
Daily Security Review
410 episodes — Page 4 of 9

Ep 207 TSMC Insider Threat: Six Arrested in Taiwan Over 2nm Chip Trade Secrets
In a stunning development, Taiwanese authorities have arrested six individuals suspected of stealing trade secrets from Taiwan Semiconductor Manufacturing Co. (TSMC), the world’s most advanced semiconductor producer. At the heart of the case is TSMC’s 2-nanometer (2nm) chip technology, a crown jewel in the global race for next-generation AI and high-performance computing power.
This marks the first major prosecution under Taiwan’s 2022 National Security Act, underscoring the escalating risk of insider threats and economic espionage in the semiconductor industry. Prosecutors are investigating whether the stolen technology was funneled to outside entities — a potential national security risk with global repercussions.
This episode examines:
- TSMC’s global dominance, producing over 90% of the world’s advanced chips, and why its 2nm technology is considered a strategic asset for AI, defense, and global tech leadership.
- The insider threat problem: how current and former employees allegedly bypassed TSMC’s defenses and why the semiconductor industry has become a prime target for espionage.
- China’s aggressive pursuit of chip technology, with trade secret theft playing a central role in its strategy to achieve semiconductor independence.
- The broader landscape of semiconductor espionage, from Google and Apple to Samsung and SK hynix, highlighting the billions lost annually to IP theft.
- Taiwan’s robust countermeasures, including AI-driven monitoring systems and strict new laws carrying up to 12 years in prison for offenders.
- The U.S. response, from the CHIPS and Science Act to export controls and supply chain diversification, as Washington seeks to reduce reliance on Taiwan while maintaining chip access.
- The geopolitical stakes, as the world’s economic security becomes increasingly tied to Taiwan’s semiconductor output — making any disruption a potential global crisis.
With the semiconductor market projected to hit $654.7 billion by 2025, and AI fueling unprecedented demand, this case shines a harsh light on the intersection of economic power, national security, and insider espionage. The outcome could shape global tech competition for years to come.
#TSMC #Semiconductors #2nm #TradeSecrets #Taiwan #NationalSecurity #AIChips #ChipEspionage #IPTheft #China #CHIPSAct #Geopolitics #AI #InsiderThreats

Ep 206 Approov Secures £5M to Fortify Mobile App and API Security Against AI-Driven Threats
In a major step for mobile and API cybersecurity, Approov, the Edinburgh-based security firm specializing in real-time mobile attestation and API protection, has raised £5 million (approximately $6.7 million) in Series A funding. The round, led by the Investment Fund for Scotland with support from Souter Investments, Lanza techVentures, and Scottish Enterprise, will fuel the expansion of Approov’s research and development hub in Scotland while driving global growth.
Founded in 2012, Approov has built a reputation as a pioneer in Runtime Application Self-Protection (RASP) and patented mobile app attestation technology. Their solutions block malicious activities such as emulator abuse, rooted device exploitation, tampering frameworks, and man-in-the-middle (MITM) attacks, ensuring only legitimate apps in secure environments can access backend resources.
This episode dives into:
- Why mobile applications and APIs have become the frontline targets for cybercriminals.
- The role of AI-powered attacks — from deepfakes to automated malware — in shaping today’s cybersecurity landscape.
- How Approov’s deterministic, real-time defense model provides an edge over traditional, AI-behavioral detection approaches plagued by false positives.
- The explosive rise of API attacks — projected to grow nearly 1,000% by 2030 — and why app attestation is becoming essential for financial services and beyond.
- The broader industry trend of mobile security market growth, set to reach $18.42 billion by 2032, driven by rising demand for protection against sophisticated digital threats.
- Best practices for organizations, including Zero Trust adoption, continuous monitoring, schema enforcement, encryption, and proactive threat intelligence.
With 9 out of 10 enterprises already experiencing API security incidents, and 74% of IT security professionals reporting major impacts from AI-driven threats, Approov’s funding marks a pivotal moment in the arms race between defenders and adversaries.
This is not just about one company — it’s about defining the future of mobile and API security in an era where digital transformation and AI threats collide.
#Approov #MobileSecurity #APIsecurity #CybersecurityFunding #RASP #AppAttestation #ManInTheMiddle #AIthreats #APIs #ZeroTrust #EdinburghTech #SeriesAFunding #MobileAppSecurity

Ep 205 Pwn2Own Ireland 2025: $1M WhatsApp Exploit Bounty Raises the Stakes
This October, Pwn2Own Ireland 2025 will take over Cork with one of the most ambitious cybersecurity competitions yet. Co-sponsored by Meta and organized by Trend Micro’s Zero Day Initiative (ZDI), the event is putting record-breaking payouts on the line — including up to $1 million for a zero-click WhatsApp exploit that can deliver remote code execution.
From October 21-24, elite hackers and security researchers will go head-to-head across a diverse set of categories designed to reflect today’s most pressing cybersecurity challenges. These include:
- Mobile & Messaging: WhatsApp takes center stage, with Meta offering unprecedented rewards to strengthen the world’s most popular messaging app.
- Wearables & AR Devices: Competitors will probe devices like Ray-Ban Meta smart glasses and Quest VR headsets, highlighting privacy risks in emerging tech.
- SOHO Smashup: Targeting home office devices — routers, NAS systems, and IoT hubs — reflecting the increased vulnerabilities created by widespread remote work.
- Traditional Mobile Platforms: iOS and Android remain prime targets given their ubiquity in both corporate and personal environments.
The competition comes against a backdrop of escalating cyber risks tied to remote and hybrid work, with phishing, unpatched home networks, sideloaded apps, and insecure Wi-Fi fueling attacks. With AI-powered exploits accelerating the pace of discovery, the stakes for proactive defense have never been higher.
We’ll explore:
- Why Meta is investing so heavily in zero-click exploit prevention for WhatsApp.
- How Pwn2Own’s unique model of ethical vulnerability disclosure is shaping global security standards.
- The growing threat landscape for remote work and mobile-first attacks, including AI-driven phishing and sideloaded malware.
- Why wearables like Ray-Ban smart glasses are becoming new privacy battlegrounds in the workplace.
- How competitions like Pwn2Own both spotlight vulnerabilities and drive vendors toward faster patching and security hardening.
As Pwn2Own Ireland 2025 kicks off, it’s clear this event isn’t just about prize money — it’s about securing the technologies that underpin modern communication, work, and life.
#Pwn2Own #Meta #WhatsApp #ZeroClickExploit #ZDI #Cork2025 #Cybersecurity #RemoteWorkSecurity #SOHOSmashup #SmartGlasses #QuestHeadset #MobileSecurity #AIphishing #ZDI #BugBounties

Ep 204 Nvidia Triton Inference Server Vulnerabilities Expose AI Infrastructure to Attack
A major warning has hit the AI community: Nvidia’s Triton Inference Server — one of the most widely used open-source platforms for deploying and scaling AI models — has been found to contain critical vulnerabilities that could allow attackers to take complete remote control of affected systems.
The discovery, made by cloud security firm Wiz, revealed a chain of flaws that escalate from information disclosure to remote code execution (RCE), enabling attackers to not only steal valuable AI models but also access sensitive organizational data. Nvidia has since released urgent patches, but the incident highlights the growing security crisis in AI infrastructure.
In this episode, we break down:
- The Vulnerabilities: How Wiz uncovered issues like arbitrary read/write flaws in Triton that could be chained for full system compromise.
- The Risks: From model theft and intellectual property loss to AI pipelines being hijacked for espionage, data exfiltration, or even cryptojacking.
- The Bigger Picture: Why MLSecOps (Machine Learning Security Operations) is becoming mission-critical as AI adoption accelerates — and why traditional DevSecOps approaches aren’t enough for AI/ML.
- Other Red Flags: This disclosure follows a recent Wiz warning about a Nvidia Container Toolkit flaw, underscoring systemic weaknesses in GPU-powered AI ecosystems.
- Lessons from AI Security Research: How flaws in serialization, custom model layers, and shared memory APIs are creating new attack surfaces unique to AI workloads.
- Best Practices for Defense: Immediate patching to the latest Triton version, secure deserialization practices, sandboxed execution environments, strong IAM and MFA, dependency auditing, and proactive adversarial testing with open-source MLSecOps tools.
The Nvidia Triton vulnerabilities aren’t just another bug report — they’re a wake-up call that AI deployments must adopt defense-in-depth, zero-trust security models, and proactive AI-specific security testing. As AI becomes critical infrastructure, the stakes have never been higher.
#Nvidia #Triton #AIsecurity #MLSecOps #WizResearch #RemoteCodeExecution #CVE2025 #AIInfrastructure #ModelTheft #RCE #CloudSecurity #AISupplyChain #AIModelSecurity #CISA #DevSecOps #AdversarialML

Ep 203 CISA & FEMA Release $100M in Cybersecurity Grants to Strengthen State, Local, and Tribal Defenses
The U.S. Department of Homeland Security, through CISA and FEMA, has announced over $100 million in new cybersecurity grant funding for Fiscal Year 2025 — a critical investment aimed at protecting America’s most vulnerable digital frontlines. The funding is split between the State and Local Cybersecurity Grant Program (SLCGP), allocating $91.7 million, and the Tribal Cybersecurity Grant Program (TCGP), providing $12.1 million.
In this episode, we explore how these funds will be used to bolster defenses for state, local, and tribal governments (SLTT) — key operators of public services and critical infrastructure that face mounting threats from ransomware, nation-state attacks, and insider risks.
We’ll break down:
- The Objectives of the Grants: Governance and planning, cybersecurity workforce development, threat mitigation, and continuous assessment of cyber readiness.
- Eligible Uses: From hiring qualified cybersecurity staff and acquiring new tools like EDR platforms and VPNs to launching training and awareness programs, conducting tabletop exercises, and even migrating to the .gov domain.
- Unique Challenges for SLTT Entities: Limited resources, legacy systems, and the difficulty of balancing 24/7 operations with patching and security updates.
- The Tribal Cybersecurity Grant Program: Direct funding for federally recognized tribes, requiring approved cybersecurity planning committees and participation in CISA’s Cyber Hygiene Services.
- CISA’s Internal Strains: Ongoing staffing losses within the Joint Cyber Defense Collaborative (JCDC) may affect the agency’s ability to fully support grant recipients.
- Best Practices from the Cybersecurity Guidebook for Local Government 2.0: Including the “Necessary Nine” checklist — from offline backups and MFA to patch management and clear incident response plans.
With $1 billion allocated through the Bipartisan Infrastructure Law over four years, this latest round of funding marks a major step in the U.S. government’s strategy to reduce cyber risk and build long-term resilience. But questions remain: Will SLTT governments move fast enough to implement these measures? And can CISA maintain the capacity to oversee and support these initiatives effectively?
#CISA #FEMA #CybersecurityGrants #SLCGP #TCGP #StateCybersecurity #TribalCybersecurity #RansomwareDefense #CriticalInfrastructure #CyberResilience #ZeroTrust #CyberHygiene #CybersecurityWorkforce #DHS #CISAGrants

Ep 202 AI Jailbreaks on the Rise: How Hackers Are Extracting Training Data from LLMs
In this episode, we examine the rapidly growing threat of AI jailbreaks — a cybersecurity challenge reshaping the landscape of large language models (LLMs) and enterprise chatbots. According to the IBM 2025 Cost of a Data Breach Report, 13% of all data breaches now involve AI systems, with the vast majority stemming from jailbreak attacks that circumvent developer-imposed guardrails.
A highlight of our discussion is Cisco’s “instructional decomposition” jailbreak technique, which shows how attackers can extract original training data — even copyrighted material — by manipulating conversational context and using incremental requests that evade security protocols. We’ll break down how this method works, why it’s so difficult to detect, and what it means for the future of enterprise AI.
Topics we cover include:
- How Jailbreaks Work: From direct prompt injections to hidden instructions embedded in documents, images, or even ultrasonic audio signals.
- Data Exfiltration Risks: LLMs trained on proprietary business data can leak PII, intellectual property, or sensitive corporate knowledge.
- Real-World Cases: From Samsung’s 2023 ChatGPT data leak to the DeepSeek-R1 vulnerabilities and Cisco’s new demonstration of instructional decomposition, proving that what goes into LLMs can come out again.
- The Human Factor: With 97% of breached organizations lacking proper AI access controls, internal misuse and poor governance remain critical risks.
- Why Prevention is Hard: Experts warn it’s “very unlikely that LLMs will ever fully prevent jailbreaks,” meaning organizations must shift focus to access control and monitoring.
- Mitigation Strategies: Multi-factor authentication, strict input/output filtering, network isolation, Zero Trust models, and employee training.
- Regulatory Pressure: With GDPR, HIPAA, and the EU AI Act enforcing stricter compliance, failure to secure AI systems could mean not only data loss but also severe legal and financial repercussions.
As enterprises accelerate AI adoption, the line between innovation and vulnerability is razor-thin. Jailbreaks prove that guardrails alone are not enough. To safeguard sensitive data and prevent catastrophic breaches, organizations must adopt layered defenses, continuous monitoring, and robust governance frameworks.
#AIJailbreak #LLMSecurity #Cisco #InstructionalDecomposition #ChatbotRisks #DataExfiltration #GenerativeAI #Cybersecurity #AICompliance #IBMDataBreachReport #PromptInjection #EnterpriseAI #SamsungDataLeak #DeepSeekR1 #ZeroTrustAI #AIRegulation

