Daily Security Review

This podcast dives deep into one of the most pressing vulnerabilities in modern AI — the rise of sophisticated "jailbreaking" attacks against large language models (LLMs). Our discussion unpacks a critical briefing on the evolving landscape of these attacks, with a spotlight on the novel “Echo Chamber” technique discovered by NeuralTrust.Echo Chamber weaponizes context poisoning, indirect prompts, and multi-turn manipulation to subtly erode an LLM's safety protocols. By embedding "steering seeds" — harmless-looking hints — into acceptable queries, attackers can build a poisoned conversational context that progressively nudges the model toward generating harmful outputs.We'll explore how this method leverages the LLM’s "Adaptive Chameleon" nature, a tendency to internalize and adapt to external inputs even when they conflict with training, and how the infamous "Waluigi Effect" makes helpful, honest models more vulnerable to adversarial behavior.Listeners will gain insight into:The lifecycle of an Echo Chamber attack and its alarming success rates (90%+ for hate speech, violence, and explicit content).Emerging multi-turn techniques like Crescendo and Many-Shot jailbreaks.The growing arsenal of attacks — from prompt injection to model poisoning and multilingual exploits.The race to develop robust defenses: prompt-level, model-level, multi-agent, and dynamic context-aware strategies.Why evaluating AI safety remains a moving target, complicated by a lack of standards and the ethical challenges of releasing benchmarks.Join us as we dissect the key vulnerabilities exposed by this new wave of AI jailbreaking and what the community must do next to stay ahead in this ongoing arms race.

In this episode, we dive deep into the alarming revelations about Salt Typhoon—a Chinese state-sponsored advanced persistent threat (APT) actor, also known as RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286. Backed by China’s Ministry of State Security (MSS), this group has been running extensive cyber espionage operations since at least 2023, with a focus on telecommunication giants, government agencies, technology firms, and academic institutions around the world.We’ll unpack how Salt Typhoon leveraged critical vulnerabilities, like CVE-2023-20198, and custom malware such as GhostSpider and Demodex, to gain deep, persistent access to telecom infrastructure in the U.S., Canada, and dozens of other nations. Despite being publicly exposed, sanctioned, and highly scrutinized, this APT remains entrenched in networks due to the fragmented, legacy-heavy state of telecom systems.The discussion will cover: ✅ The strategic objectives of Salt Typhoon—ranging from intelligence collection on political figures to geolocation tracking around Washington, D.C. ✅ The scope of compromise, with intrusions affecting major telecoms like AT&T, Verizon, T-Mobile, and Canadian infrastructure—earning the label from Sen. Mark Warner as “the most serious telecom hack in our nation’s history.” ✅ The tactics and techniques that enable persistence—GRE tunnels, credential theft, lateral movement, and stealthy malware designed to evade detection across LTE/5G networks. ✅ The challenges of defense—why eradicating Salt Typhoon is nearly impossible in an industry described as a “Frankenstein’s monster” of outdated and incompatible technologies. ✅ What can be done—improving network visibility, hardening systems, fostering intelligence sharing, and why “secure by design” is more critical than ever.Finally, we’ll examine what this ongoing cyber espionage campaign means for national security, individual privacy, and the future of global communications infrastructure—as the FBI calls for public help to fully map the scope of this unprecedented threat.

In this eye-opening episode, we break down a sophisticated new trend in tech support scams (TSS) that’s catching even the most cautious users off guard.Scammers are now hijacking Google Ads and manipulating search results to funnel users—who are simply looking for help—to malicious phone numbers injected directly into legitimate websites like Apple, Microsoft, Netflix, and major banks. Clicking on what appears to be an official Google Ad can land you on a real brand page — but with a fake tech support number secretly inserted into the URL path or internal search results.We’ll dive into:How scammers use Google Ads as a primary conduit for distributing rogue tech support ads.The alarming tactic of injecting fraudulent phone numbers into real company websites.Why even Fortune 500 companies are vulnerable to these attacks — with 86% of the top 50 companies affected.The shift from “aggressive” pop-up-based scams to “passive” professional-looking scam pages that evade detection for longer.How black hat SEO and support domains are driving long-lived scam infrastructure.The persistent financial motivation behind these scams — and why many victims end up giving remote access to their devices or sharing sensitive banking details.We’ll also cover what law enforcement and cybersecurity experts are doing to counter this new wave of scams, why detection remains so challenging, and practical tips that users and defenders can take to protect themselves.If you’ve ever searched for tech support online — or know someone who has — this is an episode you won’t want to miss.

In this episode, we take a deep dive into the Qilin ransomware group — now regarded as the world’s leading ransomware-as-a-service (RaaS) operation — and explore how it’s reshaping the cybercrime landscape in 2025.Qilin, also known as Agenda, burst onto the scene in 2022 with a Go-based ransomware. It has since evolved into a highly evasive Rust-based malware platform targeting both Windows and Linux environments, including critical VMware ESXi servers. The group uses aggressive double extortion tactics — encrypting data while also threatening public exposure of stolen information — with ransom demands ranging from $50,000 to $800,000.But what truly sets Qilin apart is its transformation into a full-service cybercrime platform, offering affiliates advanced tooling, data storage, spam and DDoS services, and — most controversially — a “Call Lawyer” feature designed to pressure victims with legal consultation during ransom negotiations. While some experts dismiss this legal counsel angle as a mere recruitment stunt, it has proven effective in unnerving corporate victims, especially in sectors like healthcare, manufacturing, and energy.In 2024 alone, Qilin has amassed over $50 million in ransom payments from more than 60 attacks, shifting its targeting to critical infrastructure and operational technology companies worldwide. The group's high-profile assaults — such as the $50 million ransom attack on Synnovis, a major UK healthcare provider — have caused severe disruptions, even impacting critical patient care.We’ll unpack:Qilin’s evolution from a simple RaaS to a global cybercrime platformThe unique legal pressure tactic and why it’s alarming defendersHow Qilin’s affiliates, including groups like Scattered Spider, are exploiting the platformThe malware’s sophisticated TTPs mapped to MITRE ATT&CKThe shift toward targeting healthcare and critical OT systemsKey defense and mitigation strategies organizations must adopt to combat this growing threatIf you want to understand how ransomware has morphed into a professionalized business model — and what comes next — don’t miss this episode.

In this episode, we dive deep into the story behind CVE-2025-27363, a critical zero-click vulnerability in the widely used FreeType font rendering library. Initially discovered by Facebook’s security team and patched by Google in May 2025, this flaw allowed attackers to execute arbitrary code on Android devices—without any user interaction—by exploiting how FreeType parsed certain font structures.This seemingly obscure bug became a key attack vector for Paragon Solutions’ "Graphite" spyware, an Israeli-made surveillance tool capable of taking near-total control of compromised smartphones. Through forensic analysis, it was revealed that Paragon’s spyware leveraged CVE-2025-27363 to infect targets via WhatsApp: malicious PDF files sent through groups triggered the vulnerability, which then deployed Graphite and escaped Android’s sandbox protections. The spyware could then exfiltrate encrypted chats, enable microphones and cameras, and track real-time GPS—without the user’s knowledge.Our discussion also explores:The technical nuances of the vulnerability—how a signed/unsigned integer mismatch led to a dangerous heap overflow.The patching timeline, and Google’s move toward replacing FreeType with the safer Rust-based Skrifa library.How governments in countries like Australia, Canada, Italy, and Israel are suspected of deploying this spyware.The role of The Citizen Lab in uncovering evidence of targeted attacks against journalists, activists, and civil society members—despite Paragon’s public claims of safeguarding human rights.Practical advice for detecting spyware infections and why hybrid detection strategies offer the best protection.Finally, we examine the broader implications for software supply chains, surveillance ethics, and why even basic libraries like font parsers must be designed with security in mind. Tune in for an eye-opening look at how a small coding bug cascaded into a global espionage tool.

