• Burp AI and DAST: The founder of PortSwigger and creator of legendary security software Burp Suite, Dafydd Stuttard, drops by to pitch listeners on Burp AI and Burp Suite DAST.

• Sondera: Josh Devon talks about Sondera, a technology designed to intervene when AI models start doing the wrong thing by statefully tracking their trajectories. This isn’t a permissions suite for AI agents, it’s a way to stick agents in a harness and make sure they adhere to hard policy boundaries.

• Truffle Security: Dylan Ayrey, the founder of Truffle Security, joins Risky Business again to talk through the latest bells and whistles in Trufflehog, a security tool that searches for exposed secrets and validates them. The Truffle team has done a lot of work on the remediation part of their product over the last few years, and Dylan tells us all about it!

This episode is also available on YouTube

Show notes

• Anthropic’s new Mythos model hunts bugs and chains exploits together so well that… you cant have it…
• …Unless you’re one of their Project Glasswing partners
• The world isn’t short on bugs, though. F5, Fortinet, Progress ShareFile, and TrueConf are all getting rekt by humans
• GPU Rowhammering goes in the GPU, past the IOMMU and back into the host-side Nvidia driver
• North Korea is spending serious time and money on its crypto hacking
• Just when the US needs CISA most, they slash its budget some more!

This week’s episode is sponsored by identity verification firm, Persona. Tying digital actions to actual human identities isn’t just for banking know-your-customer any more. Persona’s Benjamin Chait says know-your-staff checks belong in high-value flows inside your organisation, too.

This episode is also available on Youtube.

Show notes

• Claude Mythos Preview \ red.anthropic.com
• Anthropic Claims Its New A.I. Model, Mythos, Is a Cybersecurity ‘Reckoning’ - The New York Times
• Anthropic Teams Up With Its Rivals to Keep AI From Hacking Everything | WIRED
• FFmpeg on X: "Thank you to @AnthropicAI for sending FFmpeg patches" / X
• Critical flaw in F5 BIG-IP faces wide exploitation risk | Cybersecurity Dive
• React2Shell vulnerability helps hackers steal credentials, AI platform keys and other sensitive data | Cybersecurity Dive
• Critical flaw in FortiClient EMS under exploitation | Cybersecurity Dive
• Researchers warn of critical flaws in Progress ShareFile | Cybersecurity Dive
• CISA gives agencies two weeks to patch video conferencing bug exploited by Chinese hackers | The Record from Recorded Future News
• New Rowhammer attacks give complete control of machines running Nvidia GPUs - Ars Technica
• North Korea's hijack of one of the web's most used open source projects was likely weeks in the making | TechCrunch
• Drift crypto platform confirms $280 million stolen in hack as researchers point finger at North Korea | The Record from Recorded Future News
• Drift on X: "Drift Protocol — Incident Background Update " / X
• Trump’s FY2027 budget again targets CISA | Cybersecurity Dive
• CISA’s vulnerability scans, field support on chopping block in Trump budget | Cybersecurity Dive
• Iranian hackers break into U.S. industrial systems, agencies warn
• FBI labels suspected China hack of law enforcement data 'a major cyber incident'
• Russia Hacked Routers to Steal Microsoft Office Tokens – Krebs on Security
• Massachusetts hospital turning ambulances away after cyberattack | The Record from Recorded Future News
• Exclusive | 'Ghost Murmur,' a never-used secret tool, deployed to find lost airman in Iran in daring mission
• A Secure Chat App’s Encryption Is So Bad It Is ‘Meaningless’

Part one features recollections from:

• Jeff Moss (The Dark Tangent), DefCon and Black Hat founder
• Chris Wysopal (Weld Pond), L0pht member, co-founder, @Stake
• Kevin Poulsen (Dark Dante), 1990s hacker turned journalist
• Elias Levy (Aleph One), author of Smashing the Stack for Fun and Profit, Phrack, 1996

How the World Got Owned is produced in partnership with SentinelOne.