Ep 201 350,000 Patient Records Exposed: Inside the Northwest Radiologists Data Breach
In this episode, we investigate the Northwest Radiologists data breach, a devastating cyberattack that compromised the personal and medical information of approximately 350,000 patients in Washington State between January 20 and January 25, 2025. What began as a so-called “network disruption” was later revealed to be a massive breach that exposed a treasure trove of sensitive data — including names, Social Security numbers, health records, and financial information.
This case study exemplifies the escalating crisis in healthcare cybersecurity. According to the 2025 Breach Barometer report, over 300 million patient records were compromised in 2024, with healthcare data breaches averaging nearly $10 million in costs per incident, making the sector the most expensive for cyberattacks.
Key points we cover include:
- Scope of the Breach: Nearly 350,000 records exposed, including highly sensitive health and financial details.
- Transparency Issues: Northwest Radiologists initially described the event as a “network disruption,” delaying full disclosure. Formal notification to the Washington Attorney General came months after the breach, well beyond the state’s 30-day legal requirement.
- Legal Fallout: A class-action lawsuit alleges negligence and inadequate cybersecurity, pointing to “completely inadequate” data protections that allowed cybercriminals unprecedented access.
- Patient Impact: Victims face risks of identity theft, medical fraud, financial fraud, and long-term privacy violations. Many now rely on credit monitoring services, but trust in healthcare providers continues to erode.
- The Bigger Picture: With 77% of breached records in 2024 tied to business associates, insider threats, ransomware, and delayed notifications, the healthcare sector remains a prime target for cybercriminals.
- Protective Measures: Experts urge patients to avoid sharing Social Security numbers with providers when possible, use strong passwords for healthcare portals, monitor financial and medical accounts closely, and consider dark web monitoring services.
The Northwest Radiologists breach is more than a local crisis — it’s a warning about the systemic vulnerabilities in U.S. healthcare cybersecurity. Without stronger defenses, transparency, and accountability, the cost of inaction will not only be financial but measured in patient safety and public trust.
#NorthwestRadiologists #HealthcareBreach #DataBreach #Cybersecurity #HIPAA #MedicalDataSecurity #Ransomware #PatientPrivacy #IdentityTheft #HealthcareCybersecurity #WashingtonState #CISA #DataProtection #BreachBarometer

Ep 200 Critical Honeywell Experion PKS Vulnerabilities Threaten Global Industrial Control Systems
In this episode, we analyze the multiple vulnerabilities recently disclosed in Honeywell’s Experion Process Knowledge System (PKS), a widely deployed industrial control and automation solution that underpins operations in energy, chemical plants, manufacturing, healthcare, and transportation sectors worldwide. Reported by CISA and Positive Technologies, these flaws range from remote code execution (RCE) to denial-of-service (DoS), giving attackers the potential to disrupt or manipulate critical processes in environments where downtime is simply not an option.
While Honeywell’s affected devices are often deployed in isolated operational technology (OT) networks, the stakes remain dangerously high. If attackers gain access—via remote exploitation, insider compromise, or supply chain attacks—they could stop or reboot industrial systems, modify process parameters, or cause widespread operational disruption. CISA warns that the vulnerabilities, including flaws in Control Data Access (CDA) components, are low-complexity and remotely exploitable, meaning even modestly skilled adversaries could weaponize them.
We’ll break down:
- The nature of these Honeywell Experion PKS vulnerabilities (CVE-2025-2520, CVE-2025-2521, CVE-2025-2523, CVE-2025-3946) and their potential consequences.
- Why ICS/OT environments face unique patching challenges, with safety and uptime often prioritized over security.
- How nation-state APTs, ransomware groups, and insider threats are increasingly targeting industrial control systems.
- The critical role of network segmentation, Zero Trust architectures, and anomaly detection in defending critical infrastructure.
- Why rapid patching and rigorous testing are essential, despite the cost and complexity of OT maintenance windows.
- Strategic mitigations, including progressive rollout, compensating controls, intrusion detection, and IT/OT collaboration.
The Honeywell case highlights a recurring truth: in ICS and OT, the cost of inaction is measured not only in data loss or downtime but in real-world safety and public trust. As vulnerabilities grow more severe and the Time-to-Exploit window shrinks, organizations must balance operational continuity with aggressive security measures to prevent catastrophic outcomes.
#Honeywell #ExperionPKS #CISA #PositiveTechnologies #ICS #OTSecurity #CriticalInfrastructure #RemoteCodeExecution #DenialOfService #ZeroTrust #PatchManagement #NetworkSegmentation #IndustrialAutomation #NIST #IEC62443 #Cybersecurity

Ep 199 Auto-Color Linux Malware Exploits SAP Zero-Day CVE-2025-31324
In this episode, we uncover the Auto-Color Linux malware, a stealthy and highly persistent Remote Access Trojan (RAT) that is rapidly emerging as one of the most dangerous threats of 2025. First identified by Palo Alto Networks’ Unit 42 and later analyzed by Darktrace, Auto-Color has now been linked to active exploitation of CVE-2025-31324, a critical SAP NetWeaver vulnerability with a perfect CVSS score of 10.0.
This malware isn’t your average Linux RAT. It employs shared object injection, a malicious rootkit module, and privilege-aware execution, adapting its tactics depending on whether it has root access. If its Command-and-Control (C2) server is unreachable, it suppresses activity, appearing benign to analysts and evading detection in sandboxes and air-gapped environments. By hooking into /etc/ld.preload and loading implants like libcext.so.2, Auto-Color ensures deep, system-wide persistence.
The exploitation of CVE-2025-31324 has been fast and widespread. Originally disclosed in April 2025, the vulnerability was already being exploited weeks earlier. Threat intelligence indicates involvement by both ransomware groups and Chinese state-sponsored APTs, with incidents ranging from university breaches to an attack on a U.S.-based chemicals company. Analysts warn that the Time-to-Exploit (TTE) window is collapsing — what used to take weeks now takes hours after disclosure.
We’ll explore:
- How Auto-Color’s rootkit-level persistence allows attackers full remote control of Linux systems.
- The blurring line between nation-state operations and ransomware crews, who now share techniques and infrastructure.
- Why SAP NetWeaver environments are particularly high-risk targets, and how widespread CVE-2025-31324 really is.
- The multi-stage intrusion playbook: from phishing and DNS tunneling to webshell deployment and RAT installation.
- Practical mitigations, including immediate patching, anomaly-based detection, and close monitoring of /etc/ld.preload.
With Auto-Color, the message is clear: patching delays can be catastrophic. As ransomware groups adopt APT-style zero-day exploitation, the security community must rethink defense speed, visibility, and collaboration.
#AutoColor #LinuxMalware #SAPNetWeaver #CVE202531324 #Darktrace #Unit42 #Cybersecurity #Rootkit #APT #Ransomware #LinuxSecurity #ZeroDayExploits #SAPSecurity #IncidentResponse #ThreatIntelligence

Ep 198 Inside the July 2025 PyPI Phishing Scam: How Hackers Stole Developer Credentials
In this episode, we investigate the growing cybersecurity storm targeting the Python Package Index (PyPI) — the backbone of Python’s software distribution ecosystem. A recent phishing campaign in July 2025 has developers on high alert, as attackers impersonated PyPI using a deceptive domain (pypj.org) to trick maintainers into handing over their credentials. Victims were directed to a convincing PyPI lookalike site where their credentials were stolen — and silently relayed to PyPI’s legitimate servers, creating the illusion of a normal login and delaying detection.
But phishing is just one front in a much larger battle. The open-source software supply chain is under siege, with malicious packages skyrocketing — over 512,000 discovered since late 2023, a 156% year-over-year increase. Attackers leverage typosquatting, dependency confusion, and data exfiltration techniques to compromise developers and enterprises alike. Malware buried in these packages has ranged from crypto miners and backdoors to credential stealers and PII exfiltration tools.
Key issues we cover include:
- PyPI’s phishing threat response: how admins added warning banners and launched takedowns of the malicious infrastructure.
- The critical role of Multi-Factor Authentication (MFA), now mandatory for PyPI accounts, in preventing account compromise.
- The concept of Persistent Risk: why 80% of dependencies remain outdated for over a year, despite safer alternatives existing.
- Historic lessons from Log4Shell, SolarWinds, and the XZ Utils incident, showing the escalating sophistication of supply chain attacks.
- Why the AI revolution in phishing — with voice synthesis, deepfakes, and multi-channel deception — is raising the stakes for developers and organizations.
- Practical defenses, from Software Composition Analysis (SCA) tools in CI/CD pipelines to careful package reputation checks and strict credential hygiene.
As the market for AI-driven cybersecurity surges toward $93.75 billion by 2030, the fight for the security of open-source ecosystems like PyPI is not just about protecting code — it’s about safeguarding the entire digital supply chain.
#PyPI #Phishing #SupplyChainSecurity #OpenSource #Python #Cybersecurity #MFA #MaliciousPackages #Typosquatting #DependencyConfusion #Log4Shell #SolarWinds #XZUtils #SoftwareSupplyChain #CI_CD #AIPhishing #PyPA

Ep 198 IoT Security Crisis: Dahua Smart Camera Vulnerabilities Expose Surveillance Systems
In this episode, we examine the alarming discovery of critical security vulnerabilities in Dahua smart cameras, one of the world’s most widely deployed surveillance systems. Researchers at Bitdefender uncovered two zero-click flaws — CVE-2025-31700 and CVE-2025-31701 — that allow unauthenticated remote attackers to gain root access to Dahua devices. Exploited through the ONVIF protocol and an undocumented RPC upload endpoint, these flaws bypass integrity checks, enabling attackers to install malicious payloads, create persistent implants, and hijack surveillance systems without user interaction.
The affected Dahua camera models, including popular IPC and SD series, are commonly used in retail, warehouses, residential security, and critical infrastructure, meaning millions of environments could be exposed. Dahua has since released patches, but experts stress that updating firmware is only part of the solution. With IoT devices like IP cameras notoriously vulnerable, leaving systems unpatched or exposed to the internet can lead to devastating consequences, including data breaches, surveillance hijacking, and use of compromised cameras in botnet operations.
We’ll also explore:
- Why IoT devices remain one of the weakest links in cybersecurity,
- The dangers of insecure protocols like UPnP that open devices to remote access,
- Best practices for securing IP cameras, from network isolation to VPN-based remote access,
- Lessons from other IoT case studies, like the Tenda CP3 vulnerabilities with hardcoded passwords and missing firmware integrity checks,
- And why regular patching, strong authentication, and disabling unnecessary services are essential to protecting your surveillance infrastructure.
This case underscores a sobering reality: as IoT adoption grows, attackers are increasingly targeting devices once considered “low risk” — turning everyday surveillance tools into gateways for cyber intrusion.
#Dahua #Bitdefender #IoTSecurity #SmartCameras #CVE202531700 #CVE202531701 #ONVIF #UPnP #Cybersecurity #FirmwareUpdate #SurveillanceSecurity #IoTVulnerabilities #RPCExploit #RootAccess #Botnets