In this episode, we take a deep dive into the June 2025 cyberattack on Aflac, one of the latest strikes in a growing wave of sophisticated, AI-driven cyber campaigns targeting the insurance industry. On June 12, Aflac detected suspicious activity within its U.S. network—a breach attributed to a highly organized cybercrime group and part of a larger pattern of targeted attacks against financial and insurance providers.Our discussion goes beyond Aflac’s rapid response to explore the broader cybersecurity landscape of 2024-2025: a time marked by an explosion in third-party supply chain vulnerabilities, the resurgence of ransomware, and the growing use of AI-powered phishing and polymorphic malware. We examine how ransomware payloads are evolving to evade detection, why SMBs and mid-market firms are increasingly in the crosshairs, and how credential theft and sophisticated phishing are driving the majority of breaches.We also break down:How real-world cases like Marks & Spencer, Victoria’s Secret, and UNFI show the cascading impacts of third-party risks.The strategic importance of Zero Trust and proactive supply chain management.What companies can learn from the Aflac incident about preparing for coordinated industry-specific campaigns.Practical steps organizations can take today—layered defenses, threat monitoring, employee training, and incident response planning—to build resilience in this new threat environment.If you want to understand the tactics modern attackers are using—and what your organization can do about it—don’t miss this episode.

In May 2025, a ransomware attack forced Nucor — one of America’s largest steel producers — to halt its metal production operations. This wasn’t just a corporate IT incident: it disrupted a critical link in the nation’s industrial supply chain.In this episode, we take an in-depth look at the Nucor attack: how cybercriminals targeted operational technology (OT) systems, why manufacturers like Nucor are becoming prime ransomware targets, and what this means for national security.We analyze the escalating tactics of ransomware groups, including sophisticated loader chains, abuse of legitimate tools, and emerging delivery methods that can take down even hardened industrial environments. We also examine why the attack on Nucor marks a new chapter in the ransomware threat landscape — one where physical production and critical infrastructure are increasingly at risk.Most importantly, we discuss how organizations can defend against these evolving threats: leveraging the NIST Cybersecurity Framework, adopting proactive detection and incident response strategies, and addressing growing vulnerabilities in the cyber supply chain.If Nucor’s shutdown taught us anything, it’s that no manufacturer can afford to ignore the ransomware threat. Tune in to learn what your organization can do to prepare.

A staggering $225 million in illicit cryptocurrency was recently seized by U.S. authorities in what has become the largest digital asset recovery in Secret Service history. This episode unpacks the mechanics, methods, and forensics that made this possible—and how a sprawling network of scams, labor compounds, and fake identities in Southeast Asia unraveled under blockchain scrutiny.We explore how cryptocurrency is being used in modern money laundering operations—from intermediary wallet “hops” and high-frequency rounded transactions, to tumblers like WasabiWallet and Tornado Cash, and privacy coins like Monero. You'll hear how these laundering methods are structured, and why they’re no longer enough to stay hidden.We also break down how U.S. and international regulators are leveraging blockchain transparency, stablecoin issuer cooperation, and advanced forensic tools to trace and freeze funds. From court orders served via NFT, to mandatory injunctions forcing smart contract code edits, enforcement is evolving—and fast.Finally, we discuss tax implications, cost basis methods, and upcoming IRS rules that will redefine crypto accounting in 2025. Whether you’re in compliance, enforcement, or just trying to understand how illicit actors move money through crypto, this episode offers a detailed look into the shifting balance of power between criminals and regulators in the digital asset space.

Ransomware groups are no longer just encrypting data — they're going straight for the backups. And if those backups aren’t properly protected, recovery becomes impossible, and ransom payouts more likely. In this episode, we dive deep into how threat actors are exploiting critical vulnerabilities in widely used backup systems, focusing on the recently disclosed CVEs affecting Veeam Backup & Replication.We explore CVE-2025-23121, a critical remote code execution flaw already being weaponized in the wild, and CVE-2025-24287, a privilege escalation vulnerability that opens the door for deeper compromise. These aren't theoretical risks — these are the exact tactics used by ransomware groups like Cuba and FIN7 to dismantle organizations’ last lines of defense.The discussion goes further into why backup hardening isn't optional anymore. We break down what it means to implement the 3-2-1-1-0 backup strategy effectively and why immutability, offsite storage, and automated testing are the bare minimum for survival. You’ll also hear hardening best practices — directly from real-world sysadmins — including isolating Veeam servers from the domain, restricting access with the principle of least privilege, and enforcing MFA.But protection doesn’t end at backups. We unpack broader ransomware defense strategies: network segmentation, browser isolation, file integrity monitoring, and behavioral logging through SIEM and EDR platforms. Learn how honey files, malware detonation environments, and strict firewall rules are helping defenders detect and contain attacks before they spread.This isn’t about theory. This is about what ransomware operators are doing right now — and what it takes to stop them.If you’re running backups without verification, hosting Veeam on a multi-role domain-joined server, or delaying critical patches, this episode is your wake-up call.

Ransomware just bankrupted a 100-year-old manufacturer—and the world should take notice.In this episode, we dissect the cyberattack that brought down Fasana, a German paper napkin producer, and pushed it into insolvency. On May 19, 2025, employees arrived to find printers ejecting extortion notes. By the end of the week, systems were paralyzed, €250,000 in daily orders went unprocessed, and the company hemorrhaged €2 million in under 14 days. Fasana couldn’t pay salaries, couldn’t ship products, and now has just eight weeks to find a buyer or shut down for good.We explore how this happened—and why it could happen to almost any manufacturing company operating today.This isn’t just a story of one company—it’s a cautionary tale about the growing frequency and impact of ransomware, especially in industries where IT and OT environments are merging. From indirect attacks on connected IT systems to direct strikes against operational machinery, manufacturers are being hit hard. In 2023 alone, over 500 physical sites were disrupted by cyberattacks—more than half in manufacturing.We examine how ransomware exploits vulnerable systems like ERP platforms, SCADA controls, and HMIs—and why systems without clear IT/OT segmentation are now high-risk. Then, we look at what Fasana lacked: a functioning Business Continuity Plan. No backup delivery system. No fast recovery options. No clear incident response framework.You'll learn:Why even small manufacturers are now prime ransomware targets.What a robust Business Continuity Plan actually includes—from impact assessments to cloud and off-site backups, endpoint defense, and RPO/RTO strategies.Why regular testing, employee training, and disaster simulation drills are just as critical as having the right technology.The operational, legal, and reputational risks of sensitive data loss in manufacturing.How financial pressure compounds risk—and why companies already under strain are often one cyberattack away from collapse.We also break down key defense strategies: network segmentation, encryption, EDR, multi-factor authentication, vendor access controls, and the emerging role of cyber insurance in helping companies weather these storms.This episode is more than a post-mortem of a cyberattack. It’s a call to action for manufacturers: ransomware is escalating, and so must your resilience. Fasana didn’t have time to prepare—but you do.

In this episode, we break down the true scale and mechanics behind the largest credential leak ever recorded—over 16 billion login credentials, most of them exfiltrated by infostealer malware.We dive into how this happened: from the malware-as-a-service (MaaS) model enabling even low-skill threat actors to deploy powerful stealers, to how credentials are harvested from infected systems, bundled into "logs", and sold on dark web marketplaces.You'll learn about the rise of credential stuffing attacks that use these logs to hijack user accounts at scale, bypassing traditional defenses with distributed botnets and evasion tactics. We examine the ecosystem behind it all—how groups like Nova Sentinel operate, where data gets hosted, and how anti-analysis methods help them stay hidden.We also detail the best current defenses—multi-factor authentication (MFA), fingerprint-based detection, rate-limited login systems, and how organizations should handle suspicious IPs and user agent anomalies. You'll hear mitigation tactics sourced from OWASP, CISA, and expert threat research from Gatewatcher, DataDome, and more.This isn't just about malware. It's about how credential theft has become a billion-dollar economy—automated, distributed, and dangerously efficient.

