case within broader global dynamics, including: Rising tensions around AI regulation, national security, and data localization How multinational firms struggle to comply with competing privacy frameworks The environmental and economic costs of fragmented data governance Regulatory uncertainty around AI tools' collection, training data use, and transparency This is a must-listen episode for privacy professionals, compliance officers, digital policymakers, AI developers, and global tech executives navigating today’s increasingly territorial data landscape.…
D
Daily Security Review
1 CISA Flags Citrix NetScaler Flaws: What CVE-2025-6543 Means for Federal and Private Networks 56:41
56:41 Play Later Play Later Lists Like Liked56:41
Play Later Play Later Lists Like LikedThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple Citrix NetScaler vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog—an urgent signal for federal agencies and private enterprises alike. At the center of this update is CVE-2025-6543 , a memory overflow flaw affecting NetScaler ADC and Gateway appliances, which could lead to Denial of Service attacks under specific configurations. This joins earlier additions from 2023, including CVE-2023-6548 and CVE-2023-6549, covering code injection and buffer overflow vulnerabilities. In this episode, we explore why NetScaler vulnerabilities are drawing heightened attention, how they are actively being exploited, and what organizations must do to stay ahead of increasingly sophisticated cyber threats. But the scope of this episode goes far beyond Citrix. We delve into the latest intelligence on: Active APT campaigns like Swan Vector , which leverages OAuth abuse, DLL sideloading, and Cobalt Strike to infiltrate institutions across Taiwan and Japan The rise of “Shadow AI” in enterprises , where unsanctioned GenAI tools introduce hidden risks like data exfiltration, training leakage, and geopolitical exposure A roundup of critical vulnerabilities , including high-severity flaws in Cisco ISE (CVE-2025-20281/20282), Veeam Backup, Roundcube Mail Server, and Trend Micro PolicyServer—all being actively targeted or at high risk Key insights from the episode: Why CISA’s KEV catalog should be a top priority for every organization’s patch management strategy How vulnerabilities like CVE-2025-6543 can be weaponized in real-world attacks , and why even memory overflows in peripheral configurations matter Best practices for hardening Citrix NetScaler environments , including RBAC, TLS restrictions, session timeouts, and audit logging The strategic implications of APT groups abusing legitimate services like Google Drive and PrintDialog.exe to remain stealthy How organizations can shift from blocking to secure AI enablement , using real-time browser monitoring and open-source LLMs tuned for enterprise context The consequences of lagging on patches: RCE, privilege escalation, SQL injection, and OS command execution across enterprise infrastructure The episode also covers TWCERT/CC’s alerts on actively exploited vulnerabilities in ASUS routers, Acer software, Zyxel devices, and SAP systems—underscoring the truly global and cross-sector nature of the threat landscape. This episode is essential listening for security architects, IT managers, CISOs, and vulnerability management teams trying to cut through the noise and act on what truly matters. With mandated remediation deadlines (like July 21, 2025, for CVE-2025-6543) now baked into CISA advisories, the time to act is now.…
D
Daily Security Review
1 Cato Networks Secures $359M to Fuel AI-Powered SASE Expansion 17:12
17:12 Play Later Play Later Lists Like Liked17:12
Play Later Play Later Lists Like LikedCato Networks just raised $359 million in Series G funding , pushing its valuation past $4.8 billion and its total funding beyond the $1 billion mark—a milestone that cements its place as one of the most formidable players in the rapidly expanding Secure Access Service Edge (SASE) market. In this episode, we unpack what this massive investment means for the future of enterprise cybersecurity, AI integration, and network transformation. Founded in 2015, Cato has built a cloud-native platform that seamlessly unifies SD-WAN, security services, and a global private backbone across more than 85 Points of Presence. With over 3,500 customers already on board, Cato offers a tightly integrated, single-vendor solution that simplifies operations while delivering enterprise-grade security and network performance. This funding round is more than just a headline—it’s a validation of Cato’s unique vision in a market projected to exceed $28.5 billion by 2028 . We explore how Cato is using this capital to scale its AI-powered threat detection, expand its global infrastructure, and accelerate feature innovation across its SASE stack. Key topics covered: Why investors are pouring hundreds of millions into SASE—and why Cato is leading the pack The advantages of Cato’s single-vendor architecture vs. multi-vendor patchworks How Cato’s AI-driven engine enhances threat detection and incident response Enterprise customer success stories from Elkjøp, Häfele, Swissport, Carlsberg, and others The shift from legacy MPLS to Cato’s converged, cloud-native model—and the cost savings that come with it Cato’s performance advantages in global markets, including China The strategic importance of Zero Trust Network Access (ZTNA), XDR, and integrated CASB/DLP features A comparison of Cato with major competitors like Zscaler, Netskope, and Palo Alto Networks The operational simplicity enabled by “plug-and-play” Cato Sockets and a true single-pane-of-glass dashboard What this round means for Cato’s roadmap, customer reach, and long-term vision As enterprises face mounting pressure to secure increasingly complex hybrid and global infrastructures, Cato Networks is emerging as the go-to platform for organizations seeking agility, performance, and security—all in one place.…
D
Daily Security Review
1 Chrome’s Latest Zero-Day: CVE-2025-6554 and Remote Code Execution Risks 54:24
54:24 Play Later Play Later Lists Like Liked54:24
Play Later Play Later Lists Like LikedA new high-severity zero-day vulnerability in Google Chrome— CVE-2025-6554 —has sent shockwaves across the cybersecurity landscape. This episode dives into the technical details, real-world impact, and broader implications of this actively exploited flaw. Tracked as a type confusion bug in Chrome’s V8 JavaScript engine , the vulnerability allows attackers to remotely execute code by luring users to malicious HTML pages—a powerful vector for surveillance, espionage, or criminal exploitation. We break down the story behind the vulnerability, discovered by Google’s own Threat Analysis Group, and examine what it reveals about the state of browser security today. Chrome users across all platforms have been urged to update immediately to patched versions, as threat actors are already leveraging this exploit in the wild. In this episode, we cover: What CVE-2025-6554 is and how it works : A type confusion bug that opens the door to remote code execution via a malicious webpage. Why this matters : This is the fourth actively exploited Chrome vulnerability in 2025—part of a disturbing trend in targeted, zero-day browser attacks. The evolving threat landscape : Cybercriminals and state-sponsored actors alike are embracing ransomware-as-a-service , phishing campaigns, and social engineering to exploit browser flaws. The hidden complexity of browser security : IT teams face a logistical nightmare patching browsers across diverse devices, configurations, and hybrid work environments. Misconfigured browsers become open doors for attackers. Type confusion explained : We break down how dynamic typing in JavaScript can be manipulated to bypass security controls—and why it’s so dangerous. Enterprise implications : With over 2 billion users relying on Chrome, organizations must take proactive steps: patch promptly, configure securely, segment work and personal browsing, and monitor emerging threats. Remote Code Execution (RCE) : Why this class of vulnerabilities remains one of the most feared in cybersecurity, with the potential for full system compromise. We also explore best practices and future-forward strategies , including: Implementing Zero Trust policies Adopting AI-driven browser isolation and threat detection Using segmented browser profiles for corporate and personal use Educating users on phishing and social engineering tactics Investing in enterprise-grade secure browsing solutions Chrome’s latest zero-day is more than just a technical footnote—it’s a signal flare for the growing complexity and urgency of browser-based security. Whether you're a security architect, IT manager, or just trying to keep your organization protected in an increasingly dangerous web environment, this episode offers critical insights and actionable takeaways.…
D
Daily Security Review
1 Russia’s 16KB Curtain: Cloudflare Throttling and the Future of the RuNet 1:45:31
1:45:31 Play Later Play Later Lists Like Liked1:45:31
Play Later Play Later Lists Like LikedRussia has entered a new phase of digital authoritarianism. In a sweeping move, Russian Internet Service Providers (ISPs) have begun systematically throttling access to Cloudflare and other Western-backed services, including infrastructure giants Hetzner and DigitalOcean. This throttling is so severe that it restricts downloads to just 16 kilobytes per connection—effectively rendering affected websites unusable. It’s a chilling technical development dubbed the “16KB Curtain.” In this episode, we explore Russia’s strategic effort to isolate its internet from the global web—a campaign known as digital sovereignty. This isn’t just a geopolitical talking point. It’s an active campaign of infrastructure control, information censorship, and aggressive filtering. We examine: The mechanics of the 16KB throttle : How it works, what it breaks, and why it’s so effective. Cloudflare’s position : The company has confirmed it cannot mitigate the throttling—this is not a technical glitch, it’s a political weapon. The broader pattern : Throttling is only part of a sweeping campaign to restrict VPNs, disrupt anti-censorship tools like Psiphon, and elevate domestic tech over foreign services. But this isn't just about website access. It’s about the future of RuNet —a Russian internet fenced off from global influence. The Kremlin’s vision includes a national DNS system, deep packet inspection at scale, and mandates for domestic apps and cloud infrastructure. Yet, behind this ambition lies a critical weakness: Russia’s ongoing dependence on Western and Chinese technologies , from chips to software. We also unpack: The expansion of mobile internet blackouts across over 30 regions—even those far from conflict zones. The illusion of self-sufficiency : Despite homegrown efforts in CPUs and software, Russia still lacks foundational capabilities in 5G, storage, and OS development. Impact on Russian citizens and international companies : Users are increasingly isolated. Businesses are forced to exit or adapt to a tech landscape dictated by the state. In a world where censorship increasingly masquerades as cybersecurity, Russia is pioneering an extreme model of network control—one that may be replicated elsewhere. Whether you work in global IT infrastructure, cybersecurity, or international policy, this episode reveals the high-stakes intersection of technology, politics, and freedom of information .…
D
Daily Security Review
1 Ahold Delhaize Data Breach: 2.2 Million Employee Records Exposed 37:44