Ep 197 Dropzone AI Secures $37M to Tackle Alert Fatigue with Autonomous SOC Analysts
In this episode, we dive into Dropzone AI’s landmark $37 million Series B funding round, bringing the company’s total raised to over $57 million. Backed by major investors, Dropzone AI is accelerating the development of its AI-powered SOC analysts — tools designed to autonomously investigate and resolve security alerts across critical threat categories like phishing, insider threats, and compromised accounts.
The cybersecurity industry is at a turning point. With hybrid work, widespread cloud adoption, and economic uncertainty fueling a surge in cyberattacks, security teams face an overwhelming volume of alerts. Alert fatigue — the constant flood of notifications and false positives — has become one of the industry’s greatest pain points, leading to burnout, delayed responses, and missed threats. Dropzone AI’s autonomous agents aim to solve this by mimicking human reasoning, analyzing data from existing security tools, and taking swift, informed containment actions.
We’ll unpack:
- Why 74% of organizations report insider threats are increasing and harder to detect,
- How AI is transforming phishing campaigns into scalable, multi-channel attacks using deepfakes and voice synthesis,
- Dropzone AI’s vision to cut false positives by 70% and speed up investigations 5x,
- The debate over whether AI SOC analysts will augment or replace human analysts,
- And why the global AI in cybersecurity market is projected to hit $93.75 billion by 2030, marking a generational shift in cyber defense.
This funding is not just about expanding Dropzone AI’s platform — it’s about redefining the security operations center of the future, where autonomous AI agents act faster and humans think deeper. As insider threats and AI-driven phishing escalate, the question isn’t whether AI will reshape cybersecurity, but how quickly.
#DropzoneAI #Cybersecurity #AIinCybersecurity #SOC #AlertFatigue #InsiderThreats #Phishing #Deepfakes #MachineLearning #SeriesB #CyberDefense #SOCAnalysts #ThreatDetection #CyberOps

Ep 196 Axonius Buys Cynerio for $100M+: Closing Healthcare’s Biggest Cybersecurity Blind Spot
In this episode, we explore Axonius’s landmark acquisition of Cynerio, a healthcare cybersecurity company specializing in protecting vulnerable medical devices like MRI machines, infusion pumps, and ventilators. The deal — valued at over $100 million in cash and stock — marks Axonius’s first-ever acquisition and signals a major strategic expansion into the healthcare sector. Already valued at $2.6 billion, Axonius is now positioning itself as a leader in securing one of the most overlooked yet high-risk areas of cybersecurity: clinical environments filled with network-connected medical devices.
Healthcare remains the most expensive industry for data breaches, with average costs exceeding $10 million and breach containment timelines stretching over 300 days. Beyond financial fallout, these breaches carry life-threatening implications: compromised devices can delay critical care or even endanger patients. Cynerio, known for its purpose-built healthcare cybersecurity solutions and ranked a top provider in the KLAS Healthcare IoT Security report three years running, brings specialized expertise in passive network discovery, real-time threat detection, and automated risk mitigation.
Together, Axonius and Cynerio aim to eliminate what Axonius’s CEO calls a “digital security blind spot” — the lack of comprehensive monitoring and protection for medical devices that cannot be rebooted, aggressively scanned, or patched like standard IT equipment. This move addresses not only patient safety and compliance concerns but also the growing regulatory and threat landscape.
We’ll also discuss the broader context:
- Why 53% of healthcare IoT devices contain known critical vulnerabilities,
- How medical device security requires a Total Product Life Cycle (TPLC) approach,
- The escalating risks of ransomware, data theft, and patient safety incidents in healthcare,
- And why consolidation in the cybersecurity market — like Axonius’s move — is shaping the future of digital healthcare defense.
This acquisition isn’t just about expanding market share — it’s about redefining how healthcare providers secure the entire clinical environment, from electronic records to life-supporting devices.
#Axonius #Cynerio #HealthcareCybersecurity #MedicalDeviceSecurity #MRI #InfusionPumps #Cyberattacks #IoTsecurity #HealthcareIT #HIPAA #PatientSafety #Ransomware #AssetManagement #ePHI #IoT #ClinicalEnvironmentSecurity

Ep 195 Critical Lenovo Firmware Flaws Expose Millions to Persistent UEFI Attacks
In this episode, we examine a critical firmware security crisis shaking Lenovo devices worldwide. Security researchers at Binarly have uncovered six serious vulnerabilities in the Insyde BIOS firmware used in Lenovo’s IdeaCentre and Yoga product lines. Four of these flaws, rated high severity, reside in the System Management Mode (SMM) — a privileged execution mode sometimes called “Ring -2.” Exploiting these vulnerabilities allows attackers to deploy persistent UEFI implants that can bypass Secure Boot, gain elevated privileges, and even survive a full operating system reinstallation. The remaining two vulnerabilities, rated medium severity, enable information disclosure that could further aid attackers in stealthy intrusions.
This disclosure comes against the backdrop of a growing firmware security crisis. The PKfail scandal, involving leaked and mismanaged Secure Boot Platform Keys, has left over 10% of devices from major vendors — including Lenovo, Dell, HP, and Intel — exposed to permanent Secure Boot bypass risks. At the same time, Microsoft continues to grapple with BlackLotus UEFI bootkit mitigations (CVE-2023-24932), rolling out staged updates that risk device instability, BitLocker lockouts, and recovery media failures.
We’ll break down:
- How SMM vulnerabilities give attackers unfettered control over hardware and memory,
- Why firmware-level malware persists invisibly beyond OS defenses,
- The challenges Lenovo faces in delivering BIOS patches amid revoked driver certificates and Windows Defender blocks,
- The broader pattern of nation-state and criminal groups exploiting UEFI and firmware-level flaws for ransomware, espionage, and long-term persistence,
- And why firmware is now one of the most dangerous attack surfaces in enterprise and consumer security.
As Lenovo scrambles to patch affected devices, this story underscores a chilling truth: firmware attacks represent the ultimate stealth threat, bypassing traditional antivirus, EDR, and even secure OS reinstalls.
#Lenovo #Binarly #FirmwareSecurity #UEFI #BIOS #SMM #SecureBoot #BlackLotus #PKfail #PersistentThreats #Cybersecurity #UEFIbootkit #Ransomware #NationStateAttacks #FirmwareExploits #BitLocker

Ep 195 Promptfoo Secures $18.4M to Combat AI Security Threats in Generative AI
In this episode, we dive into Promptfoo’s groundbreaking $18.4 million Series A funding round, led by Insight Partners and supported by Andreessen Horowitz, bringing the AI security startup’s total funding to $23.4 million. Founded in 2024, Promptfoo has quickly emerged as a leader in securing Large Language Models (LLMs) and generative AI applications against critical threats like prompt injections, data leaks, hallucinations, and compliance violations.
With its open-source tools already adopted by over 100,000 developers and nearly 30 Fortune 500 companies, Promptfoo is not just scaling technology — it’s redefining how enterprises defend their AI systems. CEO Ian Webster warns that “AI security has become the largest blocker to enterprises shipping generative AI applications,” pointing to the skyrocketing attack surface created by advanced architectures such as Retrieval-Augmented Generation (RAG), multi-agent systems, and the Model Context Protocol (MCP).
We explore why AI security is no longer optional, how red teaming and automated testing are becoming essential for preventing catastrophic failures, and why financial institutions, in particular, see this as a race against time to prevent regulatory fines, insider threats, and sophisticated adversarial attacks. We’ll also discuss the industry-wide shift toward proactive defenses, the importance of data leakage prevention strategies, and the emerging security arms race among AI startups, enterprises, and cloud providers.
Tune in as we break down how Promptfoo’s funding will fuel platform expansion, team growth, and the democratization of advanced red teaming techniques — making AI security a built-in safeguard, not an afterthought.
#AIsecurity #Promptfoo #GenerativeAI #LLM #InsightPartners #AndreessenHorowitz #AIrisks #PromptInjection #DataLeakage #RedTeaming #FinTechSecurity #Cybersecurity #MCP #RAG #AIagents #EnterpriseAI

Ep 194 1.1 Million Private Messages Leaked: Inside the Tea App Privacy Disaster
A platform designed to protect women’s safety in dating has instead become a nightmare for its users. In this episode, we uncover the catastrophic Tea app data breach, which exposed more than 59 GB of highly sensitive user data due to a fundamental security failure: a completely public Firebase storage bucket with no authentication, no encryption, and no internal checks.
Among the compromised data were 13,000 government ID selfies collected for user verification, over 59,000 user-generated images from posts and comments, and a separate database containing 1.1 million private messages—some discussing deeply personal topics like infidelity, abortions, and abusive relationships. Far from being old or inactive data, some of the leaked conversations were as recent as last week.
The fallout has been severe. Hackers quickly exploited the breach, sharing stolen data on forums, torrent sites, and even creating a “facesmash”-style site to publicly rate women from their selfies. Another leak mapped user locations on Google Maps, raising terrifying risks of stalking and real-world targeting. Victims now face identity theft, harassment, and social engineering attacks, with personal dignity and safety at stake.
We break down how this disaster was made possible by “vibe coding” with AI-generated code, rushed development without security audits, and a failure to follow basic cybersecurity hygiene. We also examine Tea’s contradictory statements, delayed disclosure, and the potential legal and reputational fallout for a platform that promised women they’d “never have to compromise their safety while dating.”
Finally, we discuss the critical lessons for developers and users: why infrastructure reviews, encryption, incident response planning, and staff training are essential, and what individuals should do if they suspect their personal data has been compromised.
The Tea app breach isn’t just a cautionary tale—it’s a wake-up call for every digital platform that handles sensitive information.
#TeaApp #DataBreach #Cybersecurity #Privacy #WomenSafety #IdentityTheft #Facesmash #Firebase #AIgeneratedCode #IncidentResponse #Doxxing #SocialEngineering #DataProtection #DigitalSafety #Cybercrime

Ep 194 Job Scams, Corporate Espionage, and Digital Deception: Inside the Deepfake Crisis
Deepfake technology has evolved from a fringe novelty into one of the most serious cybersecurity and national security threats of our time. In this episode, we examine how artificial intelligence–generated synthetic media is being weaponized to impersonate CEOs, manipulate elections, infiltrate corporate networks, and damage reputations worldwide.
We explore shocking real-world cases, including a $25 million deepfake video call scam where criminals impersonated a CFO to defraud a company, and the alarming rise of fake job applications designed to gain insider access to sensitive networks. Beyond the financial industry, deepfakes are increasingly being used by nation-states like Russia, China, and North Korea to conduct disinformation campaigns, erode trust in democratic institutions, and funnel billions through fraudulent schemes.
But the threat doesn’t stop at institutions—society itself is under siege. Over 90% of online deepfake content is non-consensual pornography, disproportionately targeting women and minors, with devastating personal and professional consequences. Meanwhile, the “Liar’s Dividend” allows bad actors to dismiss authentic evidence as fake, pushing us toward a post-truth digital world.
We break down the technological, educational, and legislative responses required to combat this crisis. From AI-powered detection tools and blockchain-based content authentication, to media literacy campaigns and new federal legislation against deepfake misuse, we discuss the multifaceted strategies needed to fight back.
This is not just a story about technology—it’s about the future of trust in the digital age. Join us as we uncover how deepfakes are reshaping security, finance, and society, and what must be done to stay ahead of this rapidly escalating threat.
#Deepfakes #AIThreats #Cybersecurity #NationalSecurity #Fraud #CorporateEspionage #Disinformation #SyntheticMedia #ElectionSecurity #FinancialCrime #AI #GenerativeAI #Liar’sDividend #DigitalTrust #Privacy #OnlineSafety

Ep 193 Microsoft Exposes Major macOS Flaws in Transparency, Consent, and Control
In this episode, we dive deep into Microsoft Threat Intelligence’s latest findings on two critical macOS vulnerabilities that shook Apple’s privacy defenses. The flaws, identified as CVE-2025-31199 (Sploitlight) and CVE-2024-44133 (HM Surf), specifically targeted Apple’s Transparency, Consent, and Control (TCC) framework, the system designed to guard user data and manage app permissions. Sploitlight exploited Spotlight’s plugin mechanism to access sensitive files like Photos.sqlite and Apple Intelligence caches, exposing personal geolocation details and private user activities. Meanwhile, HM Surf allowed attackers to tap into Safari data—including browsing history, camera, and microphone—without authorization.
We examine how these vulnerabilities managed to bypass Apple’s multi-layered security approach, from hardware-rooted protections like the Secure Enclave to advanced system defenses like Signed System Volume (SSV) and Kernel Integrity Protection (KIP). Despite Apple’s comprehensive platform security architecture, the incident underscores the evolving sophistication of threat actors targeting macOS.
Apple has since released patches to close these security gaps, but the case raises serious questions: Are the TCC framework and other privacy safeguards enough in the face of increasingly complex exploits? What does this mean for the future of macOS security and the trust users place in Apple’s privacy promises?
Join us as we unpack the technical details of Sploitlight and HM Surf, analyze Apple’s rapid response, and discuss how users and organizations can stay ahead of such privacy-breaching attacks.
#Apple #macOS #Sploitlight #HMSurf #CVE2025_31199 #CVE2024_44133 #cybersecurity #MicrosoftThreatIntelligence #TCC #Spotlight #Safari #AppleIntelligence #dataprivacy #vulnerabilities #SecureEnclave #SignedSystemVolume #KernelIntegrityProtection