A malware distribution network hiding in plain sight — on GitHub.This episode unpacks the Stargazers Ghost Network, a massive Distribution-as-a-Service (DaaS) infrastructure run by a threat actor known as Stargazer Goblin. Using over 3,000 GitHub accounts, this operation pushes dangerous information-stealing malware disguised as legitimate game mods and cracked software, particularly targeting communities like Minecraft players.At the center of the campaign are well-known infostealers such as Atlantida, Rhadamanthys, RisePro, Lumma, and RedLine. The delivery mechanism? Sophisticated Java-based loaders, GitHub phishing repositories, and links embedded across platforms like Twitch, TikTok, YouTube, and Discord.Key insights we explore:🎯 Targeted deception: Modded Minecraft downloads hiding Java loaders that drop multiple stealers 💸 Financial motivation: An estimated $100,000 earned by Stargazer Goblin through stolen data 🧠 Social engineering: Repository stars, forks, and watchers used to appear trustworthy 🧪 Anti-analysis: Malware designed to evade detection with anti-VM and anti-sandbox techniques 🔐 Data exfiltration: Passwords, cookies, crypto wallets, VPN credentials, Discord tokens, and more 🌍 Attribution: Russian-language artifacts and UTC+3 activity suggest a Russian-based operatorWe also explore how GitHub’s platform was exploited, the use of password-protected archives to bypass scans, and the tiered account structure that allows malicious repositories to reappear even after bans.With GitHub being abused at this scale — and over 1,500 Minecraft users already infected — this case is a wake-up call for both platforms and end users. The combination of malware-as-a-service (MaaS) and DaaS delivery is lowering the bar for cybercriminals and increasing the risk for everyone online.#StargazersGhost #GitHubMalware #Infostealers #StargazerGoblin #MinecraftMalware #RedLine #Rhadamanthys #LummaStealer #AtlantidaStealer #JavaMalware #MalwareCampaign #CybersecurityPodcast #DaaS #MaaS #InfoSec #GamingCyberThreats #DiscordMalware

Cybercriminals are increasingly turning GitHub into a malware distribution network. In this episode, we unpack two of the most alarming recent campaigns: Water Curse and Banana Squad — both targeting developers, red teams, and security professionals through poisoned open-source projects.Water Curse, a financially motivated group, used at least 76 GitHub accounts to deliver multistage malware hidden inside project configuration files of tools like Sakura-RAT. These payloads deploy obfuscated VBS and PowerShell scripts, perform system reconnaissance, and disable recovery mechanisms like shadow copies. The malware, tracked as Backdoor.JS.DULLRAT.EF25, allows long-term remote access and data exfiltration via services like Telegram.Banana Squad, meanwhile, deployed over 60 fake repositories containing trojanized Python scripts masked as ethical hacking tools. Using visual obfuscation tricks, they pushed malicious code off-screen in the GitHub UI to avoid detection — a tactic that worked until automated tools caught the behavior.Both groups are part of a broader trend: cybercriminals leveraging Malware-as-a-Service (MaaS) platforms to outsource infrastructure, scale their operations, and target critical parts of the software supply chain. Developers, security teams, and even gamers are now at risk — not through phishing emails, but by trusting what they download from legitimate platforms.We also explore how MaaS lowers the technical barrier for attackers and discuss the critical need for secure software development, SBOM transparency, and active code validation.This isn’t a theoretical threat. It’s a shift in the way malware is built, delivered, and scaled — and it’s already compromising environments in plain sight.#GitHubMalware #WaterCurse #BananaSquad #SoftwareSupplyChain #MaaS #OpenSourceSecurity #PythonMalware #BackdoorJS #Cybersecurity #DeveloperSecurity #Infosec #VisualStudioMalware #TrojanizedCode #GitHubSecurity #CodeTrustCrisis

A single vendor was compromised — and suddenly, internal records from UBS, Pictet, Manor, and Implenia were leaked. The Chain IQ cyberattack is a textbook example of how fragile the digital supply chain has become.This episode dissects the breach that exposed names, roles, phone numbers, even CEO contact details of over 137,000 UBS employees, and 230,000 lines of internal billing data from Pictet, including expenses ranging from hotel stays to pottery purchases. While client data remained untouched, the exposure of employee and operational data is alarming.The attack was carried out by World Leaks — formerly known as Hunters International — a group known for data theft and public extortion, not encryption. Their tactics reflect the evolving nature of supply chain threats, where trust in vendors is weaponized and internal data becomes a high-value target.We go beyond the breach and explore:🔹 How 62% of supply chain attacks exploit trust in third-party providers 🔹 Why 66% of suppliers don't even know how they were compromised 🔹 The massive industry ripple effect, with Chain IQ’s clients including FedEx, IBM, Swiss Life, AXA, Swisscom, and KPMG 🔹 What organizations should be doing now — from vendor due diligence and access minimization to continuous risk monitoring 🔹 Why employee data security must be treated as business-criticalWe also break down essential defense and recovery strategies — including zero trust access, contractual audit clauses, IAM, vulnerability patching, and a Plan-Do-Check-Act cycle for full-spectrum supply chain security.The Chain IQ breach isn’t just a warning — it’s a case study in what happens when your cybersecurity depends on someone else's.#ChainIQBreach #UBSLeak #SupplyChainAttack #PictetBreach #WorldLeaks #Cybersecurity #VendorRisk #DataLeak #ThirdPartySecurity #CyberAttack #EmployeeDataExposure #InfoSec #IncidentResponse #FinancialSectorSecurity #DigitalTrust

State and local governments are under cyber siege. In this episode, we break down how and why these public institutions have become top targets for attackers — and why the threats are getting worse.Digitization is expanding public access to services, but it's also opening new doors for threat actors. Many local authorities still rely on legacy IT systems, outdated operating systems, and unsupported software — leaving them vulnerable to ransomware, phishing, impersonation, and supply chain exploits. The rise in attacks isn’t hypothetical: cyber data breaches in UK local councils have surged by nearly 400% in just three years.We examine key reasons for the surge: 🔸 Outdated infrastructure and tight budgets 🔸 Rampant phishing and email impersonation 🔸 Ransomware that paralyzes city services and steals citizen data 🔸 Weak oversight of third-party vendors and digital service providers 🔸 A lack of board-level responsibility and incident response planningThe consequences aren’t just operational. Citizens are losing jobs, facing housing instability, and experiencing long-term harm due to the exposure of sensitive personal data. In the case of Oxford City Council, 21 years of historical data were compromised — impacting both current and former council employees. Although no large-scale data extraction has been confirmed, investigations are ongoing.Across the UK, councils have reported more than 12,700 breaches in three years, with over £260,000 paid in legal claims and compensation. High-profile incidents, such as the Capita breach and the Metropolitan Police supplier compromise, highlight a growing trend: third-party vendors are becoming major points of failure.We also discuss the lack of proactive cybersecurity measures. Most public bodies don’t regularly assess supply chain risks or re-evaluate vendor contracts. In many cases, cybersecurity is still not a board-level priority, especially for smaller agencies operating with limited resources.This episode explores what needs to change — from upgrading legacy systems to enforcing third-party risk management and creating a culture of privacy and accountability. Cybersecurity isn’t just a technical issue anymore. It’s public safety, trust, and governance at stake.#CyberSecurity #DataBreach #PublicSectorSecurity #Ransomware #OxfordDataBreach #CapitaBreach #LocalGovernment #InfoSec #DigitalTrust #PrivacyMatters #CyberAttack #SupplyChainRisk

Two newly disclosed critical vulnerabilities—CVE-2025-5349 and CVE-2025-5777—have put Citrix NetScaler ADC and Gateway deployments at serious risk, exposing enterprise environments to potential data breaches and service disruptions. These flaws underscore the persistent challenges facing infrastructure teams, especially when balancing security patching with service availability.We dive deep into: 🔍 The technical mechanisms behind the NetScaler vulnerabilities and why they’re considered high risk ⚙️ The real-world difficulties of patching Citrix environments, including long installation times, session disruption concerns, and HA strategy failures 🛠️ Staged patching techniques, including gold image refresh for MCS, traffic redirection using VIP isolation, and Citrix’s official upgrade flow 🔒 A breakdown of the AAA (Authentication, Authorization, Accounting) model and its relevance for secure VPN access 🧠 Broader lessons from CWE-125 (Out-of-Bounds Read) and how SAST, SCA, and code reviews help developers catch software vulnerabilities before they reach productionThis episode ties together software security principles with enterprise infrastructure reality, highlighting how missteps in either domain can leave organizations exposed. Whether you're managing Citrix infrastructure or building secure software, this conversation bridges the gap between theory and practice.