37:44 Play Later Play Later Lists Like Liked37:44
Play Later Play Later Lists Like LikedAhold Delhaize, one of the world’s largest food retailers, is now the subject of one of the most significant ransomware breaches in recent U.S. history. Affecting over 2.2 million current and former employees , this incident—claimed by the cybercrime group INC Ransom —highlights the rising threat posed by ransomware-as-a-service operations targeting enterprise systems across critical sectors. In this episode, we unpack the breach, its long-delayed public disclosure, and the sensitive data exposed—including Social Security numbers, financial accounts, health records, and employment data. While customer payment information appears unaffected, the breach underscores systemic vulnerabilities in enterprise cybersecurity, especially around internal systems and employee data. We also explore the evolving tactics of modern ransomware groups , such as: Double extortion : stealing and threatening to leak sensitive data in addition to encrypting systems Initial access via known vulnerabilities (e.g., Citrix NetScaler) and social engineering Skipping encryption altogether , focusing solely on pure extortion Targeting soft spots like IT help desks and internal apps, rather than traditional perimeter defenses INC Ransom, a relatively new but increasingly active ransomware group, has used these methods in over 250 attacks , including hits on government and healthcare systems. The Ahold Delhaize incident represents their largest breach by data volume to date. We also examine the legal and regulatory implications of the breach: Potential class action lawsuits for negligence and delayed notification Risks under HIPAA if health data is involved Compliance issues under state breach notification laws and privacy regulations Impacts of international frameworks like GDPR for global operations As ransomware attacks grow in scale and sophistication, this breach signals broader challenges for enterprise resilience. We'll discuss what went wrong, how businesses can prepare, and what steps every organization should consider now: Implementing Zero Trust architectures Strengthening employee training and phishing defenses Enhancing vendor and internal app security Regular resilience audits and incident response testing This episode is essential listening for CISOs, IT leaders, legal teams, and anyone involved in protecting sensitive data across large, distributed enterprises. The Ahold Delhaize breach isn’t just a warning—it’s a roadmap of how today’s attackers are bypassing yesterday’s defenses.…
D
Daily Security Review
1 Why Canada Banned Hikvision: National Security vs. Geopolitics 52:07
52:07 Play Later Play Later Lists Like Liked52:07
Play Later Play Later Lists Like LikedCanada has taken a definitive stance in the escalating global scrutiny of Chinese technology, ordering surveillance giant Hikvision to cease all operations within its borders. Citing national security concerns and acting on the advice of intelligence agencies, the Canadian government has banned the use of Hikvision products across its public sector, initiated reviews of existing installations, and aligned itself with a growing international movement to curtail the influence of Chinese state-linked tech. This podcast unpacks the details of Canada’s decision and places it within the broader geopolitical, regulatory, and cybersecurity context. Hikvision, already the subject of U.S. sanctions due to its alleged role in surveillance activities in China’s Xinjiang region, now finds itself at the center of a new wave of Western pushback. The ban raises serious questions about the intersection of security, foreign investment, human rights, and technology policy. In this episode, we explore: The Canadian government's justification for banning Hikvision, based on classified intelligence and national security assessments Hikvision's rebuttal and China’s diplomatic protest, framing the ban as a politically motivated and discriminatory act The growing body of restrictions against Chinese technology in the U.S., including NDAA §889, CFIUS interventions, and state-level bans Concerns over Hikvision’s alleged role in surveillance of Uyghur populations and its connection to broader human rights issues The tactics used by Chinese tech firms to circumvent restrictions, such as “white-labeling” of devices Key risks associated with Chinese-made surveillance equipment, including backdoors, weak encryption, and remote server control How Canada’s updated Investment Canada Act (ICA) is reshaping the foreign investment landscape with pre-closing reviews, enhanced penalties, and increased focus on SOEs The trend of “de-risking” versus “decoupling” from Chinese tech and what this means for Canada’s digital infrastructure strategy The geopolitical fallout of the ban, especially as it relates to Canada-China relations and ongoing concerns about cyberespionage campaigns targeting Canadian networks Strategic considerations for critical infrastructure, public procurement, and private sector organizations in response to the shifting regulatory terrain This episode is essential for anyone tracking global technology policy, cybersecurity, and national security in the digital age. As nations wrestle with balancing innovation, economic cooperation, and the imperative to secure their critical systems, Canada’s Hikvision ban signals a decisive step—and a broader trend of growing friction between Western democracies and Chinese state-linked technology providers.…
D
Daily Security Review
1 Scattered Spider Takes Flight: Inside the Cybercrime Group’s Move into Aviation 43:38
43:38 Play Later Play Later Lists Like Liked43:38
Play Later Play Later Lists Like LikedAs the aviation industry becomes more digitally interconnected, its exposure to sophisticated cyber threats continues to grow. One of the most dangerous actors in this space— Scattered Spider , a financially motivated and technically skilled cybercrime group—has recently shifted its focus to target the aviation sector. With recent incidents involving Hawaiian Airlines , WestJet , and others, global concern is rising over the safety of airline IT systems, vendor infrastructure, and the broader aviation supply chain. This episode unpacks how Scattered Spider operates, why the aviation industry is increasingly at risk, and what this means for cybersecurity readiness in one of the world’s most critical sectors. Known for its deep social engineering tactics , the group bypasses MFA, exploits IT help desks, abuses third-party vendor trust, and deploys ransomware in record time. As the FBI, CISA, and leading cybersecurity firms like Mandiant and Palo Alto Networks sound the alarm, airlines and their partners are being forced to rethink how they defend against these agile, persistent attackers. In this episode, we cover: The evolving cyber threat landscape facing the aviation industry A breakdown of Scattered Spider’s tactics, including phishing, SIM swapping, and help desk impersonation How the group maintains persistent access using federated identity and RMM tools Suspected links between Scattered Spider and recent incidents at Hawaiian Airlines and WestJet The aviation supply chain as a prime vulnerability—why low-scoring vendors pose high risks Why airlines face a 2.9x greater breach risk when they fall below an 'A' cybersecurity rating ICAO's cybersecurity strategy pillars and what global coordination could look like in practice CISA’s mitigation guidance: offline backups, phishing-resistant MFA, patching, and more The role of third-party risk management and “security by design” in preventing future breaches Why the FBI discourages ransom payments—and what alternatives exist This episode isn’t just a cautionary tale for airlines—it’s a wake-up call for any sector that relies on sprawling digital ecosystems and third-party providers. With Scattered Spider expanding its target footprint, now is the time for the aviation sector and its partners to elevate their defenses, harden human factors, and embrace a security culture built for the borderless age of cyberwarfare.…
D
Daily Security Review
1 Fortnite and the FTC: How Epic Games Misled Players into Unwanted Purchases 54:56
54:56 Play Later Play Later Lists Like Liked54:56
Play Later Play Later Lists Like LikedIn a landmark case that reshapes the conversation around digital ethics, the Federal Trade Commission’s $520 million settlement with Epic Games over its Fortnite monetization tactics highlights a critical issue facing the modern digital economy: the weaponization of interface design to manipulate users . Central to the case is the use of “dark patterns”—subtle yet deceptive design strategies intended to steer users, including children, into making unintended purchases. This episode dissects how Epic’s design choices—like omitting purchase confirmation screens and placing critical purchase functions adjacent to navigation buttons—led to millions in unauthorized transactions. We examine how these practices violated consumer trust and triggered a massive regulatory backlash, resulting in a historic payout, ongoing refund distributions, and industry-wide scrutiny of monetization practices. In this episode, we explore: The specifics of the FTC’s case against Epic Games and the broader legal context How interface design was manipulated to encourage accidental or unwanted in-game purchases The psychological mechanisms behind dark patterns and how they exploit user behavior Real-world consequences: unauthorized purchases by minors and account lockouts for users who disputed charges A breakdown of the refund process and what affected players can expect Common types of dark patterns—from roach motels and confirm shaming to hidden costs and privacy “zuckering” Why these tactics are so effective, and how they’ve quietly shaped modern digital platforms Regulatory response and future enforcement—how the FTC and other agencies are adapting What companies must do to comply with emerging standards around user consent and interface transparency The role of consumer awareness in pushing back against exploitative game design This case isn’t just about Fortnite—it’s a cautionary tale for the entire tech industry. As digital experiences become more immersive and monetization models more aggressive, the Epic Games settlement is a watershed moment in defining ethical boundaries for user interface design, especially when the audience includes minors. For developers, regulators, and consumers alike, this episode offers a timely, in-depth look at the shifting landscape of digital rights and design accountability.…
D
Daily Security Review
1 Microsoft 365 Direct Send Exploited: How Phishing Emails Masquerade as Internal Messages 41:44
41:44 Play Later Play Later Lists Like Liked41:44