Ep 193 Aeroflot in Chaos: How Hackers Crippled Russia’s Flagship Airline
On July 28, 2025, Aeroflot—Russia’s largest state-owned airline—was brought to its knees in one of the most severe cyberattacks since the country’s invasion of Ukraine in 2022. The sophisticated assault, carried out by Ukrainian hacktivist group Silent Crow and the Belarusian Cyber-Partisans, led to the cancellation of more than 100 flights, stranded thousands of passengers across Moscow’s Sheremetyevo Airport and beyond, and triggered chaos at every level of Russia’s aviation sector.
The attackers claim they had deep-tier access to Aeroflot’s corporate systems for a full year before executing their strike, ultimately destroying over 7,000 physical and virtual servers and stealing more than 20 terabytes of sensitive data—including passengers’ personally identifiable information (PII), employee records, internal communications, and even recorded phone calls. Silent Crow has threatened to release portions of this data unless Russia ends its “repressive cyber-aggression.”
Beyond the immediate disruption, the attack has sent shockwaves through Russia’s tourism and aviation industries, costing Aeroflot tens of millions of dollars in damages, tanking its market value, and shaking global confidence in the security of air travel. For travelers, this serves as a stark reminder of how vulnerable aviation systems are in an era of escalating cyberwarfare. For Russia, it marks a humiliating breach of critical infrastructure during peak travel season, one that its own government has labeled “alarming.”
In this episode, we break down the scope of the Aeroflot cyberattack, the groups behind it, the geopolitical motivations fueling this new wave of digital warfare, and what it means for the future of global aviation security. We also examine the economic, reputational, and operational fallout for Aeroflot—and the broader warnings this incident sends to the entire aviation sector.
#Cyberattack #Aeroflot #SilentCrow #BelarusCyberPartisans #RussiaUkraineWar #DigitalWarfare #AviationSecurity #TourismCrisis #Cybersecurity #Hacktivism

Ep 192 Neferpitou Claims Cyberattack on French Naval Defense Giant
French defense contractor Naval Group, a cornerstone of Europe’s naval defense industry, is facing a high-stakes cybersecurity crisis. A threat actor known as “Neferpitou” claims to have exfiltrated 1TB of sensitive data, including combat management system (CMS) source code for submarines and frigates, technical documents, developer virtual machines, and internal communications. Initially demanding payment within 72 hours, Neferpitou later posted the entire dataset on DarkForums, a cybercrime hub that has surged in activity since the collapse of BreachForums.
Naval Group, partly owned by Thales, denies any breach of its IT systems or operational disruption, labeling the event a “reputational attack.” They argue the claims may involve recycled data from a 2022 Thales breach by LockBit. Still, the gravity of the allegations—potentially exposing restricted and classified defense data—has triggered urgent investigations involving cybersecurity experts, Naval Group’s CERT, and French authorities.
The incident reflects the rise of multi-extortion tactics in cybercrime, where threat actors don’t just encrypt or steal data but also weaponize reputation and public perception to pressure victims. In this case, the alleged breach raises pressing questions about the vulnerability of defense contractors, the credibility of cyber extortion claims, and the growing influence of platforms like DarkForums in shaping the cybercrime ecosystem.
As defense supply chains grow more interconnected, such attacks carry serious national security implications, potentially offering adversaries insights into critical naval capabilities. This episode examines the authenticity of Neferpitou’s claims, the geopolitical stakes, the evolution of cyber extortion beyond ransom notes, and why defense contractors are now prime targets in the digital battlefield.
#NavalGroup #Neferpitou #DarkForums #CyberExtortion #ReputationalAttack #FrenchDefense #CombatManagementSystems #Thales #DataLeak #LockBit #Cybersecurity #DefenseContractors #MultiExtortion #CriticalInfrastructure #NationalSecurity #CyberThreats #DataExfiltration #NavalSystems #CyberDefense #InfosecPodcast

Ep 191 Root Evidence Launches With $12.5M to Redefine Vulnerability Management
In July 2025, a team of seasoned cybersecurity leaders launched Root Evidence, a Boise-based startup with a mission to revolutionize how organizations tackle vulnerability management. Armed with $12.5 million in seed funding led by Ballistic Ventures, founders Jeremiah Grossman, Robert Hansen, Heather Konold, and Lex Arquette are setting out to fix one of cybersecurity’s most persistent problems: the overwhelming flood of vulnerabilities and the inability of security teams to focus on the ones that truly matter.
Root Evidence introduces a groundbreaking evidence-based security model—an approach that prioritizes remediation efforts based not on theoretical severity scores but on proof of exploitation in the wild. Their platform identifies the less than 1% of vulnerabilities that are actively weaponized by attackers, allowing organizations to cut through the noise, reduce breach likelihood, and calculate cyber risk in real financial terms.
This episode explores:
- The crisis of vulnerability overload, with tens of thousands of new CVEs published annually and attackers exploiting many within 24 hours of disclosure.
- Why traditional vulnerability management tools fall short and how Risk-Based Vulnerability Management (RBVM) and Cyber Risk Quantification (CRQ) are transforming security strategies.
- How Root Evidence’s approach empowers CISOs to communicate risk in dollars—a language executives and boards understand.
- The startup’s timing in Boise’s fast-growing tech ecosystem, where cybersecurity innovation is gaining traction.
- What Root Evidence’s entry means for enterprises preparing for events like Black Hat USA 2025, where evidence-based security is expected to be a major discussion point.
Root Evidence isn’t just another vulnerability scanner—it’s a reimagining of how businesses defend themselves in an era where speed, evidence, and financial clarity are the keys to survival.
#RootEvidence #Cybersecurity #VulnerabilityManagement #RBVM #CyberRiskQuantification #CRQ #BallisticVentures #JeremiahGrossman #RobertHansen #HeatherKonold #LexArquette #BoiseTech #CyberRisk #ExploitEvidence #CISO #BlackHat2025 #CyberDefense #CVE #ThreatIntelligence #SecurityInnovation #CyberResilience #VulnerabilityPrioritization

Ep 190 NASCAR Hit by Medusa Ransomware: 1TB of Data Stolen in April 2025 Cyberattack
In April 2025, NASCAR became the latest victim of a major cyberattack, with hackers infiltrating its network between March 31 and April 3. During the breach, personal information—including names and Social Security numbers—was exfiltrated from NASCAR’s systems. In response, the organization has notified affected individuals, activated its incident response plan, engaged a leading cybersecurity firm, and offered free credit and identity monitoring services.
But the story doesn’t end there. The notorious Medusa ransomware group has claimed responsibility, alleging the theft of 1 terabyte of sensitive data and demanding a $4 million ransom. Although NASCAR has not confirmed Medusa’s claims or whether ransom negotiations took place, the incident highlights the increasingly common tactic of data exfiltration as leverage, beyond mere encryption.
In this episode, we break down:
- How Medusa executed the attack, leveraging techniques like exploiting unpatched vulnerabilities and disabling security tools.
- Why groups like Medusa have shifted toward double and even triple extortion tactics, using stolen data as a weapon.
- The critical lessons from NIST’s Incident Response Life Cycle—from preparation to post-incident analysis—that organizations can apply today.
- The wider implications for the sports industry, which now manages massive volumes of sensitive fan, athlete, and financial data.
- The debate over transparency in ransomware negotiations—should organizations disclose more, or does silence protect victims?
This breach isn’t just a wake-up call for NASCAR—it’s a warning for all high-profile organizations that handle sensitive data. As ransomware groups like Medusa grow more sophisticated, incident response, proactive defenses, and cross-industry information sharing are more critical than ever.
#NASCAR #MedusaRansomware #Cyberattack #DataBreach #Ransomware #Cybersecurity #IncidentResponse #NIST #RaaS #DataExfiltration #IdentityTheft #SportsCybersecurity #DoubleExtortion #TripleExtortion #DarkWeb #CISO #CyberDefense #CyberThreats #InformationSecurity #PersonalDataBreach #NASCARBreach #CreditMonitoring

Ep 190 Scattered Spider Strikes Again: Inside the VMware ESXi Ransomware Tactics
In this episode, we examine the sophisticated operations of Scattered Spider—also known as Muddled Libra, UNC3944, and Octo Tempest—a financially motivated cybercriminal group that has redefined the ransomware threat landscape. Recently highlighted by Google’s Threat Intelligence Group (GTIG), Scattered Spider has escalated its attacks by targeting VMware vSphere and ESXi environments, seizing control of hypervisors to disable backups, steal sensitive data, and deploy ransomware with devastating speed.
Unlike traditional malware-heavy groups, Scattered Spider relies on meticulous social engineering to gain initial access—tricking IT support staff into resetting credentials and multi-factor authentication tokens. From there, they execute a lightning-fast kill chain:
- Escalating privileges through Active Directory
- Gaining administrative control of vCenter
- Pivoting to ESXi hypervisors to paralyze entire enterprises
- Encrypting data and backups to maximize leverage in double extortion schemes
Despite arrests of key members, including links to high-profile attacks on MGM Resorts, Caesars Entertainment, and major financial institutions, Scattered Spider continues to evolve. Their methods expose a dangerous blind spot: EDR tools don’t run on ESXi hypervisors, leaving virtualized infrastructure dangerously under-monitored.
This episode unpacks:
- The attack chain Scattered Spider uses to dominate virtualized environments
- Why EDR is no longer enough in today’s infrastructure-driven attacks
- How their partnerships with ransomware-as-a-service (RaaS) groups like ALPHV, DragonForce, and RansomHub amplify their reach
- Defensive strategies for organizations, including Managed XDR, immutable backups, phishing-resistant MFA, and infrastructure-centric monitoring
- Why businesses must move toward holistic, zero-trust security models that extend beyond the endpoint
As Scattered Spider shows, the threat landscape is shifting from endpoints to the very infrastructure that keeps enterprises running. If organizations don’t adapt, the next breach could unfold in hours—crippling entire networks before defenses can respond.
#ScatteredSpider #MuddledLibra #UNC3944 #OctoTempest #VMware #ESXi #vSphere #Ransomware #Cybercrime #GoogleThreatIntelligence #SocialEngineering #EDR #XDR #Cybersecurity #VirtualizationSecurity #HypervisorAttack #DataExfiltration #DoubleExtortion #MFABypass #RaaS #ALPHV #BlackCat #DragonForce #RansomHub #CyberThreats #CyberDefense #ZeroTrust #IncidentResponse

Ep 189 Koske Malware Hides in Panda Images, Weaponizes AI to Target Linux
A new and highly sophisticated malware strain named Koske is redefining the threat landscape for Linux environments. Suspected to be partially developed using artificial intelligence, Koske introduces novel and highly evasive techniques, blending image files, rootkits, and adaptive cryptomining logic to create a stealthy and persistent backdoor into systems worldwide.
What sets Koske apart is its ingenious use of polyglot files—specifically, JPEG images of panda bears that look harmless to the user but contain embedded shell scripts and C code. These files not only display a cute picture but simultaneously execute malicious commands to deploy CPU- and GPU-optimized cryptominers targeting 18 different cryptocurrencies. When one mining pool goes offline, Koske switches dynamically to another, demonstrating AI-assisted adaptability.
But the deception doesn't stop there. Koske uses stealth rootkits to hide its files, processes, and even its own presence from system monitoring tools. It establishes persistence through cron jobs, modifications to .bashrc and .bash_logout, and even creates custom systemd services. Its connectivity module is capable of proxy discovery and failover, giving it resilience in varied network conditions—a hallmark of AI-generated logic.
Security researchers have flagged verbose, modular code structures, well-commented logic, and defensive programming patterns as signs that large language models (LLMs) played a role in writing Koske. This points to a disturbing new frontier: the rise of AI-generated malware that can learn, adapt, and hide better than anything seen before.
With 70% of web servers running on Linux, and many enterprises relying on misconfigured or poorly secured systems, the danger posed by malware like Koske is immense. Traditional antivirus tools fall short, especially against polyglot-based file delivery, making runtime protection, network anomaly detection, and strict access controls more essential than ever.
In this episode, we break down how Koske operates, what makes it so hard to detect, and why it represents a paradigm shift in malware evolution. We also cover defensive strategies, including Linux-specific hardening, container protection, AI-powered defense tools, and why user awareness is still one of the most powerful safeguards.
This isn’t just a story about malware. It’s a case study in the cyber arms race between AI-powered offense and AI-powered defense—and why the stakes have never been higher.
#KoskeMalware #LinuxSecurity #AIThreats #PolyglotFiles #CryptominingMalware #Rootkits #Cybersecurity #PandaJPEGAttack #ShellScriptMalware #GPUCryptoMiner #AIinCybercrime #CyberThreats #LLMGeneratedCode #StealthMalware #LinuxCryptojacking #AdaptiveMalware #CyberHygiene #ContainerSecurity #AIvsAI #MalwareEvasion #InfosecPodcast #APT #CyberDefense #PersistentMalware #DynamicMalware