Show notes

• Elias Levy (Aleph1), Former Principle Engineer, Google
• Kevin Poulsen, Journalist
• Jeff Moss, DefCon founder
• Chris Wysopal, @Stake founder, L0pht member
• Hackers testifying at the United States Senate, May 19, 1998
• Hackers May ‘Net’ Good PR for Studio
• DefCon Archives | DefCon 1
• A Not So Terribly Brief History of the Electronic Frontier Foundation
• Innocent Hackers Want Their Computers Back
• Breakdowns in Computer Security
• Unsolved Mysteries, Season 3, Episode 4
• The Last Hacker: He Called Himself Dark Dante. His Compulsion Led Him to Secret Files and, Eventually, The Bar of Justice
• Justia appeal summary, Kevin Poulsen, 1994
• Smashing the Stack for Fun and Profit, Phrack Magazine, November 1996
• From subversives to CEOs: How radical hackers built today’s cybersecurity industry

• Those pesky North Koreans shim a backdoor into a 100M-downloads-a-week npm package
• TeamPCP appear to have ransacked Cisco’s source and cloud environments
• AI is getting legitimately good at being told to “just go find some 0day in this”
• Kaspersky says Coruna and Triangulation do share code lineage
• Iranian hackers dump Kash Patel’s gmail spool
• Oh, and of course there’s a Citrix Netscaler memory leak being exploited in the wild

This week’s episode is sponsored by Dropzone AI, who make automated AI SOC analysts. Head honcho Ed Wu explains how they’ve built pre-canned ‘hunt packs’ to lead the AI off into your environment to find weird, interesting and security relevant things.

This episode is also available on Youtube.

Show notes

• Google links axios supply chain attack to North Korean group | The Record from Recorded Future News
• Cisco source code stolen in Trivy-linked dev environment breach
• chiefofautism on X: "someone at ANTHROPIC just showed CLAUDE finding ZERO DAY vulnerabilities in a live conference demo"
• h0mbre on X: "Claude is somehow better at kernel exploitation than creating meal plans."
• Vulnerability Research Is Cooked — Quarrelsome
• MAD Bugs: vim vs emacs vs Claude - Calif
• MAD Bugs: Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747)
• A Risky Biz Experiment: Hunting for iOS 0day with AI - Risky Business Media
• Security leaders say the next two years are going to be 'insane' | CyberScoop
• Coruna framework: an exploit kit and ties to Operation Triangulation | Securelist
• Apple says no one using Lockdown Mode has been hacked with spyware | TechCrunch
• Reverse engineering Apple’s silent security fixes - Calif
• Jury finds Meta's platforms are harmful to children in 1st wave of social media addiction lawsuits | PBS News
• Meta and YouTube found liable in social media addiction trial
• Iranian hackers publish emails allegedly stolen from Kash Patel
• Iran Us War: 'Legitimate targets': Iran issues warning to US tech firms including Google, Amazon, Microsoft, Nvidia - The Times of India
• Drop Site on X: "IRGC: From now on, for every assassination, an American company will be destroyed"
• OSINTtechnical on X: "Starlink shutdowns are forcing Russian troops even deeper into Ubiquiti’s ecosystem. "
• Citrix NetScaler products confirmed to be under exploitation | Cybersecurity Dive
• CISA tells federal agencies to patch Citrix NetScaler bug by Thursday | The Record from Recorded Future News
• Using a VPN May Subject You to NSA Spying | WIRED
• Post reporters called the White House. Their phones showed ‘Epstein Island.’ - The Washington Post

SpecterOps is the company behind attack path enumeration tool Bloodhound and Bloodhound Enterprise, but they’re also a pentest and red teaming shop with world class expertise in popping shells on all sorts of interesting systems in all sorts of interesting places.

This episode is also available on Youtube.