Play Later Play Later Lists Like LikedPhishing has long been a favored weapon of cybercriminals, but a recent revelation about Microsoft 365’s Direct Send feature has elevated the threat to a new level— from inside the firewall . Designed for internal systems to send notifications without authentication, Direct Send can be abused by malicious actors to spoof emails that appear to originate from trusted internal sources. Without compromising a single user account, attackers can craft phishing messages that bypass standard defenses like DMARC and SPF, exploiting an organization’s own email infrastructure against it. In this episode, we dive deep into how this vulnerability is being exploited, why it remains a blind spot in many organizations’ security architectures, and how to effectively defend against it. Drawing on insights from security researchers and real-world abuse cases, we explore the technical mechanics and organizational gaps that make this attack vector so potent. What you’ll learn: How Microsoft 365’s Direct Send works—and why it lacks proper authentication controls The mechanics of the exploit: Using PowerShell and smart host predictability to impersonate internal users Why SPF, DKIM, and DMARC checks fail to stop these spoofed internal emails Header and behavioral indicators that reveal Direct Send abuse in action The critical role of DMARC policy enforcement (moving from monitoring to reject mode) Best practices to disable or restrict Direct Send usage without disrupting hybrid Exchange environments How attackers leverage trusted internal appearances to gain user trust and credentials Broader email security protocols—SPF, DKIM, and DMARC—and how they function together The importance of phishing-resistant MFA, continuous user training, and strong password policies How small and medium businesses can close these gaps even without large cybersecurity teams This case serves as a stark reminder: cybercriminals are constantly looking for ways to subvert legitimate features in everyday software. Without holistic security strategies, including behavioral analysis and protocol enforcement, even built-in functionality can become a backdoor for credential theft, malware deployment, and lateral movement within corporate networks.…
D
Daily Security Review
1 Open VSX Registry Flaw Exposes Millions of Developers to Supply Chain Risk 47:26
47:26 Play Later Play Later Lists Like Liked47:26
Play Later Play Later Lists Like LikedA critical flaw in the Open VSX Registry—an open-source alternative to the Visual Studio Code Marketplace—recently put over 8 million developers at risk of mass compromise. This vulnerability, discovered in the platform’s GitHub Actions workflow, exposed a super-admin publishing token that could have enabled malicious actors to overwrite or inject malware into any extension in the registry. Given the widespread use of Open VSX in platforms like Gitpod, Google Cloud Shell, and Cursor, the consequences could have been devastating. This episode explores the depths of this security lapse and the broader risks posed by extension marketplaces and IDE plugin ecosystems. Drawing parallels with SolarWinds and other landmark supply chain attacks, we examine how trusted development tools can become covert delivery mechanisms for sophisticated intrusions. You'll learn: How GitHub workflow misconfigurations enabled access to a powerful OVSX_PAT token What could’ve happened: full control over extensions, silent malware injection, and compromised developer machines Why IDE plugins are now a preferred attack vector for adversaries, and how they bypass traditional defenses Common methods of plugin compromise, from trojanized forks to dependency confusion and hijacked update mechanisms Why MITRE added “IDE Extensions” as a formal attack technique in its ATT&CK framework in 2025 Best practices for marketplace providers—like sandbox testing, verified publishers, and extension signature verification What developers and enterprises can do to defend: plugin audits, runtime permission monitoring, and network segmentation Why software supply chain trust must shift toward Zero Trust principles for IDEs and extension ecosystems As the developer environment becomes a frontline target, this case underscores the urgency of treating every plugin, dependency, and update path as a potential threat vector. The patch may have arrived in time—but the lessons remain vital for every organization that relies on open developer tooling.…
D
Daily Security Review
1 CitrixBleed 2: Critical NetScaler Vulnerability Enables Session Hijacking and MFA Bypass 18:41
18:41 Play Later Play Later Lists Like Liked18:41
Play Later Play Later Lists Like LikedA new critical vulnerability in Citrix NetScaler ADC and Gateway systems, dubbed CitrixBleed 2 (CVE-2025-5777), has emerged as a serious threat to remote access infrastructure. This memory exposure flaw allows unauthenticated attackers to extract session tokens directly from device memory — enabling session hijacking and even bypassing multi-factor authentication (MFA). With early evidence of exploitation in the wild and eerie similarities to the original CitrixBleed (CVE-2023-4966), the risk to enterprise environments is substantial. The vulnerability is caused by insufficient input validation, leading to out-of-bounds memory reads when NetScaler is configured as a Gateway or AAA virtual server. Once session tokens are exfiltrated, attackers can impersonate legitimate users and gain persistent access — often without triggering alerts or violating login controls. Cybersecurity researchers, including ReliaQuest, assess with medium confidence that active exploitation is underway. This episode breaks down the mechanics of CitrixBleed 2 and explores how it fits into the broader landscape of session hijacking threats and identity-centric attacks. Topics include: How CVE-2025-5777 enables unauthorized access via session token exposure Technical comparisons with the original CitrixBleed vulnerability Session hijacking techniques at both network and application levels, including TCP desynchronization and token theft The second NetScaler vulnerability disclosed (CVE-2025-6543) and its denial-of-service impact Mitigation steps, including patching to versions 14.1-43.56, 13.1-58.32, or 13.1-37.235 Defense-in-depth recommendations, including phishing-resistant MFA, endpoint detection and response (EDR), and token revocation protocols Incident and vulnerability response strategies aligned with CISA playbooks CitrixBleed 2 is more than a software bug — it’s a gateway for attackers to silently bypass identity safeguards and establish footholds in enterprise networks. Rapid patching is essential, but long-term protection depends on layered controls, resilient MFA design, and disciplined incident response planning.…
D
Daily Security Review
1 OneClik Cyberattack Campaign Targets Energy Sector Using Microsoft ClickOnce and AWS 1:18:25
1:18:25 Play Later Play Later Lists Like Liked1:18:25
Play Later Play Later Lists Like LikedA sophisticated cyber-espionage campaign named OneClik is actively targeting energy, oil, and gas organizations using a combination of legitimate cloud infrastructure and novel attack techniques. The campaign, attributed to an unknown but likely state-affiliated actor, leverages Microsoft's ClickOnce deployment technology to deliver custom Golang-based malware known as RunnerBeacon . The use of AWS APIs for command-and-control (C2) communications allows OneClik to operate within trusted cloud environments, making detection by traditional tools extremely difficult. The campaign reflects broader trends in critical infrastructure cyber threats — particularly the abuse of legitimate services to “live off the land” and the use of advanced anti-analysis techniques to avoid detection. RunnerBeacon exhibits environment-aware behavior, anti-debugging checks, and is compiled in Golang to evade traditional antivirus scanning. While attribution remains inconclusive, indicators suggest a potential link to China-affiliated actors. This episode explores how OneClik fits into the evolving threat landscape and what defenders should know: How Microsoft’s ClickOnce technology is abused in phishing emails for stealthy malware deployment The use of AWS cloud services as a trusted C2 infrastructure to bypass detection RunnerBeacon’s anti-debugging and sandbox-evasion mechanisms, including RAM and domain checks The targeting of nuclear and energy facilities as part of broader geopolitical cyber pressure Recent ransomware trends in the energy sector, with attacks up 80% year-over-year The rise of Golang malware in cyber campaigns and its impact on defensive tooling The critical importance of supply chain and credential monitoring in energy networks OneClik underscores a modern cyber warfare model: sophisticated, cloud-native, and evasive. As threat actors move deeper into the supply chains and IT layers of critical infrastructure, defenders must evolve beyond perimeter controls to emphasize behavioral detection, threat attribution, and real-time intelligence. For cybersecurity leaders in energy and utilities, understanding this campaign is essential to preparing for what comes next.…
D
Daily Security Review
1 Central Kentucky Radiology’s 2024 Data Breach Affects 167,000 51:40
51:40 Play Later Play Later Lists Like Liked51:40
Play Later Play Later Lists Like LikedIn October 2024, Central Kentucky Radiology (CKR), a Lexington-based imaging provider, became the latest victim of a growing trend in healthcare cyberattacks. An unauthorized actor accessed CKR’s systems over a two-day period, compromising sensitive data for approximately 167,000 individuals. The stolen information includes names, Social Security numbers, birth dates, addresses, insurance details, and medical service records — a deeply invasive breach, though no fraud has yet been confirmed. While the nature of the attack has not been publicly confirmed, the system disruption and timing strongly suggest a ransomware event — part of a broader wave of escalating cyber threats against the healthcare sector. The breach wasn’t fully investigated and confirmed until May 2025, with notification letters mailed out to affected individuals in June. CKR is now offering 12 months of complimentary credit monitoring and guidance on identity theft protection, though many patients are left questioning how such a critical breach went undetected for months. In this episode, we examine the CKR breach in the wider context of the healthcare cybersecurity crisis. Topics include: The data compromised in the CKR incident and how it may be exploited The suspected role of ransomware and why healthcare is a top target Systemic vulnerabilities across the sector: outdated software, misconfigured devices, and staffing shortages The financial, operational, and reputational consequences of a breach, including regulatory exposure Actions affected individuals should take immediately — from freezing credit to enabling two-factor authentication How healthcare organizations can improve defenses, including IoT segmentation, EDR deployment, secure cloud storage, and patch management Broader lessons from this incident that apply across all healthcare systems, regardless of size CKR’s experience is a reminder that even small-to-midsize medical providers must adopt enterprise-grade cybersecurity practices. As patient data becomes more valuable — and cybercriminal tactics grow more sophisticated — the margin for error is disappearing.…
D
Daily Security Review
1 Bonfy.AI Launches $9.5M Adaptive Content Security Platform to Govern AI and Human Data 1:09:30
1:09:30 Play Later Play Later Lists Like Liked1:09:30