Ep 189 Operation Checkmate: BlackSuit Ransomware’s Dark Web Sites Seized
BlackSuit, the ransomware strain known for crippling critical sectors and demanding multi-million dollar payouts, has just suffered a devastating blow. In a coordinated international law enforcement operation codenamed "Operation Checkmate," authorities—including the U.S. Department of Justice, Homeland Security Investigations, FBI, Europol, the UK’s NCA, Dutch and German police, and more—have seized BlackSuit’s dark web extortion platforms. These takedowns included the gang’s negotiation and data leak sites, effectively severing their means to pressure and extort victims.
BlackSuit is no small player. A direct descendant of Royal ransomware, and before that Quantum and Conti, this group has orchestrated attacks against hundreds of organizations worldwide, demanding ransoms ranging from $1 million to $60 million, with total demands exceeding $500 million USD. Their tactics—ranging from phishing and RDP exploitation to malware-assisted lateral movement and data exfiltration—showcase a sophisticated playbook powered by open-source tools like Chisel, RClone, Gootloader, Cobalt Strike, and even SystemBC.
Known for double extortion, BlackSuit steals data before encrypting it, then threatens to release sensitive information on the dark web. Victims across sectors like education, healthcare, manufacturing, and construction have been affected, with the United States as the primary target.
“Operation Checkmate” goes beyond disruption: a decryptor tool has now been released to help victims recover encrypted files. This move mirrors past successes against ransomware groups like HIVE and LockBit, reflecting a growing trend of international cybercrime enforcement unity.
But while the infrastructure has been seized, experts warn that BlackSuit’s members—many with ties to Conti and Royal—may resurface under a new alias. The takedown is a critical win, but not the end of the game.
This episode explores the technical depths of BlackSuit’s operations, their evolution from Conti-linked origins, and what this takedown means for the broader ransomware threat landscape. We also examine key defense strategies, including multi-factor authentication, network segmentation, secure logging, and real-time monitoring, to defend against future attacks.
#BlackSuitRansomware #OperationCheckmate #RoyalRansomware #RansomwareTakedown #Cybercrime #DoubleExtortion #DecryptorReleased #DarkWebSeizure #FBI #CISA #HomelandSecurity #Europol #NCA #ContiRansomware #DataExfiltration #Cybersecurity #CyberThreat #BigGameHunting #RDPExploit #MalwarePersistence #Infosec #PhishingAttacks #DecryptorTool #StopRansomware

Ep 188 Coyote Malware Exploits Microsoft UI Automation in First-Ever Wild Attack
A new banking trojan called Coyote has emerged as a groundbreaking cyber threat, becoming the first known malware in the wild to exploit Microsoft’s User Interface Automation (UIA) framework—an accessibility tool originally designed to help users interact with Windows interfaces. But in the hands of attackers, UIA becomes a weapon of stealth and precision.
Primarily targeting Brazilian banking and crypto users, Coyote uses sophisticated techniques to extract credentials from over 60 financial institutions by reading UI elements in active windows and phishing through subtle interface manipulation. Leveraging tools like GetForegroundWindow() and UIAutomation COM objects, Coyote identifies sensitive browser elements such as tabs and address bars—without ever requiring prior knowledge of the application’s structure.
What makes this threat even more dangerous is its stealth. Traditional endpoint detection and response (EDR) tools struggle to detect UIA-based intrusions, allowing Coyote to operate quietly in the background—whether online or offline. Beyond keylogging and phishing, it can take screenshots, kill processes, mimic system updates, and even freeze entire systems.
Even more alarming is the technical novelty: Coyote's final payload is written in Nim, a lesser-known programming language that helps it avoid signature-based detection. This Trojan spreads using the Squirrel installer, masquerading as a legitimate updater to gain initial access.
Researchers warn this technique could be the beginning of a wave of UIA-based attacks, which will be much harder to detect and stop. Detection strategies now include monitoring the loading of UIAutomationCore.dll, and inspecting named pipes like UIA_PIPE_* to catch inter-process communication anomalies.
In this episode, we also explore Cryptika’s role as a leading cybersecurity provider in the Middle East. From penetration testing and DFIR to GRC consulting and threat hunting, Cryptika is equipping organizations with the tools to detect and prevent threats like Coyote before they cause damage.
Coyote is a harbinger of a future where even accessibility features can be turned against us—highlighting the urgent need for proactive monitoring, multi-layered defenses, and vigilant detection of abused system components.
#CoyoteMalware #MicrosoftUIAutomation #UIAExploit #BankingTrojan #CredentialTheft #WindowsAccessibilityAbuse #NimMalware #CyberThreat #BrazilianTrojan #CryptocurrencySecurity #Cybersecurity #EDREvasion #NamedPipes #UIAutomationCore #InfoStealer #C2Infrastructure #BankingMalware #Phishing #CommandAndControl #AdvancedThreats #Cryptika #CyberDefense #ThreatDetection #DFIR #GRC #RedTeaming #InfosecPodcast

Ep 187 No Fix Coming: Remote Code Execution Flaw in 1,300 LG Security Cameras
A newly disclosed critical vulnerability, CVE-2025-7742, is putting hundreds of LG Innotek LNV5110R security cameras at risk around the world—including within critical infrastructure. This high-severity authentication bypass flaw allows remote attackers to gain full administrative control without credentials, giving them access to live camera feeds, the ability to disable or disrupt device functionality, and the opportunity to pivot deeper into internal networks.
The most alarming detail? LG Innotek has confirmed it will not release a patch, as the affected camera model has officially reached its end-of-life (EOL) status. Security researcher Souvik Kandar uncovered the vulnerability, which is now being highlighted by major security bodies like CISA. With over 1,300 internet-exposed devices still active, the risk of exploitation is very real—and immediate.
This episode unpacks the technical details of the vulnerability, the wider dangers of unpatched EOL devices, and the pressing need for network segmentation, Zero Trust access controls, and proactive EOL management policies. We examine how remote code execution (RCE) enables threat actors to escalate privileges, maintain persistence, and launch further attacks—all starting with an unpatched IoT device.
From the failure to patch, to poor lifecycle management, to the broader lessons in infrastructure security, this is more than just a flaw in one device—it’s a case study in how old tech becomes a new threat.
#CVE20257742 #LGInnotek #SecurityCameras #RemoteCodeExecution #RCE #CriticalInfrastructure #IoTSecurity #Cybersecurity #UnpatchedDevices #EndOfLife #NetworkSegmentation #ZeroTrust #VulnerabilityDisclosure #CISAwarning #PivotAttack #ReverseShell #AdminAccess #CyberThreats #Infosec #ThreatHunting

Ep 186 ToolShell Exploited: China-Linked Hackers Breach NNSA and U.S. Government Networks
In one of the most concerning state-sponsored cyber incidents of the year, Chinese hackers exploited zero-day vulnerabilities in Microsoft SharePoint to breach the networks of the National Nuclear Security Administration (NNSA)—the U.S. agency responsible for managing the nation's nuclear arsenal. The attackers, part of a suspected Chinese state-sponsored group, used a sophisticated chain of vulnerabilities dubbed ToolShell, targeting not only the NNSA but also other high-profile U.S. and global entities, including the National Institutes of Health (NIH).
While the U.S. Department of Energy reports no classified data was compromised, cybersecurity experts are sounding the alarm. The campaign, active since at least July 7, 2025, has compromised hundreds of servers and affected more than 148 organizations worldwide, making it one of the broadest cyber-espionage campaigns in recent history.
This episode unpacks:
- How Chinese state-sponsored actors exploited SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-49706 to deploy malware and maintain persistence
- The TTPs (Tactics, Techniques, and Procedures) these actors used, including web shells, lateral movement, credential harvesting, and even disabling Microsoft Defender protections
- Why the NNSA’s use of cloud-based infrastructure and rapid detection minimized the breach’s impact
- The growing sophistication of China’s cyber espionage campaigns, from economic and political spying to targeting critical U.S. defense infrastructure
- The broader implications for international cybersecurity, attribution, and the increasingly blurred lines between cybercrime and cyberwarfare
We also explore the cybersecurity gaps that persist across the U.S. public sector, the urgency of "security by design," and the need for immediate patching, endpoint protection, and coordinated threat intelligence sharing.
As geopolitical tensions rise and cyberspace becomes the newest front in international conflict, this incident offers a chilling reminder: even the most sensitive government systems are not immune from sophisticated, well-funded nation-state actors.
#NNSA #CyberEspionage #ChineseHackers #SharePointZeroDay #ToolShell #MicrosoftVulnerability #CVE202553770 #StateSponsoredHacking #USNationalSecurity #CriticalInfrastructure #ZeroDayExploit #CyberAttack #DOE #Storm2603 #WebShell #Cybersecurity #InfoSec #CloudSecurity #TTPs #GovernmentCyberDefense #CyberWarfare #MicrosoftDefender #PersistentAccess #NuclearSecurity #APT #ChinaCyberOps #CyberThreats #NationalSecurity #CISA #CyberStrategicPlan #CyberResilience

Ep 185 Massive NPM Breach: Malicious Packages Spread via Compromised Maintainer Accounts
In this episode, we expose the alarming supply chain attack that compromised millions of JavaScript projects across the globe. This sophisticated breach targeted the NPM ecosystem, infecting widely-used packages like eslint-config-prettier and is, through a coordinated phishing campaign and the exploitation of non-expiring legacy access tokens.
Attackers began by impersonating the official npm registry with a typosquatted domain (npnjs[.]com), stealing credentials from developers via fake login prompts. Once inside, they bypassed GitHub commit histories and published rogue versions of key packages directly to the registry, effectively weaponizing trusted developer pipelines.
The real payload? Scavenger malware—a stealthy, cross-platform info-stealer designed to harvest sensitive data from Chromium-based browsers. It ran entirely in JavaScript or injected malicious DLLs, evading detection with anti-VM and antivirus checks, and even capable of disabling browser security alerts.
We break down:
- The timeline and tactics of the attack
- Why NPM’s legacy access tokens became the attackers’ golden ticket
- The vulnerabilities in Chromium’s local security model that allowed malware like Scavenger to thrive
- How human error and overlooked MFA practices amplified the threat
- Lessons on securing software supply chains and managing third-party risks
With over 180 million weekly downloads potentially affected, this breach wasn’t just a security failure—it was a wake-up call for the entire developer community.
We also explore the assigned CVE-2025-54313, and what this means for NPM and open source governance going forward. You'll hear what security professionals, maintainers, and platforms must do now to prevent another incident of this scale—from granular access token enforcement to phishing-resistant MFA and proactive malware scanning.
This is more than a breach—it’s a blueprint for future attacks if safeguards don’t evolve.
#NPM #ScavengerMalware #SupplyChainAttack #CVE202554313 #JavaScriptSecurity #OpenSourceSecurity #eslint #Prettier #InfoStealer #LegacyTokens #TokenSecurity #Chromium #Typosquatting #SoftwareSupplyChain #Cybersecurity #Phishing #2FA #Nodejs #Malware #DeveloperSecurity #DevSecOps #npmEcosystem #MaliciousPackages #CrossPlatformMalware #CredentialTheft

Ep 185 Clorox Sues Cognizant Over $356M Cyberattack: Who's Really to Blame?
In one of the most dramatic cybersecurity legal battles of the past year, Clorox has filed a lawsuit against IT services giant Cognizant, accusing the company of gross negligence that allegedly enabled a catastrophic 2023 cyberattack. The breach wreaked havoc on Clorox's operations—causing widespread product shortages, a multibillion-dollar hit to its market cap, and an estimated $356 million in damages.
At the center of the controversy? A series of alleged failures by Cognizant's help desk staff, who Clorox claims repeatedly reset passwords and multi-factor authentication (MFA) credentials without verifying identities. Hackers, believed to be part of the Scattered Spider group, reportedly exploited these lapses to gain system access via social engineering—highlighting a growing trend of attacks bypassing technical safeguards by targeting human weaknesses.
But Cognizant is pushing back hard, arguing that its role was limited to narrow help desk services and that Clorox's own cybersecurity defenses were inadequate. The dispute raises urgent questions about third-party risk, contractual clarity, and the fine line between support roles and security responsibilities in IT outsourcing relationships.
This episode dives deep into:
- The timeline and tactics behind the Clorox breach
- What the lawsuit reveals about gaps in MFA implementation and help desk protocols
- The contractual gray areas now under legal scrutiny
- Why even companies hailed for cybersecurity investments—Clorox spent over $500 million on IT upgrades—can fall victim to poor vendor oversight
- Lessons for organizations on drafting better IT service contracts, vetting MSPs, and strengthening protections against social engineering attacks
We also examine how this case underscores the broader industry shift: Organizations may outsource IT functions, but they can never outsource accountability.
Whether you’re in legal, IT, procurement, or the C-suite, this is a must-listen episode on how a help desk misstep became a case study in enterprise risk, and what every company can learn from it.
#Clorox #Cognizant #Cybersecurity #CyberAttack #DataBreach #Lawsuit #MFA #SocialEngineering #ITContracts #ThirdPartyRisk #ScatteredSpider #CyberLiability #OutsourcedIT #HelpDeskBreach #InfoSec #SupplyChainDisruption #CISO #TechLaw #DigitalRisk #EnterpriseSecurity #SecurityAwareness #BusinessContinuity #DataProtection #SecurityCompliance #CyberInsurance