Show notes

• TeamPCP’s supply chain attack on Github, and they threw in an anti-Iran wiper, because why not?!
• Anthropic hooks up its models to just… use your whole computer
• After Stryker’s Very Bad Day, CISA says maybe add some more controls around your Intune?
• Another iOS exploit kit shows up in the cyber bargain-bin
• The FTC decides to ban… all new home routers?! U wot m8?!
• Supermicro founder was personally sanction-busting Nvidia GPUs into China?!

This week’s episode is sponsored by enterprise browser maker, Island. Chief Customer Officer Bradon Rogers joins Pat to explain how its customers are using Island to control the use of personal AI services in regulated industries.

This episode is also available on Youtube.

Show notes

• ‘CanisterWorm’ Springs Wiper Attack Targeting Iran
• TeamPCP deploys CanisterWorm on NPM following Trivy compromise
• Andrej Karpathy on X: "Software horror: litellm PyPI supply chain" attack
• Checkmarx KICS GitHub Action Compromised: Malware Injected in All Git Tags
• Felix Rieseberg on X: "Today, we’re releasing a feature that allows Claude to control your computer"
• A Top Google Search Result for Claude Plugins Was Planted by Hackers
• Lockheed Martin targeted in alleged breach by pro-Iran hacktivist
• CISA urges companies to secure Microsoft Intune systems after hackers mass-wipe Stryker devices
• FBI seems to seize website tied to Iranian cyberattack on Stryker
• Stryker confirms cyberattack is contained and restoration underway
• Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild
• Someone has publicly leaked an exploit kit that can hack millions of iPhones
• Russia-linked hackers use advanced iPhone exploit to target Ukrainians
• Apple rolls out first 'background security' update for iPhones, iPads, and Macs to fix Safari bug
• Post by @wartranslated.bsky.social — Bluesky
• Signal’s Creator Is Helping Encrypt Meta AI
• Hacker says they compromised millions of confidential police tips held by US company
• Millions of 'anonymous' crime tips exposed in massive Crime Stoppers hack
• Feds Disrupt IoT Botnets Behind Huge DDoS Attacks
• FCC bans import of consumer-grade routers amid national security concerns
• White House pours cold water on cyber ‘letters of marque’ speculation
• Google launches threat disruption unit, stops short of calling it ‘offensive'
• Supermicro’s cofounder was just arrested for allegedly smuggling $2.5 billion in GPUs to China
• Cyberattack on vehicle breathalyzer company leaves drivers stranded across the US
• Man pleads guilty to $8 million AI-generated music scheme
• Two Israelis AI generated "intelligence" and sold it to Iran

• Iran’s Intune-based wiper attack on medical device maker Stryker
• Qihoo 360’s AI publishes its own wildcard TLS cert private key
• Instagram is canning its end-to-end encrypted messaging
• What’s going on with mobile internet access in Moscow?
• The Xbox One’s bootloader gets voltage glitched into submission
• Oh Qualys! We love you! (At least, whoever is in the basement writing these beautiful .txt files…)

This week’s episode is sponsored by browser-based detection and response company, Push Security. Researcher Dan Green and Field CTO Mark Orlando join Pat to talk through the InstallFix variant of the *Fix attack technique.

This episode is also available on Youtube.

Show notes

• Iranian Hacktivists Strike Medical Device Maker Stryker in "Severe" Attack that Wiped Systems
• Stryker says it's restoring systems after pro-Iran hackers wiped thousands of employee devices | TechCrunch
• Stryker attack raises concerns about role of device management tool | Cybersecurity Dive
• Stryker tells SEC that timeline for recovery from cyberattack unknown | The Record from Recorded Future News
• How ‘Handala’ Became the Face of Iran’s Hacker Counterattacks | WIRED
• U.S Strikes Killed Iranian Cyber Chiefs, But The Hacks Continued
• Risky Business Features: Being a Wartime CISO
• Supply-chain attack using invisible code hits GitHub and other repositories - Ars Technica
• China's biggest cybersecurity company, Qihoo 360 just leaked their own wildcard SSL private key
• Emergent Cyber Behavior: When AI Agents Become Offensive Threat Actors - Irregular
• Risky Business Features: MCP is Dead
• Measuring AI Agents’ Progress on Multi-Step Cyber Attack Scenarios
• Measuring AI Agents' Progress on Multi-Step Cyber Attack Scenarios
• What is end-to-end encryption on Instagram | Instagram Help Center
• US Lawmakers Move to Kill the FBI’s Warrantless Wiretap Access | WIRED
• Website "whitelists" launched in Moscow | Forbes.ru
• Exclusive: Foreign hacker in 2023 compromised Epstein files held by FBI, source and documents show | Reuters
• Feds say another DigitalMint negotiator ran ransomware attacks and helped extort $75 million | CyberScoop
• Researchers disclose vulnerabilities in IP KVMs from four manufacturers - Ars Technica
• RE//verse 2026: Hacking the Xbox One by Markus 'doom' Gaasedelen - YouTube
• CrackArmor: Multiple vulnerabilities in AppArmor