Play Later Play Later Lists Like LikedIn a major development at the intersection of cybersecurity and AI governance, Israeli startup Bonfy.AI has officially launched its adaptive content security platform, backed by $9.5 million in seed funding. The company’s mission is bold and timely: to secure content generated by both humans and AI across modern SaaS ecosystems — including high-risk environments like Slack, Salesforce, and AI chatbots such as ChatGPT. As organizations increasingly rely on generative AI tools for productivity and automation, the risks to data privacy, intellectual property, and regulatory compliance have grown sharply. Bonfy.AI’s platform addresses these issues head-on. Unlike traditional DLP (Data Loss Prevention) tools, Bonfy.AI uses self-learning algorithms and contextual analysis to detect and mitigate risks in unstructured content without relying on pre-labeled data or signature-based detection. It analyzes content in real time, flags violations of security policy, and integrates with incident response platforms to provide dynamic remediation — making it a foundational component for enterprises adopting AI tools at scale. This episode dives into: How Bonfy.AI uses business logic and AI to detect risks across human and GenAI-generated content The platform’s capabilities in monitoring outputs from tools like ChatGPT, Copilot, and SaaS platforms The legal and operational risks posed by AI tools, including IP leakage, privacy breaches, and regulatory non-compliance The shift from static, rules-based security to adaptive content controls based on context and behavior Use cases including email content review, IP enforcement, and pre-send filters for confidential material Bonfy.AI’s positioning within a rapidly growing landscape of AI governance tools and global regulatory frameworks With AI-generated content now permeating enterprise workflows, Bonfy.AI offers a much-needed architecture for managing emerging risks without compromising innovation. The platform’s launch signals a broader shift toward adaptive, AI-native security solutions that move beyond outdated DLP models to confront the real threats facing modern organizations.…
D
Daily Security Review
1 Zero-Day Level Cisco ISE Flaws: Urgent Patch Required for Enterprise Security 54:30
54:30 Play Later Play Later Lists Like Liked54:30
Play Later Play Later Lists Like LikedCisco has disclosed two critical security vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) products, both earning a maximum CVSS severity score of 10.0. These flaws—CVE-2025-20281 and CVE-2025-20282—allow unauthenticated remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The vulnerabilities are unrelated but equally severe, highlighting urgent concerns for organizations relying on Cisco ISE for network access control and identity policy enforcement. CVE-2025-20281 is caused by insufficient input validation in a public-facing API, while CVE-2025-20282 stems from improper file validation that allows malicious file uploads and execution. Cisco has issued patches for both flaws and urges immediate action. Although no public exploits have been reported, the nature of these vulnerabilities makes them highly attractive targets for threat actors seeking initial access, privilege escalation, or lateral movement within enterprise environments. In this episode, we break down the details of these critical flaws, including: How CVE-2025-20281 and CVE-2025-20282 work and what distinguishes them Which software versions are affected and what patches are available The risks associated with remote code execution, including system compromise, data theft, cryptojacking, and ransomware deployment The patching process for Cisco ISE and how organizations can verify successful installation Broader RCE mitigation strategies including input validation, network segmentation, and zero-trust architecture These vulnerabilities underscore the critical importance of timely patching and rigorous software lifecycle management. Cisco’s advisory offers clear instructions, but given the risk profile, security teams should treat remediation as an emergency priority. Even in the absence of confirmed exploitation, the potential impact is equivalent to a full system compromise. For enterprise security professionals, network architects, and incident response teams, this episode delivers actionable intelligence on the nature of the flaws, mitigation pathways, and why RCE in network infrastructure should never be underestimated.…
D
Daily Security Review
1 U.S. Government Pushes Back on Meta: WhatsApp Labeled a High-Risk App 45:38
45:38 Play Later Play Later Lists Like Liked45:38
Play Later Play Later Lists Like LikedThe U.S. House of Representatives has officially banned the use of WhatsApp on all House-managed devices, citing significant data security risks. This move places WhatsApp alongside other restricted applications like TikTok, ChatGPT, and Microsoft Copilot, reflecting an intensifying government focus on digital security and the reliability of consumer platforms used in official contexts. The House Chief Administrative Officer (CAO) raised several concerns: the lack of transparency in WhatsApp's data protection practices, the absence of stored data encryption, and potential vulnerabilities—particularly in light of a recent spyware attack exploiting a WhatsApp vulnerability. The CAO has instead recommended using alternatives such as Microsoft Teams, Signal, and Wickr. Meta, WhatsApp's parent company, has sharply pushed back against the decision, asserting that WhatsApp provides industry-leading end-to-end encryption by default—security that many of the approved alternatives do not offer. The company also highlighted its swift action against the Paragon Graphite spyware campaign, which exploited a zero-click vulnerability to target civil society members and journalists. Meta blocked the campaign, alerted affected users, and is pursuing legal action. At the center of this debate are critical questions about how communication platforms should be evaluated for government use, and whether default encryption alone is sufficient when transparency and incident history are also factored into risk assessments. In this episode, we explore: The specific reasons behind the House ban and how it aligns with broader tech restrictions Meta’s defense of WhatsApp’s security model, including its encryption and incident response protocols The implications of the Graphite spyware attack and Meta’s response The contrast between public perception and institutional cybersecurity standards What this move signals for future tech scrutiny in U.S. government operations This discussion goes beyond WhatsApp. It’s about how governments assess the balance between usability, encryption, transparency, and risk in digital tools—and what the growing list of banned apps reveals about shifting cybersecurity priorities.…
D
Daily Security Review
1 How Cyberattacks on Mainline Health and Select Medical Exposed Over 200,000 Patients 45:10
45:10 Play Later Play Later Lists Like Liked45:10
Play Later Play Later Lists Like LikedThe healthcare industry is facing a relentless wave of cyber threats, as demonstrated by two recent breaches impacting Mainline Health Systems and Select Medical Holdings. In April 2024, Mainline Health experienced a direct ransomware attack by the Inc Ransom group, compromising sensitive data for over 101,000 individuals. Select Medical’s breach, in contrast, occurred through a third-party vendor—Nationwide Recovery Services—exposing records of nearly 120,000 patients. These incidents illustrate the growing vulnerability of healthcare organizations, whether from direct attacks or through weaknesses in their extended vendor networks. As healthcare organizations digitize records, adopt connected medical devices, and rely on cloud services and third-party vendors, the risk landscape grows more complex. Ransomware, hacking, and third-party vendor compromises are now the leading causes of healthcare data breaches—often with serious implications for patient care, financial stability, and organizational reputation. In this episode, we examine: How the Inc Ransom group operates, and why healthcare is a prime target The increasing financial and operational impact of ransomware and third-party breaches Common attack vectors including hacking, phishing, and supply chain vulnerabilities Why third-party risk management is becoming a critical element of healthcare cybersecurity The direct impacts of breaches on patient safety, care delivery, and mortality rates Recommended mitigation strategies, from multi-factor authentication and privileged access management to continuous monitoring of vendor ecosystems The role of national cybersecurity frameworks, HHS initiatives, and information sharing platforms in building sector resilience These recent breaches serve as a wake-up call: healthcare cybersecurity can no longer be reactive or siloed. A comprehensive approach—addressing both internal defenses and third-party risks—is essential to protect sensitive patient data and maintain uninterrupted care.…
D
Daily Security Review
1 The Siemens-Microsoft Antivirus Dilemma Threatening OT Security 1:23:55
1:23:55 Play Later Play Later Lists Like Liked1:23:55
Play Later Play Later Lists Like LikedThis episode examines a serious conflict between Siemens’ Simatic PCS industrial control systems and Microsoft Defender Antivirus. The absence of an "alert only" mode in Defender has created a significant operational risk for plants running Siemens’ systems. Without this functionality, operators must choose between ignoring potential malware detections—remaining unaware of infections—or allowing Defender to quarantine or delete critical files, potentially destabilizing control processes or halting operations entirely. Siemens is actively working with Microsoft to resolve the issue. Until a fix is available, Siemens advises customers to perform risk assessments and carefully configure Defender to minimize the risk of unplanned outages. The incident underscores broader challenges in applying IT security tools within OT environments, where uptime and system availability are paramount. The episode explores key elements of industrial cybersecurity in this context, including: The role of system hardening and reducing attack surfaces Implementing role-based access and password policies Using network segmentation to limit the impact of intrusions Adapting malware protection strategies for OT systems Managing updates through controlled patching processes Building effective incident response capabilities This ongoing conflict between antivirus behavior and operational reliability highlights the complex balancing act required to secure ICS/OT systems. The episode draws from Siemens’ recommendations, industry best practices, and current threat intelligence to provide clear, actionable insights for professionals responsible for securing critical infrastructure.…
D
Daily Security Review
1 Prometei Botnet’s Global Surge: A Threat to Linux and Windows Systems Alike 41:20
41:20 Play Later Play Later Lists Like Liked41:20
Play Later Play Later Lists Like LikedPrometei is one of the most persistent and sophisticated botnet threats in circulation today. First identified in 2020—and active since at least 2016—this modular malware continues to evolve rapidly, targeting both Windows and Linux systems across the globe. Originally designed for cryptocurrency mining, Prometei has expanded its capabilities to include credential theft, lateral movement, command execution, and stealthy persistence, making it an adaptable and resilient threat for enterprise environments. In this episode, we examine the latest developments in Prometei’s operations. Recent updates to the malware include a fully integrated backdoor, self-updating features, dynamic domain generation for command-and-control, and a wide range of evasion techniques to bypass detection. The botnet’s architecture allows operators to deploy new modules at will, giving Prometei flexibility typically seen in nation-state campaigns, though researchers currently attribute its activity to a financially motivated Russian cybercriminal group. Prometei’s modules enable it to: Mine Monero cryptocurrency using compromised CPU and GPU resources Steal user credentials from memory and the registry Move laterally using exploits like EternalBlue, brute-force attacks, and SMB-based credential reuse Maintain persistence through cron jobs, custom services, and scheduled tasks Communicate over Tor and I2P networks and use domain generation algorithms for resilient C2 communication Deploy web shells and covert Apache services on compromised hosts Evade static and dynamic analysis through packing and obfuscation techniques With more than 10,000 infections observed worldwide since late 2022—and an expanding geographic footprint—Prometei demonstrates how financially driven threat actors are leveraging advanced techniques to maximize profits while evading security defenses. The malware’s continual adaptation makes detection and mitigation a challenge, even for well-defended networks. This episode offers a deep dive into Prometei’s architecture, capabilities, and evolution. It also covers detection strategies, effective mitigation techniques, and how organizations can strengthen defenses against similar modular threats. For cybersecurity practitioners, threat hunters, and SOC teams, understanding Prometei is essential to improving resilience in today’s threat landscape.…