CVE-2025-1568, dubbed "GerriScary", has shaken the open-source ecosystem by exposing a fundamental weakness in Google’s Gerrit code review system—one that could have enabled attackers to infiltrate 18 of Google’s most widely used open-source projects, including Chromium, ChromiumOS, Dart, and Bazel.This episode breaks down how the vulnerability was discovered by researchers at Tenable using a subtle but powerful HTTP status code fingerprinting technique. A simple 209 response exposed whether a user had the “addPatchSet” permission on a given project. That small indicator opened the door to a potentially massive software supply chain compromise, allowing malicious patchsets to be injected silently into production workflows.We also explore the broader threat landscape with critical and actively exploited vulnerabilities, such as:🔓 CVE-2023-0386 – A Linux kernel flaw exploited for root access 🧨 CVE-2025-23121 – Remote code execution on Veeam Backup Server 💣 CVE-2025-2783 – A Google Chrome zero-day used by the Trinper backdoor 📡 CVE-2023-33538 – Command injection in TP-Link routers, actively exploited 🔥 CVE-2024-1086 – Use-after-free in Linux netfilter, leading to system takeoverFrom hardcoded keys in enterprise tools to command injections in home routers, we highlight how poor development practices continue to fuel real-world threats.But this isn't just about reacting to flaws. We dissect the NIST Secure Software Development Framework (SSDF), now more relevant than ever. You’ll learn how the SSDF’s four core areas—Prepare, Protect, Produce, and Respond—provide a practical roadmap to building secure software, preventing flaws like GerriScary, and rapidly responding when the next critical CVE emerges.Whether you’re a software engineer, CISO, or security architect, this episode offers a grounded and urgent look at the real-world risks of unpatched systems, insecure third-party dependencies, and weak DevSecOps discipline—and how to fix them.

Cisco and Atlassian have both released urgent security advisories in response to newly discovered high-severity vulnerabilities—and the implications are serious.Cisco’s firmware flaws impact Meraki MX and Z Series devices running AnyConnect VPN. A bug in the SSL VPN process allows authenticated attackers to crash the VPN server, causing repeated denial-of-service conditions. Cisco ClamAV also contains heap-based buffer overflow vulnerabilities that could crash antivirus defenses simply by scanning a malicious file. Proof-of-concept exploit code is already circulating—making exploitation only a matter of time.Atlassian isn’t faring much better. Their June 2025 bulletin disclosed 13 high-severity vulnerabilities across Bamboo, Bitbucket, Confluence, Jira, Crowd, and Service Management. Many of these are rooted in third-party dependencies like Netty, Apache Tomcat, and Spring Framework. From improper authorization to remote code execution and denial of service, the risks span multiple vectors.This episode breaks down:🔧 Cisco CVEs (2025-20212, 2025-20271, 2025-20128, 2025-20234) 🛑 How malformed VPN attributes trigger a system crash 🧪 The risk of crashing ClamAV with OLE2 content 📦 Atlassian’s dependency-driven vulnerabilities (CVE-2025-22228, CVE-2024-47561, CVE-2024-39338 and more) 🔁 The challenges of managing firmware updates across Meraki networks 💣 The broader danger of unpatched systems and third-party bloat 📉 Real-world fallout: from Equifax to ProxyShell ☁️ Shared responsibility in cloud environments and how institutions often misinterpret itIf you're running Cisco hardware, using Atlassian platforms, or relying on open-source libraries, this episode shows why you must have a clear patching strategy, strong third-party oversight, and internal security validation—before attackers find the gaps for you.

A deep dive into one of the most aggressive ransomware groups operating today—Play—and their latest high-profile target: Krispy Kreme.Operating since 2022, the Play ransomware group has become notorious for its double extortion model, where sensitive data is exfiltrated before systems are encrypted. Victims are pressured not just by digital ransom notes but also through direct phone calls to company lines, creating a highly aggressive and disruptive extortion cycle. Play has targeted over 900 entities globally, from government institutions to media outlets and, most recently, the food industry.In November 2024, Krispy Kreme was forced to shut down online ordering in parts of the U.S. after detecting unauthorized access to its systems. The Play group claimed responsibility. Stolen data reportedly included names, Social Security numbers, banking credentials, biometrics, and even military IDs—a scale and sensitivity that elevates this attack far beyond typical retail breaches.We break down: 📛 The origins and global targeting footprint of Play ransomware 📤 Their TTPs: dynamic compilation, intermittent encryption, WinRAR compression, and data exfiltration via WinSCP ☎️ Their use of direct communication, including threatening phone calls to corporate numbers 🧠 Their links to Russian-affiliated cyber actors and similarities to other ransomware variants like Hive and Nokoyawa 🧬 The specific operational and reputational damage inflicted on Krispy Kreme 💥 The unique risks of biometric data exposure in ransomware cases 🛡️ Critical cybersecurity recommendations from CISA, including segmentation, offline backups, EDR, and least-privilege access 🧪 How businesses—regardless of industry—must rethink cybersecurity resilience in the face of industrialized extortion modelsWhether you're in tech, retail, or public infrastructure, this is a wake-up call: ransomware doesn’t discriminate by sector—it hunts for scale, pressure points, and poor preparation.#Ransomware #PlayRansomware #KrispyKremeHack #CyberSecurity #DoubleExtortion #DataBreach #InfoSec #CISA #HunterInternational #BiometricDataBreach #RetailSecurity #PodcastCybersecurity #CyberAttack #RansomwareTTPs #MITREATTACK

In this episode, we unpack the dramatic takedown of Archetyp Market, a darknet marketplace that dominated the online drug trade since its launch in May 2020. With over €250 million ($290 million) in drug transactions, more than 600,000 users, and 17,000 listings, Archetyp wasn’t just another darknet forum—it was the largest dedicated drug market on the Tor network by 2024.The operation that brought it down, Operation Deep Sentinel, was a five-nation law enforcement effort led by Germany’s BKA, coordinated by Europol and Eurojust, and supported by the United States. Between June 11–13, 2025, authorities arrested the alleged German administrator in Barcelona, one moderator, and six top vendors. They also seized €7.8 million in assets, including crypto wallets, luxury vehicles, and the market’s backend infrastructure hosted in the Netherlands. This was the culmination of years of cyber-forensics, financial tracing, and cross-border intelligence work.But the story doesn’t stop with the arrests. We explore the deeper implications: how digital drug markets continue to evolve, why users easily migrate after shutdowns, and how operations like this shape law enforcement’s long-term cybercrime strategy. We’ll also touch on the philosophical roots of Archetyp’s founder—who modeled the site after Silk Road, with the aim of supporting drug liberalization in Europe—and why this ideological undertone didn't stop the authorities from dismantling the platform piece by piece.Tune in as we analyze the fall of Archetyp, the future of darknet markets, and the growing role of international cybersecurity cooperation in this high-stakes game of cat and mouse.

In this episode, we break down one of 2025’s most significant healthcare cybersecurity incidents: the ransomware attack on Ocuco, a global eyecare software provider. On April 1st, 2025, threat actors from the KillSec ransomware group exploited CVE-2024-41197 — a critical authentication bypass in Ocuco’s INVCLIENT.EXE — to gain Administrator-level access and exfiltrate over 340GB of sensitive data, including patient names, SSNs, driver’s license numbers, and financial records.KillSec, a group known for combining ransomware with ideological messaging, claimed responsibility via their dark web leak site. Despite positioning themselves as hacktivists, their modus operandi follows a double extortion model, typical of financially motivated groups. Their tactics reflect a larger 2024–2025 trend: politically charged language masking ransom demands.We dive into the technical details of CVE-2024-41197, a zero-day (or possibly N-day) vulnerability with a CVSS score of 9.8 that allowed unauthenticated remote code execution. Ocuco learned of the breach the same day KillSec publicized it, and the company later reported the incident to the U.S. HHS and Ireland’s DPC under GDPR obligations.This episode also connects the dots across broader healthcare cybersecurity trends. With 458 ransomware attacks tracked in healthcare in 2024, and groups like LockBit 3.0, RansomHub, and BianLian still active, this incident reflects the sector's growing exposure to zero-day exploits, supply chain flaws, and AI-augmented social engineering.We end with a focused discussion on prevention: how organizations can strengthen software supply chain defenses, implement DevSecOps practices, and prepare breach response plans that comply with GDPR and HIPAA alike.

In this episode, we dive deep into the current state of cybersecurity in healthcare, where the growing sophistication of cyber threats has led to increasingly devastating breaches. We begin with a close look at the rise of Ransomware-as-a-Service (RaaS), focusing on DragonForce, a ransomware group that has transitioned from politically motivated attacks to financially-driven extortion campaigns. With their dual-extortion tactics, DragonForce is not just locking data but threatening to release stolen information, significantly amplifying the risk to healthcare organizations.The conversation then shifts to the real-world impact of cybercrime on healthcare. Data breaches do more than cause financial losses—they erode patient trust, which is crucial for effective healthcare delivery. Patients often experience fear and anxiety after their personal information is exposed, which can lead to a reluctance to share vital health details, ultimately impacting patient outcomes.We’ll also explore critical preventive measures and response strategies that healthcare organizations must adopt to safeguard sensitive data. From multi-layered phishing prevention tactics to robust incident response plans, these best practices are essential for maintaining the integrity and confidentiality of patient information. Finally, we discuss the importance of rebuilding trust in the wake of a breach, with practical recommendations for transparent breach reporting and fostering a culture of cybersecurity awareness.Tune in for expert insights on how healthcare can defend against these persistent threats and recover swiftly when the inevitable happens.