Ep 185 HeroDevs Secures $125M to Extend Life of Critical Open Source Software
In this episode, we dive deep into HeroDevs' recent $125 million strategic growth investment, a move that signals a major expansion in the fight against the vulnerabilities of end-of-life (EOL) open source software. Based in Salt Lake City, HeroDevs has carved out a critical niche—providing "Never-Ending Support" (NES) to ensure security, compliance, and functionality for deprecated OSS widely used across enterprise systems.
With this latest round, HeroDevs has raised a total of $133 million, and they’re putting it to strategic use. The funding will enhance their NES offerings, reinforce proactive defense against AI-driven vulnerabilities, and expand compatibility across more frameworks like Drupal 7, Bootstrap, jQuery, and even CentOS. Perhaps most significantly, $20 million of the raise is earmarked for their Open Source Sustainability Fund, a powerful initiative supporting creators and maintainers of OSS projects that follow best practices when entering end-of-life.
HeroDevs already supports over 900 organizations, including nearly a third of the Fortune 100. Their NES model allows companies to avoid the costly burden of migrating away from deprecated tools while maintaining security and regulatory compliance with standards like HIPAA, PCI-DSS, and FedRAMP.
As the adoption of AI accelerates and increases security surface area, the need for long-term, secure OSS support becomes more urgent. We explore how HeroDevs plans to meet that demand, the risks of unmanaged EOL software, and how their NES services are already mitigating threats before they’re disclosed publicly.
This is not just about patching old code. It’s about sustaining the backbone of modern digital infrastructure, supporting the developers who maintain it, and giving companies a viable path forward in a rapidly evolving threat landscape.
#HeroDevs #OpenSourceSecurity #NeverEndingSupport #OSS #EndOfLifeSoftware #CyberSecurity #Compliance #VulnerabilityManagement #SustainabilityFund #AIThreats #CentOS #Drupal7 #Bootstrap #jQuery #OpenSourceFunding #SoftwareMaintenance #DevSecOps #EnterpriseSecurity #LegacySoftware #AaronFrost #PSGInvestments

Ep 184 UK Moves to Ban Ransomware Payments for Public Sector and Critical Infrastructure
In a landmark move to disrupt the financial engine powering ransomware attacks, the United Kingdom is pushing forward with legislation that would ban ransom payments across the public sector and critical national infrastructure (CNI). This sweeping proposal covers everything from local councils and schools to healthcare providers like the NHS, aiming to make essential public services less attractive to cybercriminals.
The government is also introducing a mandatory ransomware incident reporting regime, requiring organizations to notify authorities within 72 hours of a suspected attack and submit a detailed report within 28 days. For private sector businesses, a new Ransomware Payment Prevention Regime would require prior government notification before any ransom can be paid — a measure designed to ensure sanctions compliance and transparency.
While ransomware groups increasingly target vulnerable and underfunded public services, the UK’s targeted ban seeks to remove the core incentive: money. The plan enjoys overwhelming support from the public sector and critical infrastructure organizations, though debate continues over exemptions for essential services and how to support victims during live incidents.
This episode breaks down what these legislative proposals mean, how they fit into the larger fight against ransomware, and why the timing couldn’t be more urgent. With ransomware attacks surging to record levels — fueled by leaked credentials, infostealers, and ransomware-as-a-service — the UK aims to shift the risk-reward calculus for threat actors.
We’ll also explore how attackers are adapting post-macro disablement, turning to container payloads and social engineering to gain access, and how nation-state groups from Russia, China, Iran, and North Korea are blending financial and political motives in their cyber operations.
As ransomware groups continue to evolve, the UK is trying to stay one step ahead — not just by catching criminals, but by cutting off their funding altogether.
#RansomwareBan #UKCyberSecurity #NHS #CriticalInfrastructure #NoMoreRansoms #RansomwareReporting #Infostealers #CNI #CyberCrime #UKGov #CyberLegislation #RansomwareEconomics #MandatoryReporting #CyberResilience #MFA #ZeroTrust #CredentialTheft #PublicSectorSecurity #SecureWorks #RansomwareAsAService #Clop #LaceTempest #StateSponsoredCyber #CyberPolicy

Ep 184 New SysAid Vulnerabilities Added to CISA’s KEV List: XXE Flaws Could Enable RCE
Two newly added vulnerabilities in SysAid’s On-Prem IT support software — CVE-2025-2775 and CVE-2025-2776 — have officially joined the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, signaling increased concern around their potential abuse. While there are no confirmed reports of public exploitation or ransomware involvement to date, history suggests that SysAid products remain a viable target for threat actors.
These flaws, discovered by watchTowr Labs in late 2024 and patched in early 2025, are XML External Entity (XXE) injection vulnerabilities that allow attackers to extract sensitive files and administrator credentials from vulnerable servers. When chained with a separate post-authentication command injection bug (CVE-2024-36394), they can lead to full remote code execution (RCE) as SYSTEM — an extremely dangerous scenario that effectively gives attackers unrestricted access to compromised servers.
Though no active ransomware campaigns have yet exploited these specific flaws, CISA’s KEV designation highlights the need for urgent remediation — particularly given that SysAid products have been targeted before. In 2023, the Cl0p ransomware gang exploited a separate zero-day (CVE-2023-47246), using it to deploy malware across enterprise networks. That precedent, combined with the stealthy nature of XXE and RCE attacks, underscores why organizations must treat these vulnerabilities as critical.
This episode explores how the vulnerabilities work, what makes them exploitable in real-world attack chains, and why CISA’s inclusion in the KEV catalog should be taken seriously — especially under Binding Operational Directive 22-01, which mandates federal agencies to patch affected systems by strict deadlines.
We also dive into broader threat trends from CrowdStrike’s 2025 Global Threat Report: how attackers are increasingly going malware-free, leveraging AI, and moving at unprecedented speeds. With 79% of breaches no longer relying on malware and a 442% rise in vishing attacks, defenders must prepare for identity-based intrusions and rapidly evolving social engineering.
We wrap with actionable guidance: patch to SysAid version 24.4.60 or higher, conduct compromise assessments, disable external XML entity parsing, and strengthen access controls and monitoring to reduce lateral movement risk. Even if these vulnerabilities haven’t yet been publicly exploited, waiting for proof-of-exploit is no longer an option in today’s threat landscape.
#SysAid #CVE20252775 #CVE20252776 #CISAKEV #XXEVulnerability #RemoteCodeExecution #RCE #KEVCatalog #WatchTowrLabs #CISAWarning #Cybersecurity #PatchNow #CommandInjection #Infosec #ITSupportSecurity #Cl0pRansomware #SysAidSecurity #XMLInjection #CrowdStrike2025 #CyberThreats #BindingDirective #IdentitySecurity #AdminTakeover #ThreatIntelligence

Ep 184 Lumma Stealer Returns: Malware-as-a-Service Resurges After Global Takedown
In this episode, we unpack the rapid and concerning resurgence of Lumma Stealer, a sophisticated Malware-as-a-Service (MaaS) platform, just months after a major international takedown. Despite Microsoft, the FBI, Europol, and global partners dismantling over 2,500 malicious domains and seizing critical infrastructure in May 2025, Lumma Stealer has come roaring back. The cybercriminal group behind the malware — tracked as Water Kurita by Trend Micro and Storm-2477 by Microsoft — adapted quickly, hardening their operations and adopting stealthier tactics to evade future disruptions.
We delve into how Lumma’s developers responded by shifting away from public cybercrime forums and deploying infrastructure across Russian data centers like Selectel. Their latest strategies include abusing cloud services, fake software websites, and social media platforms like YouTube and Facebook to spread the infostealer — often disguised as cracked tools, Photoshop downloads, or game cheats. Even GitHub is being weaponized with AI-generated lures targeting unsuspecting users.
Lumma Stealer’s capabilities are dangerous and comprehensive: it steals credentials, financial data, crypto wallets, and even hijacks session cookies — effectively bypassing multi-factor authentication (MFA). Its code can run directly in memory, avoiding detection by traditional antivirus. The consequences are real — the malware has already been tied to breaches of Jaguar Land Rover and customer data leaks from Royal Mail.
This episode also highlights the larger trend of information stealers enabling modern cybercrime. With generative AI accelerating phishing, malware coding, and even infrastructure building, the bar to entry for cybercriminals has never been lower.
We explore actionable defense strategies including DNS filtering, browser hardening, dark web monitoring, and the critical role of behavioral endpoint detection. Listeners will also learn how companies can adjust security policies, implement segmentation, and improve staff awareness to defend against this evolving threat landscape.
Lumma’s comeback isn’t just a case study in cyber resilience — it’s a wake-up call. Cybercrime doesn’t disappear when servers go offline. It morphs, rebuilds, and strikes again — smarter, faster, and harder to detect.
#LummaStealer #MalwareAsAService #MaaS #InformationStealer #MicrosoftDCU #WaterKurita #Storm2477 #Cybercrime #FakeSoftware #Phishing #SessionHijacking #MFABypass #AIInCybercrime #DarkWeb #CredentialTheft #Infostealer #GitHubAbuse #CyberThreats #RansomwareEcosystem #BYODSecurity #DNSFiltering #CyberSecurity #TrendMicro #TakedownFail #PersistenceOfMalware

Ep 183 Cisco ISE Critical Flaws Now Actively Exploited: No Workarounds, Just Root Access
Hackers are actively exploiting a trio of critical zero-day vulnerabilities in Cisco’s Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC), prompting urgent patching directives from the company. The flaws — CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337 — each carry a maximum CVSS severity score of 10.0, indicating the highest possible risk. These vulnerabilities allow remote, unauthenticated attackers to execute arbitrary code with root-level access, completely compromising the underlying system. Cisco has confirmed active exploitation attempts as of July 2025, making this not a theoretical threat but a real and present danger to enterprise networks.
Each vulnerability is distinct and does not require chaining, yet all enable full system compromise. CVE-2025-20281 and CVE-2025-20337 exploit poor input validation on exposed APIs, while CVE-2025-20282 takes advantage of insecure file handling to write malicious files into privileged directories. None of these attacks require credentials or user interaction, making exploitation trivial for attackers once systems are exposed to the internet or internal threat actors.
Cisco has urgently advised customers running ISE or ISE-PIC version 3.3 to upgrade to Patch 7, and version 3.4 to Patch 2. Importantly, earlier hot patches released by Cisco do not address CVE-2025-20337, leading to a patching gap for many organizations. There are no workarounds available — the only protection is to patch immediately.
This episode breaks down how the vulnerabilities work, what makes them so dangerous, and why attackers are targeting Cisco’s identity infrastructure right now. We also cover who discovered these bugs, Cisco's delayed but critical patch guidance, and how privilege escalation to root on Linux opens the door for complete system takeover.
If your network uses Cisco ISE or ISE-PIC, this episode could be the difference between resilience and root-level compromise.
#CiscoISE #ZeroDay #CVE202520281 #CVE202520282 #CVE202520337 #PrivilegeEscalation #RemoteCodeExecution #RootAccess #CVSS10 #PatchNow #CyberSecurity #Cisco #ISEPIC #ThreatIntel #ExploitInTheWild #VulnerabilityManagement #LinuxSecurity #NetworkSecurity #RCE #ZeroDayExploit #CiscoPatch #TrendMicroZDI