D
Daily Security Review
1 Patient Trust on the Line: The Fallout from McLaren Health Care’s 2024 Breach 44:50
44:50 Play Later Play Later Lists Like Liked44:50
Play Later Play Later Lists Like LikedIn this episode, we dive into the 2024 McLaren Health Care data breach that compromised the sensitive information of over 743,000 individuals—just one year after a similar ransomware attack impacted 2.2 million. We’ll unpack the timeline of the attack: how cybercriminals gained unauthorized access between July 17 and August 3, exploiting vulnerabilities in McLaren’s network to steal personally identifiable information (PII) and protected health information (PHI)—including Social Security numbers and medical records. But this is about more than one hospital system. We’ll explore why the healthcare sector has become a prime target for ransomware: a dangerous blend of valuable data, critical infrastructure, underfunded IT security, and human factors. You'll hear why hospitals are often willing to pay ransoms to keep life-saving services online, and how this creates a vicious cycle for attackers to exploit. We’ll also cover broader insights from EU and US sources, including: The prevalence of ransomware in healthcare — 54% of all attacks in recent years The systemic vulnerabilities — from outdated IT and legacy systems to insufficient staff training and third-party risks The impact on patient trust and care delivery — including delayed treatments and fear around sharing health details Why robust cybersecurity measures, Zero Trust Architecture, and regular employee training are critical mitigation strategies Finally, we’ll discuss what patients can do if their data is compromised — from understanding credit monitoring’s limits to knowing their legal rights and potential for class action. Whether you're in healthcare, cybersecurity, or simply concerned about data privacy, this episode offers a timely look at how ransomware is reshaping the healthcare landscape—and what must be done to fight back.…
D
Daily Security Review
1 NeuralTrust’s Echo Chamber: The AI Jailbreak That Slipped Through the Cracks 56:30
56:30 Play Later Play Later Lists Like Liked56:30
Play Later Play Later Lists Like LikedThis podcast dives deep into one of the most pressing vulnerabilities in modern AI — the rise of sophisticated "jailbreaking" attacks against large language models (LLMs). Our discussion unpacks a critical briefing on the evolving landscape of these attacks, with a spotlight on the novel “Echo Chamber” technique discovered by NeuralTrust. Echo Chamber weaponizes context poisoning, indirect prompts, and multi-turn manipulation to subtly erode an LLM's safety protocols. By embedding "steering seeds" — harmless-looking hints — into acceptable queries, attackers can build a poisoned conversational context that progressively nudges the model toward generating harmful outputs. We'll explore how this method leverages the LLM’s "Adaptive Chameleon" nature, a tendency to internalize and adapt to external inputs even when they conflict with training, and how the infamous "Waluigi Effect" makes helpful, honest models more vulnerable to adversarial behavior. Listeners will gain insight into: The lifecycle of an Echo Chamber attack and its alarming success rates (90%+ for hate speech, violence, and explicit content). Emerging multi-turn techniques like Crescendo and Many-Shot jailbreaks. The growing arsenal of attacks — from prompt injection to model poisoning and multilingual exploits. The race to develop robust defenses: prompt-level, model-level, multi-agent, and dynamic context-aware strategies. Why evaluating AI safety remains a moving target, complicated by a lack of standards and the ethical challenges of releasing benchmarks. Join us as we dissect the key vulnerabilities exposed by this new wave of AI jailbreaking and what the community must do next to stay ahead in this ongoing arms race.…
D
Daily Security Review
1 AT&T, Verizon, and Beyond: How Salt Typhoon Targets Global Telcos 44:06
44:06 Play Later Play Later Lists Like Liked44:06
Play Later Play Later Lists Like LikedIn this episode, we dive deep into the alarming revelations about Salt Typhoon—a Chinese state-sponsored advanced persistent threat (APT) actor, also known as RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286. Backed by China’s Ministry of State Security (MSS), this group has been running extensive cyber espionage operations since at least 2023, with a focus on telecommunication giants, government agencies, technology firms, and academic institutions around the world. We’ll unpack how Salt Typhoon leveraged critical vulnerabilities, like CVE-2023-20198, and custom malware such as GhostSpider and Demodex, to gain deep, persistent access to telecom infrastructure in the U.S., Canada, and dozens of other nations. Despite being publicly exposed, sanctioned, and highly scrutinized, this APT remains entrenched in networks due to the fragmented, legacy-heavy state of telecom systems. The discussion will cover: ✅ The strategic objectives of Salt Typhoon—ranging from intelligence collection on political figures to geolocation tracking around Washington, D.C. ✅ The scope of compromise, with intrusions affecting major telecoms like AT&T, Verizon, T-Mobile, and Canadian infrastructure—earning the label from Sen. Mark Warner as “the most serious telecom hack in our nation’s history.” ✅ The tactics and techniques that enable persistence—GRE tunnels, credential theft, lateral movement, and stealthy malware designed to evade detection across LTE/5G networks. ✅ The challenges of defense—why eradicating Salt Typhoon is nearly impossible in an industry described as a “Frankenstein’s monster” of outdated and incompatible technologies. ✅ What can be done—improving network visibility, hardening systems, fostering intelligence sharing, and why “secure by design” is more critical than ever. Finally, we’ll examine what this ongoing cyber espionage campaign means for national security, individual privacy, and the future of global communications infrastructure—as the FBI calls for public help to fully map the scope of this unprecedented threat.…
D
Daily Security Review
1 Fake Microsoft, Netflix, & Apple Support: The Scam Lurking in Google Search 32:40
32:40 Play Later Play Later Lists Like Liked32:40
Play Later Play Later Lists Like LikedIn this eye-opening episode, we break down a sophisticated new trend in tech support scams (TSS) that’s catching even the most cautious users off guard. Scammers are now hijacking Google Ads and manipulating search results to funnel users—who are simply looking for help—to malicious phone numbers injected directly into legitimate websites like Apple, Microsoft, Netflix, and major banks. Clicking on what appears to be an official Google Ad can land you on a real brand page — but with a fake tech support number secretly inserted into the URL path or internal search results. We’ll dive into: How scammers use Google Ads as a primary conduit for distributing rogue tech support ads. The alarming tactic of injecting fraudulent phone numbers into real company websites. Why even Fortune 500 companies are vulnerable to these attacks — with 86% of the top 50 companies affected. The shift from “aggressive” pop-up-based scams to “passive” professional-looking scam pages that evade detection for longer. How black hat SEO and support domains are driving long-lived scam infrastructure. The persistent financial motivation behind these scams — and why many victims end up giving remote access to their devices or sharing sensitive banking details. We’ll also cover what law enforcement and cybersecurity experts are doing to counter this new wave of scams, why detection remains so challenging, and practical tips that users and defenders can take to protect themselves. If you’ve ever searched for tech support online — or know someone who has — this is an episode you won’t want to miss.…
D
Daily Security Review
1 From Malware to Court: Qilin Ransomware’s ‘Call a Lawyer’ Tactic 43:58
43:58 Play Later Play Later Lists Like Liked43:58
Play Later Play Later Lists Like LikedIn this episode, we take a deep dive into the Qilin ransomware group — now regarded as the world’s leading ransomware-as-a-service (RaaS) operation — and explore how it’s reshaping the cybercrime landscape in 2025. Qilin, also known as Agenda, burst onto the scene in 2022 with a Go-based ransomware. It has since evolved into a highly evasive Rust-based malware platform targeting both Windows and Linux environments, including critical VMware ESXi servers. The group uses aggressive double extortion tactics — encrypting data while also threatening public exposure of stolen information — with ransom demands ranging from $50,000 to $800,000. But what truly sets Qilin apart is its transformation into a full-service cybercrime platform, offering affiliates advanced tooling, data storage, spam and DDoS services, and — most controversially — a “Call Lawyer” feature designed to pressure victims with legal consultation during ransom negotiations. While some experts dismiss this legal counsel angle as a mere recruitment stunt, it has proven effective in unnerving corporate victims, especially in sectors like healthcare, manufacturing, and energy. In 2024 alone, Qilin has amassed over $50 million in ransom payments from more than 60 attacks, shifting its targeting to critical infrastructure and operational technology companies worldwide. The group's high-profile assaults — such as the $50 million ransom attack on Synnovis, a major UK healthcare provider — have caused severe disruptions, even impacting critical patient care. We’ll unpack: Qilin’s evolution from a simple RaaS to a global cybercrime platform The unique legal pressure tactic and why it’s alarming defenders How Qilin’s affiliates, including groups like Scattered Spider, are exploiting the platform The malware’s sophisticated TTPs mapped to MITRE ATT&CK The shift toward targeting healthcare and critical OT systems Key defense and mitigation strategies organizations must adopt to combat this growing threat If you want to understand how ransomware has morphed into a professionalized business model — and what comes next — don’t miss this episode.…
D
Daily Security Review
1 Zero-Click, Zero-Warning: The FreeType Flaw Behind a Spyware Surge 57:15
57:15 Play Later Play Later Lists Like Liked57:15