They also talk about the durability of allowlisting as a control. After 12 years in business, the Airlock product hasn’t really changed all that much. That’s a good thing! It also means the Airlock team have been able to spend some time doing deep engineering instead of chasing the latest attacker TTPs and writing detection rules for them.

This episode is also available on Youtube.

Show notes

• The Coruna exploits were L3 Harris, but it seems Triangulation… was not!
• Iran’s cyber HQ hit by Israeli (kinetic) strikes
• Trump’s cyber “strategy” is … well, all we’ve got is jokes cause there’s no serious content
• NSA and CyberCom finally get a leader after Lt Gen Joshua Rudd gets Senate nod
• DOGE (remember them?!) employee walked a social security database out on a USB stick

This episode is sponsored by open source cloud security scanner Prowler. Creator and CEO Toni de la Fuente talks to Pat about some of the enterprise features Prowler is growing, while remaining true to its open source roots.

This episode is also available on Youtube.

Show notes

• Inside Coruna: Reverse Engineering a Nation-State iOS Exploit Kit From JavaScript
• GitHub - matteyeux/coruna: deobfuscated JS and blobs
• US military contractor likely built iPhone hacking tools used by Russian spies in Ukraine
• APT36: A Nightmare of Vibeware
• State-linked actors targeted US networks in lead-up to Iran war
• Iranian cyber warfare HQ allegedly hit by Israel
• Last 2 names of 6 US soldiers who died in Kuwait attack identified by the Pentagon
• Signal, WhatsApp users face Russian phishing push, Dutch warn
• Samuel Bendett on X: "Russian military told it couldn't use Telegram messaging app"
• FBI investigating ‘suspicious’ cyber activities on critical surveillance network
• Risky Bulletin: New White House EO prioritizes fight against scams and cybercrime
• President Trump’s CYBER STRATEGY for America
• Fact Sheet: President Donald J. Trump Combats Cybercrime, Fraud, and Predatory Schemes Against American Citizens
• UK plans to shift fraud fight onto telecoms, tech companies
• Trump to hit Anthropic with executive order to remove "woke" AI Claude
• Anthropic launches code review tool to check flood of AI-generated code
• CrowdStrike reports record quarter amid investor concerns about AI impact
• Critical defect in Java security engine poses serious downstream security risks
• Gen. Joshua Rudd confirmed as NSA, Cyber Command head
• Plankey’s nomination as CISA director now in jeopardy
• DOGE employee stole Social Security data and put it on a thumb drive, report says
• Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel
• Cel mai mare exportator român de carne, deținătorul brandului Cocorico, a intrat în restructurări, alături de Casa de Insolvență Transilvania

• The US-Israeli attack on Iran had a whole lot of cyber. It’s clearly in the playbook now!
• The NSA Triangulation / L3 Harris Trenchant iOS exploit kit is on the loose, and being used by Chinese crypto scammers
• So long Maddhu Gottumukkala, but CISA’s annus horribilis continues
• Adam “humbug” Boileau complains about the Airsnitch wifi attack just being three ethernets in a trenchcoat
• ASD’s Cisco SD-WAN threat hunting guide is clearly borne of … experience

This week’s episode is sponsored by AI threat hunting platform Nebulock. Sydney Marrone joins to talk about how useful AI models are on the hunt, and her work building out an open source framework and maturity model. It’s methodology agnostic, so you can adapt it for your environment, and the github link is in the show notes!