In this episode, we break down the seismic implications of Google’s proposed $32 billion acquisition of Wiz, the world’s largest cybersecurity unicorn—and why this isn’t just another tech deal.At the core is the U.S. Department of Justice's antitrust investigation, triggered by concerns that the deal could tighten Google’s grip on a critical sector: multi-cloud cybersecurity. With Wiz already serving 40% of the Fortune 100 and boasting $500M in ARR, the acquisition could position Google as a dominant force in cloud-native application protection—potentially squeezing competitors and reshaping the market.We examine what’s driving this mega-deal, from Google’s desire to compete with Microsoft Defender for Cloud, to its push for a unified security stack that spans AWS, Azure, and Oracle Cloud. We also look at the staggering $3.2B breakup fee—10% of the deal value—which suggests that both companies anticipated regulatory roadblocks.This isn’t happening in a vacuum. We contextualize the deal within broader M&A trends in 2025, including evolving deal structures, regional regulatory crackdowns in Europe and China, and a shifting landscape under the Trump administration in North America. Plus, we explore the booming cloud security market, projected to hit $270B by 2035, and what the DOJ’s actions could mean for future cloud M&A.Finally, we explore counterpoints from the UK's Cloud Services Market Report, which suggests that the cloud landscape remains competitive globally, with price wars, strong buyer power, and plenty of innovation. So is the DOJ overreacting—or is Google really aiming to own the future of cybersecurity?📌 Topics covered: 🧠 Why Wiz became the crown jewel of cloud security 💰 The motivations behind Google’s biggest acquisition ever ⚖️ The DOJ’s case and the growing wave of antitrust scrutiny 🌍 Regional M&A shifts in the US, Europe, and China 📉 Price wars, competition, and market structure in cloud services 🛡️ The future of multi-cloud security, and who really controls it

In this critical episode, we dive into the alarming exploitation of CVE-2024-57727, a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) software actively leveraged by ransomware operators since early 2025. This isn't just a theoretical risk—it's already being used to compromise utility billing providers and downstream MSP customers through double extortion tactics.We examine how the trusted capabilities of RMM tools—remote control, patching, and backup—are being weaponized in Living Off the Land (LOTL) attacks, allowing adversaries to maintain persistence, evade detection, and move laterally across networks with ease. With input from CISA, NSA, FBI, MS-ISAC, and INCD, we explore why RMM platforms like SimpleHelp have become high-value targets and what this means for IT, OT, and ICS environments.The discussion covers: 🛠️ What makes RMM software such a potent attack vector ⚠️ The details and real-world impact of CVE-2024-57727 🔐 CISA’s recommended mitigations—from network segmentation to MFA, application controls, and zero-trust policies 📉 Supply chain risk: How MSP compromise can cascade across client networks 🧰 Detection techniques and critical indicators of compromise for SimpleHelp instances 🛡️ Why developers, MSPs, and SaaS providers must adopt security-by-design, auditable logging, and privilege minimizationThis episode is a must-listen for IT admins, MSPs, SOC teams, software vendors, and cybersecurity professionals tasked with protecting remote infrastructure. If your organization uses or builds RMM software—don’t miss this briefing.

In this episode, we dissect UNK_SneakyStrike—a major account takeover campaign targeting Microsoft Entra ID users with precision and scale. Tracked by Proofpoint, this campaign began in December 2024 and has since escalated, leveraging TeamFiltration, a legitimate penetration testing tool, to enumerate users and launch password spraying attacks that have compromised over 80,000 accounts across 100+ cloud tenants.We explore how attackers are weaponizing red team tools, abusing Microsoft Teams and OneDrive APIs, and even exploiting refresh tokens for persistent access—turning standard identity infrastructure into their playground. With origins traced to AWS infrastructure in the U.S., Ireland, and the UK, the campaign represents a dangerous convergence of identity-based threats, cloud misconfigurations, and cross-cloud attack surfaces.Join us as we walk through: 🔹 The operational characteristics and attack patterns of UNK_SneakyStrike 🔹 Why password spraying remains effective—and undetected—in the cloud 🔹 How Microsoft Entra’s gaps, like token handling and user enumeration exposure, played a role 🔹 Real-world risks: unauthorized access, lateral movement, and long-term persistence 🔹 The importance of multi-factor authentication, Zero Trust, real-time threat intelligence from AWS's MadPot and Mithra, and security hygiene 🔹 Concrete mitigation strategies to reduce exposure to identity-focused attacksThis is a must-listen for IT admins, CISOs, cloud security professionals, and anyone responsible for protecting digital identities in Microsoft and hybrid cloud environments.

In this episode, we dive deep into one of the most critical attack techniques in modern cyber warfare: privilege escalation—and how it recently hit center stage with three high-severity vulnerabilities discovered in Tenable’s Nessus Agent for Windows.We break down CVE-2025-36631, CVE-2025-36632, and CVE-2025-36633, which, when exploited, allow a non-administrative user to gain SYSTEM-level access, execute arbitrary code, delete critical files, or overwrite system content. These vulnerabilities, patched in version 10.8.5 of Nessus Agent, represent a textbook example of how privilege escalation paves the way for arbitrary code execution (ACE) and potential ransomware deployment.In the second half of the episode, we unpack: 🛠️ What privilege escalation is, including vertical and horizontal types 📊 Real-world exploitation paths on Windows systems 🔐 Why tools like BloodHound, winPEAS, and PowerUp are favorites among threat actors 📉 The security impact of misconfigured services, overprivileged accounts, and weak registry settings ✅ And most importantly: what your organization can do to detect, prevent, and mitigate privilege escalation attacks before they spiral out of controlWith privilege escalation playing a central role in everything from data breaches to ransomware infections, this episode is a must-listen for IT admins, security professionals, and anyone responsible for hardening their organization’s defenses.🔄 Don't forget to patch your Nessus Agents, enforce least privilege, and audit your environments regularly.

A major cyberattack has rocked Canada's second-largest airline, WestJet—crippling internal systems and prompting warnings for customers to monitor their accounts and change passwords. But this is more than just a corporate incident. It’s the latest sign of a broader, escalating crisis in aviation cybersecurity.In this episode, we examine the WestJet breach in the context of a rapidly evolving threat landscape. With airlines facing more than 1,000 cyberattacks each month, we unpack the critical vulnerabilities putting passenger safety, operational continuity, and public trust at risk. From DDoS attacks grounding flights at LOT Polish Airlines to phishing campaigns linked to the MH370 tragedy, history shows the aviation sector is an attractive and dangerous target.We dive into the technical and organizational weak points—unpatched systems, insecure networks, and undertrained personnel—that attackers continue to exploit. And we explore the international standards and frameworks designed to fight back: ISO 27001, ISO 22301, ISO 27032, and the NIST Cybersecurity Framework.Most importantly, we discuss how airlines and airports can move from reactive measures to proactive security—layered defenses, real-time detection, and rapid incident response. Whether you're in cybersecurity, aviation, or simply a frequent flyer, this episode breaks down why the WestJet incident is a loud alarm the entire industry must heed.🔐 Key Talking Points:What we know about the June 2025 WestJet cyberattackAviation’s unique cybersecurity vulnerabilitiesLessons from past incidents (LOT, Malaysia Airlines, etc.)How global frameworks like ISO and NIST can strengthen defensesWhy personnel training is just as critical as technical tools

In this episode, we dig into a disturbing yet underreported national security threat: the exploitation of internet-connected surveillance cameras—especially those manufactured in the People’s Republic of China—as a cyber weapon against U.S. critical infrastructure. Drawing from recent DHS intelligence briefings and independent cybersecurity analyses, we uncover how these seemingly benign devices are being used by PRC state-sponsored actors for espionage, system disruption, and even real-time support for physical attacks.We break down how default settings, weak passwords, firmware neglect, and open internet access leave tens of thousands of cameras vulnerable. We explore the scale of exposure—over 14,000 vulnerable devices in the U.S. alone—and how this exposure extends across vital sectors including energy, utilities, transportation, and tech. We also discuss the alarming potential for compromised cameras to feed attackers sensitive system information, map out network layouts, and manipulate operational technologies.Finally, we go beyond the headlines to talk mitigation: What can organizations do right now? What responsibilities do vendors and policymakers have in tightening security standards? And how do we balance real cybersecurity needs with the practical realities of widespread camera deployment? Whether you're in IT, government, or just concerned about digital privacy, this episode will open your eyes to what your cameras might be seeing—and who else might be watching.