Play Later Play Later Lists Like LikedIn this episode, we dive deep into the story behind CVE-2025-27363, a critical zero-click vulnerability in the widely used FreeType font rendering library. Initially discovered by Facebook’s security team and patched by Google in May 2025, this flaw allowed attackers to execute arbitrary code on Android devices—without any user interaction—by exploiting how FreeType parsed certain font structures. This seemingly obscure bug became a key attack vector for Paragon Solutions’ "Graphite" spyware, an Israeli-made surveillance tool capable of taking near-total control of compromised smartphones. Through forensic analysis, it was revealed that Paragon’s spyware leveraged CVE-2025-27363 to infect targets via WhatsApp: malicious PDF files sent through groups triggered the vulnerability, which then deployed Graphite and escaped Android’s sandbox protections. The spyware could then exfiltrate encrypted chats, enable microphones and cameras, and track real-time GPS—without the user’s knowledge. Our discussion also explores: The technical nuances of the vulnerability—how a signed/unsigned integer mismatch led to a dangerous heap overflow. The patching timeline, and Google’s move toward replacing FreeType with the safer Rust-based Skrifa library. How governments in countries like Australia, Canada, Italy, and Israel are suspected of deploying this spyware. The role of The Citizen Lab in uncovering evidence of targeted attacks against journalists, activists, and civil society members—despite Paragon’s public claims of safeguarding human rights. Practical advice for detecting spyware infections and why hybrid detection strategies offer the best protection. Finally, we examine the broader implications for software supply chains, surveillance ethics, and why even basic libraries like font parsers must be designed with security in mind. Tune in for an eye-opening look at how a small coding bug cascaded into a global espionage tool.…
D
Daily Security Review
1 The Insurance Industry Under Fire: Anatomy of the Aflac Cyber Incident 53:58
53:58 Play Later Play Later Lists Like Liked53:58
Play Later Play Later Lists Like LikedIn this episode, we take a deep dive into the June 2025 cyberattack on Aflac, one of the latest strikes in a growing wave of sophisticated, AI-driven cyber campaigns targeting the insurance industry. On June 12, Aflac detected suspicious activity within its U.S. network—a breach attributed to a highly organized cybercrime group and part of a larger pattern of targeted attacks against financial and insurance providers. Our discussion goes beyond Aflac’s rapid response to explore the broader cybersecurity landscape of 2024-2025: a time marked by an explosion in third-party supply chain vulnerabilities, the resurgence of ransomware, and the growing use of AI-powered phishing and polymorphic malware. We examine how ransomware payloads are evolving to evade detection, why SMBs and mid-market firms are increasingly in the crosshairs, and how credential theft and sophisticated phishing are driving the majority of breaches. We also break down: How real-world cases like Marks & Spencer, Victoria’s Secret, and UNFI show the cascading impacts of third-party risks. The strategic importance of Zero Trust and proactive supply chain management. What companies can learn from the Aflac incident about preparing for coordinated industry-specific campaigns. Practical steps organizations can take today—layered defenses, threat monitoring, employee training, and incident response planning—to build resilience in this new threat environment. If you want to understand the tactics modern attackers are using—and what your organization can do about it—don’t miss this episode.…
D
Daily Security Review
1 The Nucor Cyberattack: How Ransomware Threatens American Steel 58:40
58:40 Play Later Play Later Lists Like Liked58:40
Play Later Play Later Lists Like LikedIn May 2025, a ransomware attack forced Nucor — one of America’s largest steel producers — to halt its metal production operations. This wasn’t just a corporate IT incident: it disrupted a critical link in the nation’s industrial supply chain. In this episode, we take an in-depth look at the Nucor attack: how cybercriminals targeted operational technology (OT) systems, why manufacturers like Nucor are becoming prime ransomware targets, and what this means for national security. We analyze the escalating tactics of ransomware groups, including sophisticated loader chains, abuse of legitimate tools, and emerging delivery methods that can take down even hardened industrial environments. We also examine why the attack on Nucor marks a new chapter in the ransomware threat landscape — one where physical production and critical infrastructure are increasingly at risk. Most importantly, we discuss how organizations can defend against these evolving threats: leveraging the NIST Cybersecurity Framework, adopting proactive detection and incident response strategies, and addressing growing vulnerabilities in the cyber supply chain. If Nucor’s shutdown taught us anything, it’s that no manufacturer can afford to ignore the ransomware threat. Tune in to learn what your organization can do to prepare.…
D
Daily Security Review
1 Inside the $225M Crypto Seizure: How Law Enforcement Traced Illicit Funds Across Borders 1:01:32
1:01:32 Play Later Play Later Lists Like Liked1:01:32
Play Later Play Later Lists Like LikedA staggering $225 million in illicit cryptocurrency was recently seized by U.S. authorities in what has become the largest digital asset recovery in Secret Service history. This episode unpacks the mechanics, methods, and forensics that made this possible—and how a sprawling network of scams, labor compounds, and fake identities in Southeast Asia unraveled under blockchain scrutiny. We explore how cryptocurrency is being used in modern money laundering operations—from intermediary wallet “hops” and high-frequency rounded transactions, to tumblers like WasabiWallet and Tornado Cash, and privacy coins like Monero. You'll hear how these laundering methods are structured, and why they’re no longer enough to stay hidden. We also break down how U.S. and international regulators are leveraging blockchain transparency, stablecoin issuer cooperation, and advanced forensic tools to trace and freeze funds. From court orders served via NFT, to mandatory injunctions forcing smart contract code edits, enforcement is evolving—and fast. Finally, we discuss tax implications, cost basis methods, and upcoming IRS rules that will redefine crypto accounting in 2025. Whether you’re in compliance, enforcement, or just trying to understand how illicit actors move money through crypto, this episode offers a detailed look into the shifting balance of power between criminals and regulators in the digital asset space.…
D
Daily Security Review
1 Inside CVE-2025-23121: Veeam RCE Flaw Opens Door to Ransomware 47:43
47:43 Play Later Play Later Lists Like Liked47:43
Play Later Play Later Lists Like LikedRansomware groups are no longer just encrypting data — they're going straight for the backups. And if those backups aren’t properly protected, recovery becomes impossible, and ransom payouts more likely. In this episode, we dive deep into how threat actors are exploiting critical vulnerabilities in widely used backup systems, focusing on the recently disclosed CVEs affecting Veeam Backup & Replication. We explore CVE-2025-23121 , a critical remote code execution flaw already being weaponized in the wild, and CVE-2025-24287 , a privilege escalation vulnerability that opens the door for deeper compromise. These aren't theoretical risks — these are the exact tactics used by ransomware groups like Cuba and FIN7 to dismantle organizations’ last lines of defense. The discussion goes further into why backup hardening isn't optional anymore. We break down what it means to implement the 3-2-1-1-0 backup strategy effectively and why immutability, offsite storage, and automated testing are the bare minimum for survival. You’ll also hear hardening best practices — directly from real-world sysadmins — including isolating Veeam servers from the domain, restricting access with the principle of least privilege, and enforcing MFA. But protection doesn’t end at backups. We unpack broader ransomware defense strategies: network segmentation, browser isolation, file integrity monitoring , and behavioral logging through SIEM and EDR platforms. Learn how honey files , malware detonation environments , and strict firewall rules are helping defenders detect and contain attacks before they spread. This isn’t about theory. This is about what ransomware operators are doing right now — and what it takes to stop them. If you’re running backups without verification, hosting Veeam on a multi-role domain-joined server, or delaying critical patches, this episode is your wake-up call.…
D
Daily Security Review
1 Fasana’s Collapse: How One Ransomware Attack Crippled a German Manufacturer 41:37
41:37 Play Later Play Later Lists Like Liked41:37
Play Later Play Later Lists Like LikedRansomware just bankrupted a 100-year-old manufacturer—and the world should take notice. In this episode, we dissect the cyberattack that brought down Fasana , a German paper napkin producer, and pushed it into insolvency. On May 19, 2025, employees arrived to find printers ejecting extortion notes. By the end of the week, systems were paralyzed, €250,000 in daily orders went unprocessed, and the company hemorrhaged €2 million in under 14 days. Fasana couldn’t pay salaries, couldn’t ship products, and now has just eight weeks to find a buyer or shut down for good. We explore how this happened—and why it could happen to almost any manufacturing company operating today. This isn’t just a story of one company—it’s a cautionary tale about the growing frequency and impact of ransomware , especially in industries where IT and OT environments are merging . From indirect attacks on connected IT systems to direct strikes against operational machinery, manufacturers are being hit hard. In 2023 alone, over 500 physical sites were disrupted by cyberattacks—more than half in manufacturing. We examine how ransomware exploits vulnerable systems like ERP platforms, SCADA controls, and HMIs—and why systems without clear IT/OT segmentation are now high-risk. Then, we look at what Fasana lacked : a functioning Business Continuity Plan. No backup delivery system. No fast recovery options. No clear incident response framework. You'll learn: Why even small manufacturers are now prime ransomware targets. What a robust Business Continuity Plan actually includes—from impact assessments to cloud and off-site backups, endpoint defense, and RPO/RTO strategies. Why regular testing, employee training, and disaster simulation drills are just as critical as having the right technology. The operational, legal, and reputational risks of sensitive data loss in manufacturing. How financial pressure compounds risk—and why companies already under strain are often one cyberattack away from collapse. We also break down key defense strategies: network segmentation , encryption, EDR, multi-factor authentication, vendor access controls, and the emerging role of cyber insurance in helping companies weather these storms. This episode is more than a post-mortem of a cyberattack. It’s a call to action for manufacturers: ransomware is escalating, and so must your resilience. Fasana didn’t have time to prepare—but you do.…
D
Daily Security Review
1 Inside the 16 Billion Credential Leak: The Infostealer Engine Behind the Biggest Breach Yet 54:27
54:27 Play Later Play Later Lists Like Liked54:27