This episode is also available on Youtube.

Show notes

• Inside the plan to kill Ali Khamenei
• Hacked traffic cams and hijacked TVs: How cyber operations supported the war against Iran | TechCrunch
• Matthew Prince 🌥 on X: "Counter to what some cyber vendors are saying, there’s been a dramatic drop in Iranian cyber operations. Likely as the operators are sheltering. They may pick back up, but right now there’s a noticeable lull." / X
• Cyber Command disrupted Iranian comms, sensors, top general says | The Record from Recorded Future News
• Iranian Hackers Use Elon Musk’s Starlink To Stay Online
• Exclusive | U.S. Smuggled Thousands of Starlink Terminals Into Iran After Protest Crackdown - WSJ
• Attacks on GPS Spike Amid US and Israeli War on Iran | WIRED
• Amazon Data Centers on Fire After Iranian Missile Strikes on Dubai
• A Possible US Government iPhone-Hacking Toolkit Is Now in the Hands of Foreign Spies and Criminals | WIRED
• Canceled contracts, a failed polygraph and personal disputes: Inside the turbulent tenure of Noem’s former cyber czar - POLITICO
• CISA CIO Robert Costello exits agency | CyberScoop
• OpenAI alters deal with Pentagon as critics sound alarm over surveillance
• Inside Anthropic’s Killer-Robot Dispute With the Pentagon - The Atlantic
• Read the full transcript of our interview with Anthropic CEO Dario Amodei - CBS News
• CBP Tapped Into the Online Advertising Ecosystem To Track Peoples’ Movements
• Large-Scale Online Deanonymization with LLMs
• Hackers Weaponize Claude Code in Mexican Government Cyberattack - SecurityWeek
• New AirSnitch attack bypasses Wi-Fi encryption in homes, offices, and enterprises - Ars Technica
• CISA orders agencies to patch Cisco devices now under attack | Cybersecurity Dive
• CISCO SD-WAN THREAT HUNT GUIDE
• ClawJacked attack let malicious websites hijack OpenClaw to steal data
• Area Man Accidentally Hacks 6,700 Camera-Enabled Robot Vacuums | WIRED
• Intellexa founder, three others sentenced to 8 years in prison over Greek spyware scandal | The Record from Recorded Future News
• Moscow man accused of posing as FSB officer to extort Conti ransomware gang | The Record from Recorded Future News
• Farewell, Felix · The Recurity Lablog
• Atmos Sphere 2026 | Atmos
• The Agentic Threat Hunting Framework | Nebulock blog
• GitHub - Nebulock-Inc/agentic-threat-hunting-framework: ATHF is a framework for agentic threat hunting - building systems that can remember, learn, and act with increasing autonomy. · GitHub

• Low skill actors compromise 600 Fortinets with AI-generated playbooks
• Anthropic calls out Chinese AI firms over model distillation
• Meta’s director of AI safety tells her ClawdBot not to delete her mail… so of course it does
• Peter Williams cops 7 years in jail for selling L3 Harris Trenchant’s exploits to Russia
• Ivanti got hacked in 2021 via… bugs in Ivanti

This episode is sponsored by line-rate network capture system Corelight. CEO Brian Dye joins to discuss what AI can do for defenders, and what it can’t.

This episode is also available on Youtube.