In this episode, we dive deep into the alarming revelations surrounding Graphite, a powerful spyware tool developed by Israeli firm Paragon Solutions. Promoted as a “responsible alternative” to the NSO Group’s Pegasus, Graphite is now implicated in the surveillance of journalists, humanitarian activists, and civil society figures—contrary to the vendor’s public claims.We’ll examine new forensic findings by Citizen Lab and how notifications from Apple and WhatsApp revealed targeting in Italy and potentially Canada. Confirmed cases include members of the refugee aid group Mediterranea Saving Humans and journalists critical of the Italian government. We also explore Paragon’s controversial ties with Italy’s intelligence agencies, the rejection of its offer to help investigate the abuse, and the murky termination of the spyware contract.Beyond the political implications, we address the technical side of zero-click attacks, the difficulty of detection, and the real fears expressed by ordinary users on platforms like Reddit. This conversation unpacks not just what happened—but what it means for privacy, transparency, national security, and the future of global surveillance regulation.

zeroRISC just raised $10 million to bring OpenTitan—the first open-source silicon Root of Trust—to market. In this episode, we break down what this funding means for the future of supply chain security, and why investors are betting on open hardware to fix vulnerabilities baked into modern chips.We explore how geopolitical tension, forced labor enforcement (like the UFLPA), and cyber threats are forcing companies to look deeper into their supply chains—including third-party IP and sub-suppliers. We also look at the real-world implications of secure silicon for IoT, data centers, and critical infrastructure.From tamper-resistant firmware updates to attestation against AI deepfakes, we explain why zeroRISC’s Integrity Management Platform may shift control back to device owners—and how open-source innovation is becoming a national security imperative.

The financial services industry is under siege. In this episode, we unpack the latest findings from Radware’s 2025 Financial Threat Analysis and multiple intelligence reports detailing a relentless rise in cyberattacks targeting banks and financial institutions across the globe.We examine the surge in sophisticated attacks that blend legitimate tools with malicious intent—an approach known as "living off the land"—featuring the emergence of new ransomware strains like Fog and RedFox. These campaigns exploit compromised VPN credentials, sideload DLLs through trusted applications, and evade defenses with stealthy tactics that cripple online banking systems, ATMs, and trading platforms.From the 9,000% increase in DDoS attacks in APAC to targeted breaches like the ABDA Insurance attack in Indonesia, we analyze the global scope of these threats. We also dig into the tactics of state-aligned groups like Moonstone Sleet and APT28, who are now weaponizing ransomware and advanced loaders to further geopolitical aims.Tune in for a detailed breakdown of the actors, tactics, and tools defining this new wave of financial sector cyber warfare—and learn the key mitigation strategies experts recommend to stay ahead of these escalating threats.

In this episode, we break down Trend Micro’s urgent June 10th security update that patched ten high- and critical-severity vulnerabilities—some with CVSSv3.1 scores as high as 9.8—across Apex Central and Endpoint Encryption PolicyServer (TMEE). While no active exploitation has been observed, the risks are too severe to ignore.We spotlight the most dangerous issues: pre-authentication remote code execution vulnerabilities stemming from insecure deserialization, a critical authentication bypass that allows attackers full admin access, and SQL injection flaws that enable privilege escalation. Apex Central and TMEE users running vulnerable versions could face full system compromise if left unpatched.We’ll explain what deserialization means, why insecure deserialization is so dangerous, how attackers could exploit these bugs, and why immediate patching is non-negotiable. We also explore mitigation strategies including updated intrusion prevention filters, secure coding practices, and why perimeter security and monitoring matter more than ever—even if no exploitation has been spotted (yet).Tune in for a deep dive into one of the year’s most critical coordinated vulnerability disclosures—and make sure your systems aren’t left exposed.

In this episode, we dissect the critical vulnerabilities plaguing Mitel MiCollab, a widely used unified communications platform, and explore how attackers are exploiting these flaws in the wild. Recently, security researchers uncovered a trio of dangerous vulnerabilities, including CVE-2024-35286 (a SQL injection flaw), CVE-2024-41713 (an authentication bypass), and an unpatched arbitrary file read zero-day. With active exploitation confirmed and proof-of-concept (PoC) exploits already in circulation, these issues have escalated into an urgent cybersecurity crisis.We’ll examine how these vulnerabilities allow attackers to gain unauthorized file access and even full administrative control over affected systems. As noted by watchTowr Labs, the ability to infiltrate VoIP platforms like MiCollab could grant attackers unprecedented access to live communications—a serious concern for enterprise security. The U.S. CISA has added these flaws to its Known Exploited Vulnerabilities catalog, prompting immediate patching directives.Join us as we break down the timeline of discovery, Mitel's patch response, and the current mitigation strategies recommended by FortiGuard Labs and other security experts. If you’re running MiCollab in your environment, this is not an episode you can afford to miss.

Join us for a gripping discussion on "Operation Secure," a landmark international crackdown that reverberated through the dark corners of the cybercriminal world between January and April 2025. Led by INTERPOL and involving law enforcement from 26 countries, primarily across the Asia-Pacific region, this massive coordinated effort, bolstered by critical support from private sector cybersecurity giants like Group-IB, Kaspersky, and Trend Micro, aimed to dismantle the very infrastructure fueling information-stealing malware.In this episode, we'll peel back the layers of Operation Secure, revealing the astounding scale of its impact: over 20,000 malicious IP addresses and domains neutralized, 32 arrests made, and 41 servers seized, containing a staggering 100GB of invaluable cybercriminal data. We'll explore how this intelligence goldmine is now being leveraged to inform future threat hunting and attribution efforts.But why are infostealers such a critical target? We'll delve into the insidious nature of these digital thieves, designed to pilfer sensitive data like passwords and credit card numbers, acting as a perilous gateway to even more severe cybercrimes, including devastating ransomware attacks and widespread fraud. Learn about the "Malware-as-a-Service (MaaS)" model that has fueled the proliferation of notorious strains like Lumma, RisePro, and META, making sophisticated cyber weaponry accessible to a wider range of criminals. We'll also examine the booming infostealer market, which, despite previous law enforcement successes, continues to demonstrate remarkable resilience and innovation.Operation Secure is more than just a series of arrests; it's a testament to the power of global public-private partnership in the fight against an ever-evolving digital threat. We'll discuss the pivotal roles played by INTERPOL in coordinating this complex operation and the crucial contributions of cybersecurity firms in providing intelligence and analysis.While acknowledging the persistent adaptability of cybercrime, Operation Secure sets a powerful precedent. We'll ponder the strategic importance of targeting operators and developers, not just the low-level distributors, and consider what the future holds for continued cross-border cooperation in curbing the infostealer menace. Tune in to understand why "Operation Secure" is not just a tactical victory, but a crucial step forward in securing our digital future.

On June 5, 2025, GreyNoise flagged a massive spike in coordinated brute-force login attempts targeting Apache Tomcat Manager interfaces. Nearly 400 unique IP addresses, many traced back to DigitalOcean infrastructure, were involved in a widespread and opportunistic campaign. In this episode, we dissect the attack pattern, what makes Apache Tomcat a recurring target, and why this surge should be treated as an early warning signal—not just random noise.We go deep into the authentication and configuration weaknesses that attackers exploit and walk through concrete hardening steps every Tomcat admin should implement—starting with strong password hashing (like Argon2id), multi-factor authentication, and locking down management interfaces. We also highlight specific Tomcat security configurations—from Realms and RemoteAddrValve tuning to disabling TRACE, SSLv3, and limiting directory listings.The discussion also covers essential logging and incident response measures, such as setting up AccessLogValve, conducting regular log analysis, enabling secure session management, and building a living incident response plan. Whether you’re running a public-facing Tomcat server or managing multiple internal environments, this episode offers a focused breakdown of proactive defense strategies to secure against both opportunistic and targeted threats.Tune in to learn how to defend your systems before they become someone else’s reconnaissance experiment.