Play Later Play Later Lists Like LikedIn this episode, we break down the true scale and mechanics behind the largest credential leak ever recorded— over 16 billion login credentials , most of them exfiltrated by infostealer malware. We dive into how this happened: from the malware-as-a-service (MaaS) model enabling even low-skill threat actors to deploy powerful stealers, to how credentials are harvested from infected systems, bundled into "logs", and sold on dark web marketplaces. You'll learn about the rise of credential stuffing attacks that use these logs to hijack user accounts at scale, bypassing traditional defenses with distributed botnets and evasion tactics. We examine the ecosystem behind it all—how groups like Nova Sentinel operate, where data gets hosted, and how anti-analysis methods help them stay hidden. We also detail the best current defenses —multi-factor authentication (MFA), fingerprint-based detection, rate-limited login systems, and how organizations should handle suspicious IPs and user agent anomalies. You'll hear mitigation tactics sourced from OWASP, CISA, and expert threat research from Gatewatcher, DataDome, and more. This isn't just about malware. It's about how credential theft has become a billion-dollar economy—automated, distributed, and dangerously efficient.…
D
Daily Security Review
1 Over 1,500 Minecraft Users Infected in Stargazers Ghost Malware Campaign 55:17
55:17 Play Later Play Later Lists Like Liked55:17
Play Later Play Later Lists Like LikedA malware distribution network hiding in plain sight — on GitHub. This episode unpacks the Stargazers Ghost Network , a massive Distribution-as-a-Service (DaaS) infrastructure run by a threat actor known as Stargazer Goblin . Using over 3,000 GitHub accounts , this operation pushes dangerous information-stealing malware disguised as legitimate game mods and cracked software, particularly targeting communities like Minecraft players . At the center of the campaign are well-known infostealers such as Atlantida , Rhadamanthys , RisePro , Lumma , and RedLine . The delivery mechanism? Sophisticated Java-based loaders , GitHub phishing repositories , and links embedded across platforms like Twitch, TikTok, YouTube, and Discord . Key insights we explore: 🎯 Targeted deception: Modded Minecraft downloads hiding Java loaders that drop multiple stealers 💸 Financial motivation: An estimated $100,000 earned by Stargazer Goblin through stolen data 🧠 Social engineering: Repository stars, forks, and watchers used to appear trustworthy 🧪 Anti-analysis: Malware designed to evade detection with anti-VM and anti-sandbox techniques 🔐 Data exfiltration: Passwords, cookies, crypto wallets, VPN credentials, Discord tokens, and more 🌍 Attribution: Russian-language artifacts and UTC+3 activity suggest a Russian-based operator We also explore how GitHub’s platform was exploited , the use of password-protected archives to bypass scans, and the tiered account structure that allows malicious repositories to reappear even after bans. With GitHub being abused at this scale — and over 1,500 Minecraft users already infected — this case is a wake-up call for both platforms and end users. The combination of malware-as-a-service (MaaS) and DaaS delivery is lowering the bar for cybercriminals and increasing the risk for everyone online. #StargazersGhost #GitHubMalware #Infostealers #StargazerGoblin #MinecraftMalware #RedLine #Rhadamanthys #LummaStealer #AtlantidaStealer #JavaMalware #MalwareCampaign #CybersecurityPodcast #DaaS #MaaS #InfoSec #GamingCyberThreats #DiscordMalware…
D
Daily Security Review
1 Weaponized GitHub Repositories: How Banana Squad and Water Curse Are Hitting Devs 45:59
45:59 Play Later Play Later Lists Like Liked45:59
Play Later Play Later Lists Like LikedCybercriminals are increasingly turning GitHub into a malware distribution network. In this episode, we unpack two of the most alarming recent campaigns: Water Curse and Banana Squad — both targeting developers, red teams, and security professionals through poisoned open-source projects. Water Curse, a financially motivated group, used at least 76 GitHub accounts to deliver multistage malware hidden inside project configuration files of tools like Sakura-RAT. These payloads deploy obfuscated VBS and PowerShell scripts , perform system reconnaissance , and disable recovery mechanisms like shadow copies. The malware, tracked as Backdoor.JS.DULLRAT.EF25 , allows long-term remote access and data exfiltration via services like Telegram. Banana Squad, meanwhile, deployed over 60 fake repositories containing trojanized Python scripts masked as ethical hacking tools. Using visual obfuscation tricks, they pushed malicious code off-screen in the GitHub UI to avoid detection — a tactic that worked until automated tools caught the behavior. Both groups are part of a broader trend: cybercriminals leveraging Malware-as-a-Service (MaaS) platforms to outsource infrastructure, scale their operations, and target critical parts of the software supply chain . Developers, security teams, and even gamers are now at risk — not through phishing emails, but by trusting what they download from legitimate platforms. We also explore how MaaS lowers the technical barrier for attackers and discuss the critical need for secure software development, SBOM transparency , and active code validation. This isn’t a theoretical threat. It’s a shift in the way malware is built, delivered, and scaled — and it’s already compromising environments in plain sight. #GitHubMalware #WaterCurse #BananaSquad #SoftwareSupplyChain #MaaS #OpenSourceSecurity #PythonMalware #BackdoorJS #Cybersecurity #DeveloperSecurity #Infosec #VisualStudioMalware #TrojanizedCode #GitHubSecurity #CodeTrustCrisis…
D
Daily Security Review
1 Chain IQ Breach Exposes UBS & Pictet Employee Data: A Supply Chain Failure 1:05:22
1:05:22 Play Later Play Later Lists Like Liked1:05:22
Play Later Play Later Lists Like LikedA single vendor was compromised — and suddenly, internal records from UBS, Pictet, Manor, and Implenia were leaked. The Chain IQ cyberattack is a textbook example of how fragile the digital supply chain has become. This episode dissects the breach that exposed names, roles, phone numbers, even CEO contact details of over 137,000 UBS employees, and 230,000 lines of internal billing data from Pictet, including expenses ranging from hotel stays to pottery purchases. While client data remained untouched, the exposure of employee and operational data is alarming. The attack was carried out by World Leaks — formerly known as Hunters International — a group known for data theft and public extortion, not encryption. Their tactics reflect the evolving nature of supply chain threats, where trust in vendors is weaponized and internal data becomes a high-value target. We go beyond the breach and explore: 🔹 How 62% of supply chain attacks exploit trust in third-party providers 🔹 Why 66% of suppliers don't even know how they were compromised 🔹 The massive industry ripple effect, with Chain IQ’s clients including FedEx, IBM, Swiss Life, AXA, Swisscom, and KPMG 🔹 What organizations should be doing now — from vendor due diligence and access minimization to continuous risk monitoring 🔹 Why employee data security must be treated as business-critical We also break down essential defense and recovery strategies — including zero trust access, contractual audit clauses, IAM, vulnerability patching, and a Plan-Do-Check-Act cycle for full-spectrum supply chain security. The Chain IQ breach isn’t just a warning — it’s a case study in what happens when your cybersecurity depends on someone else's. #ChainIQBreach #UBSLeak #SupplyChainAttack #PictetBreach #WorldLeaks #Cybersecurity #VendorRisk #DataLeak #ThirdPartySecurity #CyberAttack #EmployeeDataExposure #InfoSec #IncidentResponse #FinancialSectorSecurity #DigitalTrust…
D
Daily Security Review
1 Oxford City Council Breach Exposes 21 Years of Data 35:51
35:51 Play Later Play Later Lists Like Liked35:51
Play Later Play Later Lists Like LikedState and local governments are under cyber siege. In this episode, we break down how and why these public institutions have become top targets for attackers — and why the threats are getting worse. Digitization is expanding public access to services, but it's also opening new doors for threat actors. Many local authorities still rely on legacy IT systems, outdated operating systems, and unsupported software — leaving them vulnerable to ransomware, phishing, impersonation, and supply chain exploits. The rise in attacks isn’t hypothetical: cyber data breaches in UK local councils have surged by nearly 400% in just three years. We examine key reasons for the surge: 🔸 Outdated infrastructure and tight budgets 🔸 Rampant phishing and email impersonation 🔸 Ransomware that paralyzes city services and steals citizen data 🔸 Weak oversight of third-party vendors and digital service providers 🔸 A lack of board-level responsibility and incident response planning The consequences aren’t just operational. Citizens are losing jobs, facing housing instability, and experiencing long-term harm due to the exposure of sensitive personal data. In the case of Oxford City Council, 21 years of historical data were compromised — impacting both current and former council employees. Although no large-scale data extraction has been confirmed, investigations are ongoing. Across the UK, councils have reported more than 12,700 breaches in three years, with over £260,000 paid in legal claims and compensation. High-profile incidents, such as the Capita breach and the Metropolitan Police supplier compromise, highlight a growing trend: third-party vendors are becoming major points of failure. We also discuss the lack of proactive cybersecurity measures. Most public bodies don’t regularly assess supply chain risks or re-evaluate vendor contracts. In many cases, cybersecurity is still not a board-level priority, especially for smaller agencies operating with limited resources. This episode explores what needs to change — from upgrading legacy systems to enforcing third-party risk management and creating a culture of privacy and accountability. Cybersecurity isn’t just a technical issue anymore. It’s public safety, trust, and governance at stake. #CyberSecurity #DataBreach #PublicSectorSecurity #Ransomware #OxfordDataBreach #CapitaBreach #LocalGovernment #InfoSec #DigitalTrust #PrivacyMatters #CyberAttack #SupplyChainRisk…
D
Daily Security Review
1 Citrix NetScaler Flaws Expose Enterprise Networks: CVE-2025-5349 & CVE-2025-5777 38:12
38:12 Play Later Play Later Lists Like Liked38:12
Play Later Play Later Lists Like LikedTwo newly disclosed critical vulnerabilities— CVE-2025-5349 and CVE-2025-5777 —have put Citrix NetScaler ADC and Gateway deployments at serious risk, exposing enterprise environments to potential data breaches and service disruptions. These flaws underscore the persistent challenges facing infrastructure teams, especially when balancing security patching with service availability. We dive deep into: 🔍 The technical mechanisms behind the NetScaler vulnerabilities and why they’re considered high risk ⚙️ The real-world difficulties of patching Citrix environments , including long installation times, session disruption concerns, and HA strategy failures 🛠️ Staged patching techniques , including gold image refresh for MCS, traffic redirection using VIP isolation, and Citrix’s official upgrade flow 🔒 A breakdown of the AAA (Authentication, Authorization, Accounting) model and its relevance for secure VPN access 🧠 Broader lessons from CWE-125 (Out-of-Bounds Read) and how SAST, SCA, and code reviews help developers catch software vulnerabilities before they reach production This episode ties together software security principles with enterprise infrastructure reality , highlighting how missteps in either domain can leave organizations exposed. Whether you're managing Citrix infrastructure or building secure software, this conversation bridges the gap between theory and practice.…