Show notes

• AI-augmented threat actor accesses FortiGate devices at scale
• "this reads to me like: they ran existing tools.... but with a cool dashboard :D"
• Anthropic accuses Chinese labs of trying to illicitly take Claude’s capabilities | CyberScoop
• Detecting and preventing distillation attacks
• Hegseth warns Anthropic to let the military use the company’s AI tech as it sees fit, AP sources say
• Anthropic Rolls Out Embedded Security Scanning for Claude
• AWS's AI Coding Bot Kiro Caused a 13-Hour Outage
• Running OpenClaw safely: identity, isolation, and runtime risk
• Former Adobe, Cisco and Salesforce CISO talks AI pentesting
• History Repeats: Security in the AI Agent Era
• Meta Director of AI Safety Allows AI Agent to Accidentally Delete Her Inbox
• Microsoft says Office bug exposed customers' confidential emails to Copilot AI | TechCrunch
• The (tangential) fix: Microsoft adds Copilot data controls to all storage locations
• Ex-L3Harris executive sentenced to 87 months in prison for selling zero-day exploits to Russian broker
• Treasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools
• Risky Bulletin: Russia starts criminal probe of Telegram founder Pavel Durov
• Ukraine pushes tighter Telegram regulation, citing Russian recruitment of locals
• The watchers: how openai, the US government, and persona built an identity surveillance machine that files reports on you to the feds
• Persona emails customers saying they don’t work with ICE or DHS amid ‘surveillance’ claims
• Inside the Fix: Analysis of In-the-Wild Exploit of CVE-2026-21513
• Ivanti hacked in 2021 via its own product
• Fed agencies ordered to patch Dell bug by Saturday after exploitation warning | The Record from Recorded Future News
• From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day

There is no magic solution to this problem. AI models mix code and data, are non-deterministic, and are crawling around all over your enterprise data and APIs as you read this.

But in this sponsored interview, Josh outlines how we can start to wrap our hands around the problem.

This episode is also available on Youtube.

Show notes

• Palo Alto threat researchers want to attribute to China, but management says shush
• An increasing proportion of ransomware is data extortion. Is this good?
• Cambodia says it’s going to dismantle scam compounds
• CISA sufferers through yet another shutdown
• Google Gemini’s training secrets are being systematically harvested to improve other LLMs
• Academics assess SaaS password managers’ resilience against a malicious server

This episode is sponsored by SSO-firewall integration vendor Knocknoc. Chief exec Adam Pointon joins to talk about the latest in defences… which is to say Knocknoc for Solaris/Sparc and HPUX on PA-RISC?! Okay also that other little known OS… Windows.

This episode is also available on Youtube.

Show notes

• Data-only extortion grows as ransomware gangs seek better profits | Cybersecurity Dive
• Arctic Wolf Threat Report 2026
• Exclusive: Palo Alto chose not to tie China to hacking campaign for fear of retaliation from Beijing, sources say
• Risky Bulletin: Cambodia promises to dismantle scam networks by April - Risky Business Media
• Age of the ‘scam state’: how an illicit, multibillion-dollar industry has taken root in south-east Asia | Cybercrime | The Guardian
• Critical flaw in BeyondTrust Remote Support sees early signs of exploitation | Cybersecurity Dive
• CISA Navigates DHS Shutdown With Reduced Staff - SecurityWeek
• Kimwolf Botnet Swamps Anonymity Network I2P – Krebs on Security
• BADIIS to the Bone: New Insights to a Global SEO Poisoning Campaign — Elastic Security Labs
• Over 500,000 VKontakte accounts hijacked through malicious Chrome extensions | The Record from Recorded Future News
• Password managers' promise that they can't see your vaults isn't always true - Ars Technica
• Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers
• Google finds state-sponsored hackers use AI at 'all stages' of attack cycle | CyberScoop
• Google: Gemini hit with 100,000+ prompts in cloning attempt
• Proofpoint acquires Acuvity to tackle the security risks of agentic AI | CyberScoop
• Cisco Redefines Security for the Agentic Era with AI Defense Expansion and AI-Aware SASE
• Sophos Acquires Arco Cyber to Bring CISO-Level, Agentic AI-Powered Expertise to Every Organization
• Dave Kennedy on X: "Regarding this, there was a couple questions on does the pacemaker continue to advertise - most BLE implantable devices go into a sleep type mode. In this case, we are lucky - it does not. We know based on law enforcement answers that she is using a more modern pacemaker with" / X
• Clash Report on X: "BIG: Dutch Defence Minister Gijs Tuinman hints that software independence is possible for F-35 jets. He literally said you can “jailbreak” an F-35. When asked if Europe can modify it without US approval: “That’s not the point… we’ll see whether the Americans will show https://t.co/f11cGvtYsO" / X
• Dutch police arrest man who refused to delete confidential files shared by mistake | The Record from Recorded Future News