Ep 182 ToolShell: SharePoint Zero-Day Chain Gives Hackers Full Remote Access
A new wave of zero-day attacks—collectively known as ToolShell—is actively targeting Microsoft SharePoint servers, with two vulnerabilities (CVE-2025-53770 and CVE-2025-53771) allowing unauthenticated remote code execution and identity control bypass. First observed in high-value targets across government, critical infrastructure, and manufacturing sectors, the ToolShell exploit chain has since expanded into opportunistic attacks, with early attribution pointing to China-linked threat actors.
The attack chain begins by exploiting a deserialization flaw and a spoofing/path traversal bug to gain unauthenticated access to SharePoint’s ToolPane functionality. Once inside, attackers deploy stealthy ASPX webshells like xxx.aspx and spinstall0.aspx to exfiltrate cryptographic secrets—including ASP.NET MachineKey values—without triggering alerts. In more advanced cases, attackers avoid persistent shell artifacts altogether, using in-memory modules for fileless exploitation and credential theft.
This episode dives into the full lifecycle of the ToolShell attacks:
- How attackers rapidly evolved their tactics after initial Microsoft patches were released
- Why SharePoint 2016 users remain at elevated risk due to the absence of a patch
- Evidence of AMSI evasion, SSO and MFA bypasses, and credential harvesting across victim networks
- Best practices for mitigation: patching, enabling AMSI "Full Mode", deploying antivirus with EDR, and rotating cryptographic keys
- Why machine key rotation is essential even post-patching to revoke compromised credentials and prevent persistent access
We’ll also discuss the role of SharePoint's layout endpoints, how logging POST requests to /_layouts/15/ToolPane.aspx can reveal exploitation attempts, and why incident response planning and forensic readiness are now non-negotiable for organizations running on-prem SharePoint.
The ToolShell campaign is a sobering example of how quickly adversaries can pivot in response to public disclosures—and why organizations must treat patching as a race against weaponization. If your infrastructure still relies on SharePoint Server, this is a must-listen breakdown of one of the most sophisticated exploit chains of 2025.
#ToolShell #SharePointZeroDay #CVE202553770 #CVE202553771 #MicrosoftSharePoint #RemoteCodeExecution #ZeroDayExploit #Webshell #MachineKey #CryptographicTheft #AMSI #PatchNow #AdvancedPersistentThreat #Cyberattack #Infosec #ChinaAPT #EDR #SSOBreach #MFABypass #EnterpriseSecurity #ThreatIntel #OnPremSecurity #CyberThreats

Ep 181 CVE-2025-54309: CrushFTP Zero-Day Exploited in Global Admin Access Attacks
A critical zero-day vulnerability in CrushFTP (CVE-2025-54309) is being actively exploited, giving attackers administrative access to over a thousand unpatched servers globally. This severe security flaw—caused by improper validation in the AS2 protocol—has exposed enterprise-managed file transfer (MFT) systems across the US, Europe, and Canada. Security experts are sounding the alarm, and organizations relying on CrushFTP are urged to patch immediately.
Discovered in mid-July 2025, the bug has been traced to reverse-engineering of recent CrushFTP patches. The vulnerability grants unauthenticated attackers complete control via exposed web interfaces, making it a high-value exploit for data theft, surveillance, and potential ransomware staging. While patched versions (10.8.5 and 11.3.4_23 or later) and properly configured DMZ instances are immune, over 1,000 servers remain vulnerable, according to Shadowserver.
This is not CrushFTP’s first brush with exploitation. A similar zero-day (CVE-2024-4040) was weaponized in April 2024 by espionage-linked actors. A separate authentication bypass (CVE-2025-31161) was publicly exploited just two months ago. The rapid cadence of these exploits underscores the high-stakes environment surrounding MFT tools, which are increasingly targeted by ransomware gangs like Clop and advanced persistent threat (APT) groups.
This episode dives deep into:
- The technical root of CVE-2025-54309 and how attackers exploit AS2 mishandling
- Indicators of compromise, including rogue admin accounts and fake version numbers
- How CrushFTP users can mitigate risk through patching, DMZ deployment, and backup restoration
- Why MFT tools have become a goldmine for threat actors—and how to defend them
- Best practices: zero trust policies, IP whitelisting, SFTP isolation, and automated encryption
The CrushFTP zero-day is a case study in how unmanaged MFT exposure can lead to catastrophic administrative compromise. If you’re in IT, DevOps, or cybersecurity, this episode is a must-listen to understand the evolving risks in file transfer infrastructure and how to respond effectively before attackers strike.
#CrushFTP #CVE202554309 #ZeroDay #MFTSecurity #ManagedFileTransfer #DataBreach #Cyberattack #AS2Protocol #PatchNow #FileTransferVulnerability #Shadowserver #Infosec #AdminTakeover #Exploit #Cybersecurity #ITSecurity #ClopGang #DataTheft #SFTP #DMZ #EnterpriseSecurity #CyberThreats #ZeroTrust #CVEAlert #CrushFTPExploit

Ep 180 Dell Breach by World Leaks: Extortion Attempt Hits Demo Platform
Dell Technologies is the latest target in a growing trend of data extortion attacks as threat actors pivot away from traditional ransomware. The cybercrime group known as World Leaks—a rebrand of the former Hunters International gang—has claimed responsibility for breaching Dell’s Customer Solution Centers (CSC), a sandbox environment used primarily for product demonstrations and proofs of concept.
Although World Leaks claims to have exfiltrated 1.3 TB of data, Dell has confirmed that the vast majority of it consists of synthetic, publicly available, or demonstration data, with the only legitimate information being an outdated internal contact list. Despite limited direct risk to customers, this breach underscores a dangerous and evolving trend in cybercrime: data extortion without encryption.
In this episode, we analyze how World Leaks has shifted away from ransomware’s traditional encrypt-and-demand model in favor of stealthy data theft paired with psychological extortion tactics. The group has built out a data brokerage platform with open-source intelligence (OSINT) capabilities designed to contact, harass, and pressure victims across channels, making non-production systems like Dell’s CSC a prime target for leverage rather than disruption.
We break down how synthetic data helps mitigate some risks, but also explore why “safe” environments aren’t really safe anymore—and why developers, security teams, and enterprise leaders must now treat demonstration and development platforms as attack surfaces. As the industry sees rising costs in cybersecurity investments and cyber insurance, organizations must now prepare for extortion scenarios with no encryption, no downtime—but serious reputational stakes.
Join us for a deep dive into:
- The anatomy of the Dell breach
- The rise of extortion-as-a-service
- Best practices for securing non-production environments
- How organizations should update incident response plans to account for silent breaches
- Why consumer trust is on the line, even in “low-risk” attacks
This breach may not be catastrophic in data terms—but its implications are loud and clear: data is the new weapon, and extortion is its delivery mechanism.
#DellBreach #WorldLeaks #CyberExtortion #DataLeak #Cybersecurity #RansomwareEvolved #NonProductionSecurity #SyntheticData #CustomerSolutionCenters #Infosec #CyberAttack #HuntersInternational #DataBreach #DevOpsSecurity #SandboxBreach #DataPrivacy #NetworkSegmentation #ExtortionAsAService #CorporateCyberRisk #TechNews

Ep 180 Critical VPN Vulnerability: ExpressVPN Exposed IPs via RDP Misrouting
A critical vulnerability in ExpressVPN’s Windows client has put a spotlight on the often-overlooked dangers of debug code making its way into production software. This episode dives into how a debug configuration error allowed Remote Desktop Protocol (RDP) traffic to bypass the VPN tunnel, potentially exposing users’ real IP addresses and compromising their privacy. While encryption remained intact, the misrouting flaw meant anyone observing the network—such as ISPs or threat actors on shared Wi-Fi—could infer which remote servers a user was accessing via RDP.
This vulnerability, discovered by security researcher "Adam-X," affected multiple versions of the ExpressVPN client (from version 12.97 up to 12.101.0.2-beta) before a patch was issued in version 12.101.0.45. Although the issue was deemed "low risk" due to RDP’s more limited use among IT professionals and enterprise users, the implications are far-reaching. We explore how this misstep echoes a previous DNS leak caused by ExpressVPN's split tunneling feature and what it reveals about the persistent risks in VPN architecture.
We also expand the conversation to include broader software development lessons. From Common Weakness Enumerations (CWEs) like CWE-489 (Active Debug Code) and CWE-215 (Sensitive Info in Debug Code), to real-world consequences such as the infamous HP keylogging controversy, debug code remains a silent but dangerous adversary in cybersecurity. We'll cover how poor internal testing and oversight can unravel even the most privacy-focused tools—and what best practices can prevent these incidents, including zero-trust frameworks, strict tunneling policies, secure RDP configurations, and vigilant monitoring.
If you rely on a VPN for privacy, especially in corporate settings or when using remote access tools like RDP, you won’t want to miss this deep dive into one of the year’s most revealing security incidents.
#ExpressVPN #VPNLeak #RDP #DebugCode #CVE #Cybersecurity #VPNPrivacy #RemoteAccess #SplitTunneling #IPLeak #EnterpriseSecurity #ZeroTrust #NetworkSecurity #SecureVPN #PrivacyBreach #SoftwareDevelopment #SecurityPatch #CWE #ITSecurity #TechNews

Ep 179 Dior Data Breach Exposes U.S. Customer Info in LVMH Vendor Attack
In this episode, we unpack the January 2025 data breach at Dior, the iconic luxury fashion house, which exposed sensitive personal information of U.S. customers—including names, addresses, and even Social Security and passport numbers. Although payment data remained secure, the incident's impact is substantial, both in terms of customer trust and corporate accountability.
What makes this breach especially troubling is that it wasn’t Dior’s systems that failed—it was a third-party service provider handling customer relationship management and marketing communications. The breach, discovered only in May, is now believed to be part of a larger cyberattack against LVMH, Dior’s parent company, which also affected Louis Vuitton. The ShinyHunters cyber extortion group is suspected of being behind the attack.
We explore how third-party vulnerabilities have become the Achilles' heel of even the most well-resourced brands. Drawing from FINRA, FTC, and cybersecurity expert analysis, we look at:
- The rising frequency and scale of third-party breaches, including parallels to NotPetya, SolarWinds, and MOVEit;
- The type of data compromised, and why attackers are now focusing more on customer identity data than payment credentials;
- Dior's incident response, including customer notifications, legal compliance, and free identity theft protection;
- The regulatory landscape, including SEC and GDPR mandates, and what companies are now legally required to do post-breach;
- Effective preventative practices, from vendor risk management and contract due diligence to real-time monitoring and zero-trust principles.
With luxury brands increasingly targeted not for their wealth but for their rich customer profiles, this episode is a critical listen for business leaders, CISOs, and consumers alike. The Dior breach is more than just a fashion headline—it's a cautionary tale about the hidden risks in our digital supply chains.
#DiorDataBreach #Cybersecurity #LVMH #LuxuryRetailHack #ThirdPartyRisk #ShinyHunters #DataLeak #CustomerDataBreach #VendorBreach #IdentityTheft #SSNExposure #PrivacyBreach #DigitalSupplyChain #LouisVuittonHack #CRMbreach #IncidentResponse #CyberAttack #DataProtection #CyberThreats2025 #FashionIndustryCyberattack #BreachNotification #PIILeak #RegulatoryCompliance #FINRA #FTC #GDPR #ZeroTrustSecurity #CyberIncident #LuxuryBrandsUnderAttack

Ep 178 StrongestLayer Raises $5.2M to Fight AI-Powered Phishing with TRACE
In an era where generative AI is being used not just for productivity but for precision cybercrime, a San Francisco-based startup, StrongestLayer, is taking a bold stand. Backed by $5.2 million in seed funding from Sorenson Capital and others, the company is pioneering a radically new approach to cybersecurity with its AI-native platform TRACE (Threat Reasoning AI Correlation Engine).
This episode dives deep into what makes StrongestLayer’s technology different—and why that difference matters. Unlike traditional AI-enhanced tools, TRACE is built from the ground up around LLMs and continuous learning, enabling it to reason through intent rather than just detect patterns. It's capable of identifying AI-generated spear phishing, fake company websites, real-time adaptive phishing campaigns, and more—all with the cognitive power of over a thousand analysts.
We explore the fundamental shift from AI-enabled to AI-native security platforms, how TRACE uses reasoning engines instead of rule-based programming, and why traditional filters and blacklists are no match for today’s deepfakes, chat-based phishing, and polymorphic malware.
You'll hear insights from CEO Alan LeFort, who explains why human vigilance must evolve in lockstep with technology, and how StrongestLayer is not only detecting threats but training employees to spot AI-enhanced attacks in real time. We break down the risks, the defenses, and the growing arms race between AI-powered attacks and AI-powered defenses.
Whether you're a CISO, security analyst, or just someone worried about clicking the wrong link, this episode is a must-listen on the future of cyber defense.
#AIPhishing #Cybersecurity #StrongestLayer #EmailSecurity #LLMSecurity #GenerativeAI #PhishingDefense #AlanLeFort #CyberStartup #ThreatDetection #AInative #SpearPhishing #CyberThreats #TRACEPlatform #AIvsAI #DeepfakeSecurity #PhishingAwareness #SOCtools #MalwareDetection #ZeroTrust #SecurityTraining #TechStartup2025

Ep 178 750,000 Records Exposed: Inside the TADTS Data Breach by BianLian
In July 2024, The Alcohol & Drug Testing Service (TADTS), a Texas-based company handling sensitive employment-related data, suffered a catastrophic data breach. Nearly 750,000 individuals had personal information compromised—Social Security numbers, financial data, driver’s licenses, health insurance info, and even biometric identifiers. The attack was claimed by the BianLian ransomware group, which has shifted its strategy away from encryption to pure data theft and extortion.
Despite the scope of the breach, TADTS waited nearly a year to notify victims and has not offered free identity theft protection, even though the stolen data includes everything needed to commit large-scale identity fraud. In this episode, we unpack the incident, explore BianLian's evolving tactics, and highlight the regulatory and legal implications for companies that fail to secure consumer data.
You’ll learn:
- How BianLian transitioned from ransomware encryption to data-only extortion
- Why the IMSI data and biometric exposure raise the stakes for victims
- The technical tactics used by BianLian—custom backdoors, PowerShell abuse, RDP exploitation, credential dumping, and data syncing via tools like Rclone and Mega
- The alarming delay in breach disclosure—nearly 365 days late
- What Texas law and federal regulations require in such breaches—and whether TADTS violated them
- The class action lawsuit risks now emerging
- What individuals can do to defend themselves: credit freezes, fraud alerts, password changes, and monitoring
We also look at the broader cybersecurity implications: why sectors handling biometric and medical data must implement MITRE ATT&CK-aligned defenses, enforce multi-factor authentication, and maintain robust backup strategies to prevent and recover from modern extortion campaigns.