D
Daily Security Review
1 GerriScary: How CVE-2025-1568 Threatened Google’s Open-Source Supply Chain 35:21
35:21 Play Later Play Later Lists Like Liked35:21
Play Later Play Later Lists Like LikedCVE-2025-1568, dubbed "GerriScary" , has shaken the open-source ecosystem by exposing a fundamental weakness in Google’s Gerrit code review system—one that could have enabled attackers to infiltrate 18 of Google’s most widely used open-source projects, including Chromium, ChromiumOS, Dart , and Bazel . This episode breaks down how the vulnerability was discovered by researchers at Tenable using a subtle but powerful HTTP status code fingerprinting technique . A simple 209 response exposed whether a user had the “addPatchSet” permission on a given project. That small indicator opened the door to a potentially massive software supply chain compromise , allowing malicious patchsets to be injected silently into production workflows. We also explore the broader threat landscape with critical and actively exploited vulnerabilities , such as: 🔓 CVE-2023-0386 – A Linux kernel flaw exploited for root access 🧨 CVE-2025-23121 – Remote code execution on Veeam Backup Server 💣 CVE-2025-2783 – A Google Chrome zero-day used by the Trinper backdoor 📡 CVE-2023-33538 – Command injection in TP-Link routers, actively exploited 🔥 CVE-2024-1086 – Use-after-free in Linux netfilter, leading to system takeover From hardcoded keys in enterprise tools to command injections in home routers, we highlight how poor development practices continue to fuel real-world threats. But this isn't just about reacting to flaws. We dissect the NIST Secure Software Development Framework (SSDF) , now more relevant than ever. You’ll learn how the SSDF’s four core areas— Prepare, Protect, Produce, and Respond —provide a practical roadmap to building secure software, preventing flaws like GerriScary, and rapidly responding when the next critical CVE emerges. Whether you’re a software engineer, CISO, or security architect, this episode offers a grounded and urgent look at the real-world risks of unpatched systems, insecure third-party dependencies, and weak DevSecOps discipline —and how to fix them.…
D
Daily Security Review
1 Cisco & Atlassian Under Fire: High-Severity Flaws and What’s at Risk 53:38
53:38 Play Later Play Later Lists Like Liked53:38
Play Later Play Later Lists Like LikedCisco and Atlassian have both released urgent security advisories in response to newly discovered high-severity vulnerabilities—and the implications are serious. Cisco’s firmware flaws impact Meraki MX and Z Series devices running AnyConnect VPN. A bug in the SSL VPN process allows authenticated attackers to crash the VPN server, causing repeated denial-of-service conditions. Cisco ClamAV also contains heap-based buffer overflow vulnerabilities that could crash antivirus defenses simply by scanning a malicious file. Proof-of-concept exploit code is already circulating—making exploitation only a matter of time. Atlassian isn’t faring much better. Their June 2025 bulletin disclosed 13 high-severity vulnerabilities across Bamboo, Bitbucket, Confluence, Jira, Crowd, and Service Management. Many of these are rooted in third-party dependencies like Netty, Apache Tomcat, and Spring Framework. From improper authorization to remote code execution and denial of service, the risks span multiple vectors. This episode breaks down: 🔧 Cisco CVEs (2025-20212, 2025-20271, 2025-20128, 2025-20234) 🛑 How malformed VPN attributes trigger a system crash 🧪 The risk of crashing ClamAV with OLE2 content 📦 Atlassian’s dependency-driven vulnerabilities (CVE-2025-22228, CVE-2024-47561, CVE-2024-39338 and more) 🔁 The challenges of managing firmware updates across Meraki networks 💣 The broader danger of unpatched systems and third-party bloat 📉 Real-world fallout: from Equifax to ProxyShell ☁️ Shared responsibility in cloud environments and how institutions often misinterpret it If you're running Cisco hardware, using Atlassian platforms, or relying on open-source libraries, this episode shows why you must have a clear patching strategy, strong third-party oversight, and internal security validation—before attackers find the gaps for you.…
D
Daily Security Review
1 Double Extortion, Biometric Data, and Donuts: How Play Ransomware Hit Krispy Kreme 50:51
50:51 Play Later Play Later Lists Like Liked50:51
Play Later Play Later Lists Like LikedA deep dive into one of the most aggressive ransomware groups operating today— Play —and their latest high-profile target: Krispy Kreme . Operating since 2022, the Play ransomware group has become notorious for its double extortion model , where sensitive data is exfiltrated before systems are encrypted. Victims are pressured not just by digital ransom notes but also through direct phone calls to company lines, creating a highly aggressive and disruptive extortion cycle. Play has targeted over 900 entities globally , from government institutions to media outlets and, most recently, the food industry. In November 2024, Krispy Kreme was forced to shut down online ordering in parts of the U.S. after detecting unauthorized access to its systems. The Play group claimed responsibility. Stolen data reportedly included names, Social Security numbers, banking credentials, biometrics , and even military IDs —a scale and sensitivity that elevates this attack far beyond typical retail breaches. We break down: 📛 The origins and global targeting footprint of Play ransomware 📤 Their TTPs: dynamic compilation, intermittent encryption, WinRAR compression, and data exfiltration via WinSCP ☎️ Their use of direct communication, including threatening phone calls to corporate numbers 🧠 Their links to Russian-affiliated cyber actors and similarities to other ransomware variants like Hive and Nokoyawa 🧬 The specific operational and reputational damage inflicted on Krispy Kreme 💥 The unique risks of biometric data exposure in ransomware cases 🛡️ Critical cybersecurity recommendations from CISA, including segmentation, offline backups, EDR, and least-privilege access 🧪 How businesses—regardless of industry—must rethink cybersecurity resilience in the face of industrialized extortion models Whether you're in tech, retail, or public infrastructure, this is a wake-up call: ransomware doesn’t discriminate by sector—it hunts for scale, pressure points, and poor preparation . #Ransomware #PlayRansomware #KrispyKremeHack #CyberSecurity #DoubleExtortion #DataBreach #InfoSec #CISA #HunterInternational #BiometricDataBreach #RetailSecurity #PodcastCybersecurity #CyberAttack #RansomwareTTPs #MITREATTACK…
D
Daily Security Review
1 Archetyp Market Seized: €250M Drug Empire Toppled by Operation Deep Sentinel 54:53
54:53 Play Later Play Later Lists Like Liked54:53
Play Later Play Later Lists Like LikedIn this episode, we unpack the dramatic takedown of Archetyp Market , a darknet marketplace that dominated the online drug trade since its launch in May 2020. With over €250 million ($290 million) in drug transactions, more than 600,000 users , and 17,000 listings , Archetyp wasn’t just another darknet forum—it was the largest dedicated drug market on the Tor network by 2024. The operation that brought it down, Operation Deep Sentinel , was a five-nation law enforcement effort led by Germany’s BKA , coordinated by Europol and Eurojust , and supported by the United States. Between June 11–13, 2025, authorities arrested the alleged German administrator in Barcelona , one moderator, and six top vendors. They also seized €7.8 million in assets , including crypto wallets, luxury vehicles, and the market’s backend infrastructure hosted in the Netherlands. This was the culmination of years of cyber-forensics, financial tracing, and cross-border intelligence work . But the story doesn’t stop with the arrests. We explore the deeper implications: how digital drug markets continue to evolve, why users easily migrate after shutdowns, and how operations like this shape law enforcement’s long-term cybercrime strategy. We’ll also touch on the philosophical roots of Archetyp’s founder—who modeled the site after Silk Road , with the aim of supporting drug liberalization in Europe—and why this ideological undertone didn't stop the authorities from dismantling the platform piece by piece. Tune in as we analyze the fall of Archetyp, the future of darknet markets, and the growing role of international cybersecurity cooperation in this high-stakes game of cat and mouse.…
Welcome to Player FM!
Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.
Daily Deals
Daily Deals
Similar to Daily Security Review
Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
Welcome to the Security Weekly Podcast Network, your all-in-one source for the latest in cybersecurity! This feed features a diverse lineup of shows, including Application Security Weekly, Business Security Weekly, Paul's Security Weekly, Enterprise Security Weekly, and Security Weekly News. Whether you're a cybersecurity professional, business leader, or tech enthusiast, we cover all angles of the cybersecurity landscape. Tune in for in-depth panel discussions, expert guest interviews, and ...
…
continue reading
Download This Show is your weekly guide to the world of media, culture, and technology. From social media to gadgets, streaming services to privacy issues. Each week Rae Johnston and guests take a fun, deep dive into how technology is reshaping our lives.
…
continue reading
Python Bytes is a weekly podcast hosted by Michael Kennedy and Brian Okken. The show is a short discussion on the headlines and noteworthy news in the Python, developer, and data science space.
…
continue reading
Africa-focused technology, digital and innovation ecosystem insight and commentary.
…
continue reading
On The Bike Shed, hosts Joël Quenneville and Stephanie Minn discuss development experiences and challenges at thoughtbot with Ruby, Rails, JavaScript, and whatever else is drawing their attention, admiration, or ire this week.
…
continue reading
An open show powered by community LINUX Unplugged takes the best attributes of open collaboration and turns it into a weekly show about Linux.
…
continue reading
1
Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec
Jerry Bell and Andrew Kalat
5k200
Defensive Security is a weekly information security podcast which reviews recent high profile cyber security breaches, data breaches, malware infections and intrusions to identify lessons that we can learn and apply to the organizations we protect.
…
continue reading
Show notes are at https://stevelitchfield.com/sshow/chat.html
…
continue reading
Tech Life discovers and explains the ways technology is changing our lives, wherever we are in the world. We meet the people with bright ideas for rethinking the way we work, learn and play, and get hands-on with the products they dream up. We hold tech giants to account for their huge power to affect our lives, and ask who wins, and who loses, in the technology transformation. Tech Life is your guide to a future being made, and remade, at lightning speed in front of our eyes.
…
continue reading
Player FM - Podcast App
Go offline with the Player FM app!
Go offline with the Player FM app!