On May 12, 2025, the Texas Department of Transportation (TxDOT) disclosed a significant data breach that compromised crash reports containing personal data of over 423,000 individuals. In this episode, we take a forensic look at what went wrong, how one compromised account enabled unauthorized downloads of sensitive crash data, and what this means for the cybersecurity posture of government agencies.We’ll explore the risks such breaches pose to citizens—ranging from phishing and social engineering to full-blown identity theft—and discuss the immediate steps individuals should take if they’re impacted. Our conversation expands into the systemic cybersecurity challenges facing public institutions, from outdated systems and internal threats to the rising need for AI-driven defense and cloud-based record protection.Also in this episode: best practices for securing government data, insights from recent large-scale public breaches, and how to evaluate identity monitoring services in the wake of a personal data leak.

What happens when hundreds of thousands of college applications are submitted—not by hopeful students, but by bots using stolen identities? In this episode, we dive deep into the alarming rise of financial aid fraud in U.S. higher education, driven by "ghost students" and increasingly sophisticated scams powered by AI. From fraud rings applying for Pell Grants using inmate names to bots flooding online colleges for quick cash refunds, we examine how these schemes operate, who’s behind them, and how they’re hurting real borrowers and legitimate students.We also spotlight internal institutional fraud—from bribed grade changes to fake vendors draining college budgets—and discuss the critical red flags institutions often miss. You'll learn how weaknesses in verification systems, outdated IT controls, and lax internal oversight are enabling widespread fraud.Finally, we explore how colleges, the Department of Education, and victims are responding—from new ID verification rules to AI-powered fraud detection systems—and where these defenses still fall short. If you're a college administrator, student aid officer, policy maker, or just someone who wants to understand how organized scams are hijacking federal aid, this episode is essential listening.

In this episode, we break down the massive supply chain attack that rocked the React Native ecosystem beginning on June 6, 2025. Over 16 NPM packages, collectively downloaded over one million times per week, were silently weaponized with a Remote Access Trojan (RAT) embedded in obfuscated code. The attack, linked to the same threat actor behind the May 2025 rand-user-agent breach, exploited a compromised contributor token to inject malicious payloads into widely used libraries under the @react-native-aria and @gluestack-ui namespaces.We examine how the malware embedded itself stealthily—using whitespace padding, hidden payloads, and path hijacking to achieve long-term persistence, especially on Windows systems. The trojan's capabilities include arbitrary command execution, system data exfiltration, and stealthy control via hardcoded C2 servers on non-standard ports. Despite the maintainers’ response—deprecating affected versions and implementing 2FA—experts warn that system-level compromises may already be widespread.This incident is not isolated. We also highlight related supply chain attacks across NPM, PyPI, and even browser extensions and macOS malware. From credential theft to sabotage and full host takeovers, these threats underscore a growing trend: open-source ecosystems are high-value targets, and current trust models are not enough.Join us for a deep technical dive into what happened, how it was detected, what makes this attack different—and what you must do now if you rely on these packages.

In this episode, we dive into the latest wave of active Mirai botnet campaigns exploiting high-severity remote code execution (RCE) vulnerabilities in critical enterprise and IoT systems. The Mirai malware—still evolving nearly a decade after its first appearance—has adapted its tactics to weaponize recent CVEs with CVSS scores of 9.8 and 9.9, impacting the Spring Framework (Spring4Shell), Wazuh SIEM, and TBK DVR devices.We break down how attackers used Spring4Shell (CVE-2022-22965) to deploy web shells via Tomcat access logs, enabling remote code execution and malware downloads. Then we examine CVE-2025-24016 in Wazuh, where the unsafe use of Python’s eval() in its distributed API gave attackers direct system-level access via crafted payloads. Lastly, we cover CVE-2024-3721 in TBK DVRs, exploited through unauthenticated POST requests that install Mirai binaries equipped with anti-VM and string obfuscation to evade detection.You’ll hear about:The technical mechanisms behind each exploit and how Mirai is being delivered.Real-world observations from Trend Micro, Akamai, and Kaspersky, including infection vectors and payload behaviors.Why DVRs, SIEMs, and Java-based frameworks remain high-value targets for botnets.Critical mitigation strategies, including API hardening, input sanitization, patch timelines, and anomaly detection.Whether you’re a security analyst, incident responder, or system admin, this briefing gives you the situational awareness and practical defenses needed to address these active, high-impact threats.🛡️ Don’t wait to patch. Mirai isn’t slowing down—and neither should your defense posture.

On June 5, 2025, United Natural Foods Inc. (UNFI)—North America's largest publicly traded wholesale food distributor and primary supplier for Whole Foods—was struck by a major cyberattack that forced the company to shut down key IT systems. The result: widespread delivery disruptions to over 30,000 locations across the U.S. and Canada, eerily empty shelves at Whole Foods, canceled shifts for workers, and a 6% plunge in UNFI’s stock price.In this episode, we unpack the layers of this unfolding incident: how a likely ransomware attack forced one of the largest food logistics networks in North America to its knees, what it reveals about vulnerabilities in the retail and food distribution sectors, and why industry insiders are calling this a wake-up call. We’ll explore the ripple effects on grocery supply chains, the financial blowback, the strategic implications for Amazon and Whole Foods, and the growing concern that single-vendor reliance in critical infrastructure is an unacceptable risk in the age of decentralized cyber threats.You’ll also hear about:The eerie warning signs posted in Whole Foods’ refrigerated sectionsHow attackers exploit “digital over-dependence” in retailWhy experts believe this is only the beginning of a larger industry trendWhat this means for the future of cybersecurity in essential servicesThis isn’t just another cyber incident—it’s a national disruption with visible consequences. Tune in as we connect the dots between a digital breach and the real-world breakdown of our food delivery ecosystem.

In this episode, we dissect one of the most sophisticated ongoing cybercrime trends—malware campaigns weaponizing GitHub repositories to compromise developers, gamers, and even rival hackers. By abusing GitHub’s search functionality and reputation signals, threat actors are pushing backdoored code under the guise of popular tools, game cheats, and exploit kits. These malicious repositories often look legitimate, complete with automated commits, fake contributors, and modest star counts to avoid suspicion.We explore how Distribution-as-a-Service (DaaS) operations are driving these attacks, significantly lowering the barrier to entry for cybercriminals. Notable actors like “ischhfd83” and the “Stargazer Goblin” group have maintained thousands of malicious repositories, many embedding backdoors via PreBuild events, Python obfuscation, and Unicode deception techniques. Their payloads include info-stealers like Lumma and RATs like Remcos, with command-and-control often running through Telegram.We also examine the implications of the Coinbase-linked cascading supply chain attack, how even cybercriminals are falling victim, and what developers and security teams need to do now to detect red flags, verify source code, and stop blindly trusting stars and search rankings. If you’re relying on open-source tools, this episode could save you from compiling your next compromise.

In this episode, we dive deep into ClickFix, also tracked as ClearFix or ClearFake—a highly effective and deceptive malware delivery tactic that emerged in early 2024. ClickFix exploits the human tendency to trust browser prompts by using fake error messages, CAPTCHA pages, and verification requests to convince users to execute malicious PowerShell commands via simple keyboard shortcuts.What makes ClickFix so dangerous? It’s “frictionless.” No exploits, no downloads—just user interaction. Attackers preload malware-laced commands into the clipboard and trick victims into running them through legitimate Windows tools like powershell.exe and mshta.exe, effectively bypassing traditional antivirus and EDR tools. This tactic is being leveraged by major threat groups including APT28, MuddyWater, and TA571, and is distributing malware like Stealc, Rhadamanthys, LummaC2, NetSupport RAT, and even macOS stealers like AMOS and AppleProcessHub.We’ll unpack how ClickFix pages mimic trusted platforms like Google Meet, Zoom, TikTok, and cryptocurrency sites to exploit verification fatigue and deliver payloads silently via obfuscated scripts. You'll hear how attackers use LOLBins, JavaScript loaders, and ROT13-encoded payloads to hide their tracks, and why even experienced users are falling for this trick.We’ll also examine the distribution ecosystem, from malvertising and TikTok scams to fake GitHub issues and cracked game forums, and explore the traffers teams and threat actors monetizing this attack method at scale.If you think malware needs a download or a macro to infect a system, think again—ClickFix proves that all it takes is one careless paste.Stay tuned to learn:How the attack chain works step-by-stepWhy ClickFix is hard to detect and blockWhich threat actors are using it and howReal-world examples of malware campaigns using ClickFixWhat defenders and users can do to spot and stop these attacksThis is one of the most insidious and scalable social engineering attacks of the decade—and it’s only just getting started.