Ep 177 SS7 Is Still Broken: How Surveillance Firms Are Bypassing Telco Defenses
A new attack technique is exposing just how vulnerable global mobile networks remain in 2025. Cybersecurity firm Enea has discovered a surveillance operation that bypasses SS7 firewalls by exploiting a subtle weakness in the TCAP encoding layer—allowing stealth location tracking of mobile users across borders.
The method? Tampering with the IMSI field in ProvideSubscriberInfo (PSI) requests to hide it from detection. Many mobile operators’ SS7 stacks simply fail to decode the malformed tag, allowing unauthorized tracking messages to pass security controls.
In this episode, we cover:
- The technical anatomy of the IMSI hiding exploit
- How this attack evades standard SS7 security checks
- The surveillance firms and platforms involved—WODEN, ASMAN, HURACAN, and others
- Broader SS7 weaknesses: lack of encryption, lack of authentication, and global trust architecture
- The disturbing truth: most mobile networks still depend on legacy protocols from the 1970s
- Why users can’t opt out—and no app can protect you
We also examine the countermeasures: advanced signaling firewalls, protocol filtering, TCAP signing, and why even now, SS7 remains irreplaceable due to the persistence of 2G/3G roaming infrastructure.
This isn’t a theoretical vulnerability—it’s a real-world surveillance method in use today, targeting phones across continents without users ever knowing.

Ep 176 The UNFI Cyberattack: How Hackers Disrupted the U.S. Food Supply Chain
In June 2025, United Natural Foods, Inc. (UNFI)—the primary distributor for Whole Foods and tens of thousands of retailers across North America—suffered a major cyberattack that halted deliveries, emptied shelves, and forced core operations offline.
The financial damage? Between $350 and $400 million in net sales lost, and up to $60 million in reduced income for fiscal year 2025.
In this episode, we break down:
- What happened during the UNFI cyberattack
- How ordering, shipping, and receiving systems were taken down
- Why this wasn’t just a business disruption—but a critical infrastructure failure
- The pattern of attacks across the food sector, from JBS to Dole to Sam’s Club
- The national security implications of digitally compromised supply chains
- Where cyber insurance, contingency planning, and regulation fall short
We also compare this incident with the 2020 SolarWinds breach, showing how both attacks exploited software vulnerabilities and disrupted essential services on a massive scale.
UNFI’s recovery may be underway, but the larger question remains: Is the U.S. food supply chain prepared for the next attack?

Ep 175 Zuckerberg on Trial: The $8 Billion Data Privacy Reckoning
More than five years after the Cambridge Analytica scandal, the legal and financial consequences are still playing out—this time in Delaware’s Chancery Court, where Mark Zuckerberg and Meta executives are being sued by investors seeking over $8 billion in damages.
This landmark class-action lawsuit argues that Meta’s leadership knowingly violated a 2012 FTC consent order, misled users and regulators, and failed to prevent the improper sharing of personal data—culminating in the largest privacy fine in U.S. history.
In this episode, we explore:
- The core allegations against Zuckerberg, Sandberg, and others
- How the FTC's 2012 and 2019 orders shaped Meta's legal obligations
- Why investors believe Meta’s disclosures were fraudulent
- What former insiders, including Jeffrey Zients and Yul Kwon, are saying on the stand
- The broader implications for data privacy governance and board-level accountability
- How the Supreme Court’s dismissal of Meta’s appeal revived the case
- And why this trial could redefine what “fiduciary duty” means in the digital age
From API loopholes to insider warnings, stock sales, and alleged cover-ups, this case is a referendum on corporate responsibility in the age of surveillance capitalism—and a signal that executive leadership can be held personally liable for privacy failures.

Ep 174 Operation Eastwood: Inside the Takedown of NoName057(16)
A major Europol-led crackdown—Operation Eastwood—has disrupted one of the most active pro-Russian hacktivist collectives in Europe: NoName057(16). Known for a relentless barrage of DDoS attacks targeting NATO allies and Ukraine-supporting nations, this ideologically driven group ran a global network powered by gamified recruitment, cryptocurrency incentives, and Telegram coordination.
In this episode, we unpack:
- Who NoName057(16) is—and how their DDoS-for-crypto campaign operated
- The gamification of cyberwarfare, where young sympathizers earn crypto and badges for attacking government targets
- How Operation Eastwood led to arrests, infrastructure takedowns, and international arrest warrants
- Why DDoS remains a go-to weapon for hacktivists and state-aligned cyber actors
- The role of crypto on both sides of the Russia-Ukraine cyber conflict, from donations to evasion to digital mercenaries
- Why hacktivist groups are blurring the lines between ideology and cybercrime, and how they're increasingly operating like decentralized ransomware gangs
We also explore the long-term implications:
- Can law enforcement really stop these groups?
- What happens when attackers are shielded by national borders or political alignment?
- And how should defenders prepare for digitally mobilized ideological threats with state-level reach?
This is cyberwar by proxy—crowdsourced, monetized, and harder than ever to pin down.

Ep 173 Phished and Exposed: What the Co-op Hack Reveals About Retail Cybersecurity
In April 2025, The Co-op—one of the UK’s largest retailers—confirmed a data breach that exposed the personal information of 6.5 million members. No financial data was taken, but the attack hit at the core of trust, with CEO Shirine Khoury-Haq calling it a “personal attack on our members and colleagues.”
This wasn’t just a technical failure—it was a masterclass in social engineering, executed by attackers linked to Scattered Spider and DragonForce ransomware. By impersonating staff and manipulating the IT helpdesk, the attackers gained privileged access and exfiltrated password hashes, enabling lateral movement and data theft without ever breaching a firewall.
In this episode:
- How the attackers bypassed defenses using psychological manipulation—not malware
- The role of DragonForce ransomware and why Scattered Spider keeps showing up in major breaches
- Why social engineering remains the #1 cause of network compromise
- What retailers like Co-op and M&S are learning the hard way about helpdesk security, privileged accounts, and digital trust
- Arrests made by the UK’s National Crime Agency and their connection to the MGM Resorts breach
We also dive into the broader context:
- Why retail is an increasingly high-value target
- The compliance landscape for UK retailers (GDPR, PCI DSS, Cyber Essentials)
- Critical mitigation strategies: phishing-resistant MFA, ZTNA, PAM, and resilient incident response plans
This is not just about one breach—it’s about how an entire sector can fall to a single phone call.

Ep 172 FileFix Attacks Are Here: How Interlock’s Ransomware is Skipping Your Defenses
In this episode, we break down how Interlock, a fast-moving ransomware group launched in late 2024, has evolved from using web injectors and clipboard tricks (like ClickFix) to an even more covert social engineering technique that abuses Windows File Explorer’s address bar to execute malicious code without triggering security prompts or downloads.
Key topics include:
- How FileFix works: The attacker tricks users into pasting a disguised PowerShell command into File Explorer, using a technique that removes the "Mark of the Web" (MOTW) and bypasses antivirus warnings.
- What makes it dangerous: Unlike traditional phishing, FileFix doesn’t rely on file execution or macros—just one paste and one Enter keystroke.
- The malware: The payload is a PHP-based Remote Access Trojan (RAT) that establishes persistence, gathers system information, and enables lateral movement and data exfiltration.
- The bigger picture: With FileFix confirmed in the wild and being actively adopted by Interlock, this attack method is poised to become a popular new vector for a variety of threat actors.
We also cover how FileFix fits into a wider ransomware evolution:
- The shift to double extortion and Ransomware-as-a-Service (RaaS)
- The increasing use of EDR killers and lateral movement tools
- The importance of breakout time and why 1-10-60 detection rules matter more than ever
Finally, we close with a call to action: FileFix shows that endpoint compromise doesn’t always start with a download. Organizations must reassess how they handle clipboard input, browser content, and even basic UI trust. Email training is no longer enough—file paths can now be weapons.

Ep 171 Ontinue Uncovers SVG-Based Phishing: Why Your Browser Could Be the Weak Link
Ontinue has uncovered a stealthy new phishing campaign that’s flipping conventional defenses on their head—weaponizing SVG image files to silently redirect victims to malicious websites, without requiring file downloads, macros, or even user clicks.
In this episode, we break down how attackers are exploiting the JavaScript-capable structure of Scalable Vector Graphics (SVG) to embed obfuscated scripts that decrypt malicious payloads directly in the browser at runtime. These files are being distributed via spoofed emails with weak sender authentication, evading traditional detection tools by masquerading as innocuous graphics—when in fact, they’re functioning like client-side malware.
Key topics include:
- How SVGs bypass legacy email security through script execution in the browser
- The role of JavaScript obfuscation and DOM manipulation in these attacks
- Why this approach is ideal for credential harvesting and phishing-as-a-service
- How weak SPF, DKIM, and DMARC records enable spoofing at scale
- Mitigation strategies: From treating SVGs as executables to enforcing strict CSP headers, Safe Links rewriting, and layered email authentication
We also explore the broader implications of this trend within the phishing landscape—how attackers are moving away from traditional malware delivery toward zero-download, browser-native exploitation. This evolution makes every user’s browser session a potential threat surface and highlights the urgent need for both technical controls and human-centric awareness training.
Ontinue’s discovery reinforces a core truth in modern cybersecurity: “innocent” file types can no longer be assumed harmless, and phishing tactics are increasingly blending code, content, and clever evasion. If your organization handles external emails, especially in B2B services, this episode is a critical briefing on a quiet but powerful threat.

Ep 170 Exein Raises €70M: Defending the IoT-AI Frontier with Embedded Security
Exein, the Italian cybersecurity company specializing in embedded IoT defense, has raised €70 million in Series C funding, marking a significant milestone in the race to secure AI-connected infrastructure. Backed by Balderton and a roster of prominent investors, this round pushes Exein’s total funding past $106 million and fuels its global expansion into the U.S. and Asia, while laying the groundwork for strategic M&A and product development.
This episode breaks down what sets Exein apart in a crowded field: its AI-enabled, device-level runtime protection tailored for IoT systems in critical sectors like healthcare, energy, automotive, robotics, and semiconductors. While most firms focus on perimeter or network security, Exein embeds its defenses directly into devices, ensuring compliance with emerging global regulations like the EU Cyber Resilience Act and offering real-time safeguards against a rising tide of AI-specific threats.
We also explore:
- The expanding attack surface created by the convergence of IoT and AI, and why traditional security tools are falling short
- How Exein’s model supports security-by-design at the firmware and runtime level
- The urgent need for protection against adversarial AI attacks, such as prompt injection, model theft, and data poisoning
- The growing push for runtime security solutions for LLMs and AI infrastructure, as generative models move into production environments
- Why the Series C round reflects strong investor confidence in embedded security, with parallels to recent M&A activity across AI runtime protection, identity access, and data loss prevention
Exein’s momentum is not just about market expansion—it’s a signal of where security is headed: toward deeply integrated, proactive defenses that recognize AI and IoT as inseparable components of future cyber risk. As the industry braces for new regulatory and adversarial challenges, embedded runtime security is becoming the next competitive frontier.