Cybercrime is rapidly evolving—and so are its tactics. In this episode, we dissect the findings of SoSafe’s Cybercrime Trends 2025 report and explore the six key trends reshaping the global threat landscape, including AI as an attack surface, multichannel intrusions, and the rising exploitation of personal identities. But we don’t stop at theory.We go deep into the real-world case of the ViLE hacking group—responsible for one of the most egregious doxing and extortion campaigns in recent memory. Hear how hackers breached a DEA portal using stolen police credentials, exfiltrated sensitive personal data, impersonated law enforcement to manipulate social media platforms, and threatened victims’ families unless paid.We also confront the darker side of doxing: how legal loopholes and insufficient protections leave victims—especially women and marginalized groups—exposed to psychological, reputational, and physical harm. From online harassment to SWATing incidents, this episode reveals the chilling consequences of unchecked digital exposure.Finally, we offer actionable insights for both organizations and individuals to build cyber resilience—from proactive employee training and AI-powered defense tools to reviewing digital footprints and involving families in cyber hygiene.This isn’t just about breaches and ransomware—it’s about human lives, eroded trust, and the urgent need to close the growing gap in cyber protection. Tune in to understand the stakes—and what must change.

In this episode, we dive deep into three actively exploited zero-day vulnerabilities discovered in Google Chrome in 2025, each of which was patched in rapid succession following targeted attacks. At the center is CVE-2025-5419, a high-severity out-of-bounds read/write flaw in the V8 JavaScript engine that allows attackers to exploit heap corruption through crafted HTML pages — and it’s already being weaponized in the wild.We also revisit CVE-2025-2783, a Chrome Mojo vulnerability used in Operation ForumTroll, a nation-state espionage campaign targeting Russian organizations. This flaw allowed attackers to bypass Chrome’s sandbox entirely with just one click on a phishing link. The third major zero-day, CVE-2025-4664, exposed gaps in Chrome's Loader component, permitting policy bypass and potential full account takeover.Join us as we analyze the technical root causes, discuss Google's mitigation strategies including emergency out-of-band patches and configuration changes, and explore the implications of these rapid-fire exploits in a threat landscape increasingly shaped by advanced persistent threats and browser-based vulnerabilities. We’ll also offer key takeaways for IT teams and CISOs on patching strategy, user awareness, and the critical role of update velocity in today's cybersecurity defense playbook.

Australia just made cyber history. On May 30, 2025, the nation became the first in the world to enforce mandatory ransomware payment reporting under the newly enacted Cyber Security Act 2024. In this episode, we dissect what this means for businesses, law enforcement, and the global cybersecurity landscape.We break down the key aspects of the legislation, including which organizations are affected, what counts as a "ransomware payment," and the strict 72-hour deadline for reporting incidents to the Australian Signals Directorate. We'll also explore how the government intends to use this data to track attackers, strengthen national defenses, and drive policy change — without currently requiring public disclosure.But it’s not all praise. Critics argue the law imposes strict obligations without offering real help to victims. We examine concerns from cybersecurity experts about a lack of proactive support, the continued pressure to pay ransoms, and whether this initiative is more about optics than outcomes. Plus, we look at how this could influence other countries — including the UK — which are watching closely and debating similar moves.If your organization does business in Australia or wants to understand the global implications of ransomware regulation, this is the conversation you need to hear. Tune in as we unpack what might be the most consequential cybersecurity law of the year — and what’s coming next.

In this episode, we dive into Trustifi’s recent $25 million Series A funding round, led by growth equity firm Camber Partners. Specializing in AI-powered email security, Trustifi has now raised a total of $29 million to accelerate its product development, go-to-market strategy, and global marketing initiatives—especially in the MSP space.We unpack what makes Trustifi’s platform stand out in a crowded cybersecurity market, from AI-driven threat detection and seamless Microsoft 365/Google Workspace integration to outbound encryption policies and account takeover protection. We also explore Camber Partners’ investment thesis and how their operational expertise is poised to help Trustifi scale.With CEO Rom Hendler’s roadmap and a growing need for intelligent, adaptable email security solutions, Trustifi is positioning itself at the intersection of AI innovation and rising cybersecurity threats. Tune in to learn how this funding round signals more than growth—it marks a strategic shift in how businesses protect their communications.

In this episode, we dissect Google's recent and upcoming decisions to distrust several Certificate Authorities (CAs) within the Chrome Root Store, including Entrust, Chunghwa Telecom, and Netlock. These high-impact moves are rooted in Chrome's strict enforcement of compliance, transparency, and security standards for public trust.We explore the role of the Chrome Root Store and Certificate Verifier, the timeline and technical specifics of the CA distrust actions taking effect in November 2024 and August 2025, and the broader implications for enterprises and the Web Public Key Infrastructure (WebPKI). You'll hear how these changes affect certificate validation, enterprise overrides, and post-quantum cryptographic readiness.We also examine what these actions signal for the future of digital trust, CA accountability, and browser power dynamics. Tune in to understand how Chrome’s decisions are reshaping the rules of HTTPS trust and what enterprises must do now to stay ahead of disruptions.

Two critical, actively exploited vulnerabilities in vBulletin forum software—CVE-2025-48827 and CVE-2025-48828—have put thousands of websites at immediate risk of full system compromise. In this episode, we dissect how these flaws, triggered by insecure usage of PHP’s Reflection API and abuse of vBulletin’s template engine, allow unauthenticated attackers to execute arbitrary PHP code and gain remote shell access.We’ll break down the exploit chain, from protected method invocation via malformed API calls to injection of malicious <vb:if> conditionals, enabling full Remote Code Execution (RCE) in vulnerable versions of vBulletin running PHP 8.1 or later. You’ll learn how attackers are currently weaponizing these bugs in the wild—leveraging public exploit code and scanning endpoints like /ajax/api/ad/replaceAdTemplate to plant backdoors.We also cover:Patch levels and which versions are safe (hint: upgrade to v6.1.1 now)Temporary mitigations for legacy vBulletin deploymentsIOC monitoring, containment strategies, and threat hunting adviceWhy dynamic method invocation should never be your access control boundaryLessons for developers and sysadmins on avoiding similar reflection-based pitfallsWhether you run a vBulletin forum or just want to understand the anatomy of a modern web RCE exploit, this episode is your front-row seat to one of 2025’s most serious application-layer vulnerabilities.

In this episode, we dissect the JINX-0132 cryptojacking campaign — a real-world example of how threat actors are exploiting cloud and DevOps environments to mine cryptocurrency at scale.We unpack how cybercriminals targeted misconfigured Docker APIs, publicly exposed HashiCorp Nomad and Consul servers, and vulnerable Gitea instances — turning enterprise-grade compute resources into crypto-mining farms, all while staying under the radar. This campaign marks the first publicly documented exploitation of HashiCorp Nomad in the wild.We discuss:How attackers used XMRig, cron jobs, and process-hiding tools to persist and evade detectionThe impact of misconfiguration and unpatched vulnerabilities in fast-moving DevOps workflowsThe financial and operational cost of unauthorized crypto mining in the cloudThe role of DevSecOps in preventing these attacks, with actionable recommendations for securing your containers and runtimesKey practices to “shift left” and catch security flaws early in the software development lifecycleWhy Cloud Workload Protection Platforms (CWPP) are becoming essential in defending modern cloud-native environmentsWe also highlight best practices for hardening Docker images, avoiding privileged containers, monitoring system behavior, and responding to incidents with speed and precision.

In this episode, we unpack two newly disclosed Linux vulnerabilities—CVE-2025-5054 and CVE-2025-4598—discovered by the Qualys Threat Research Unit (TRU). These race condition flaws impact Ubuntu’s apport and Red Hat/Fedora’s systemd-coredump, exposing a little-known but critical attack vector: core dumps from crashed SUID programs.We dive into how these TOCTOU (Time-of-Check to Time-of-Use) race conditions let local attackers manipulate system timing to trick crash handlers into leaking sensitive data. While the CVSS score is a moderate 4.7, the implications are serious—core dumps can contain password hashes, encryption keys, or proprietary data from privileged processes.Join us as we discuss how the vulnerabilities work, which Linux distributions are affected, and how administrators can apply patches or disable SUID core dumps as a temporary fix. We also explore what this means for system hardening, local threat models, and the often-overlooked risk posed by debugging and crash-reporting tools.