• Microsoft reshuffles security leadership. It doesn’t spark joy.
• Russia is hacking the Winter Olympics. Again. But y tho?
• China-linked groups are keeping busy, hacking telcos in Norway, Singapore and dozens of others
• Campaigns underway targeting Ivanti, BeyondTrust and SolarWinds products
• An unknown hero blocks 23/tcp on the US internet backbone
• And James Wilson pops into talk about Claude’s go at a C compiler

This week’s episode is sponsored by Ent.AI, an AI startup that isn’t quite ready to tell us all what they’re doing. But nevertheless, founder Brandon Dixon joins to discuss AI’s role in security. Where does language-based understanding take us that previous methods couldn’t?

This episode is also available on Youtube.

Show notes

• Updates in two of our core priorities - The Official Microsoft Blog
• Strengthening Windows trust and security through User Transparency and Consent | Windows Experience Blog
• Microsoft prepares to refresh Secure Boot’s digital certificate | Cybersecurity Dive
• Microsoft Patch Tuesday matches last year’s zero-day high with six actively exploited vulnerabilities | CyberScoop
• Microsoft releases urgent Office patch. Russian-state hackers pounce. - Ars Technica
• Italy blames Russia-linked hackers for cyberattacks ahead of Winter Olympics | The Record from Recorded Future News
• Researchers uncover vast cyberespionage operation targeting dozens of governments worldwide | The Record from Recorded Future News
• Germany warns of state-linked phishing campaign targeting journalists, government officials | The Record from Recorded Future News
• Norwegian intelligence discloses country hit by Salt Typhoon campaign | The Record from Recorded Future News
• Singapore says China-linked hackers targeted telecom providers in major spying campaign | The Record from Recorded Future News
• Largest Multi-Agency Cyber Operation Mounted to Counter Threat Posed by Advanced Persistent Threat (APT) Actor UNC3886 to Singapore’s Telecommunications Sector | Cyber Security Agency of Singapore
• How Intel and Google Collaborate to Strengthen Intel® TDX
• Strengthening the Foundation: A Joint Security Review of Intel TDX 1.5 - Google Bug Hunters
• Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399) | Huntress
• EU, Dutch government announce hacks following Ivanti zero-days | The Record from Recorded Future News
• North Korean hackers targeted crypto exec with fake Zoom meeting, ClickFix scam | The Record from Recorded Future News
• BeyondTrust warns of critical RCE flaw in remote support software
• Rapid7 Analysis of CVE-2026-1731
• Building a C compiler with a team of parallel Claudes \ Anthropic
• (1) Post by @ryiron.bsky.social — Bluesky
• What AI Security Research Looks Like When It Works | AISLE
• South Korean crypto exchange races to recover $40bn of bitcoin sent to customers by mistake | South Korea | The Guardian
• White House to meet with GOP lawmakers on FISA Section 702 renewal | The Record from Recorded Future News

• Notepad++ update supply chain attack has been attributed to China
• The AI agent future is even more stupid than expected; behold the OpenClaw/Clawdbot/Moltbook mess
• The Epstein files claim he had a personal hacker?
• Microsoft is finally getting ready to (think about starting to begin to) disable NTLM by default
• The usual bugs in the usual things! Ivanti, Fortinet, and Solarwinds. Again.
• Telco hides a free trip in its privacy policy, someone actually reads it and wins!

This weeks’s episode is sponsored by opensource IDP platform Authentik. CEO Fletcher Heisler talks to Pat about their new endpoint agent that can enforce device posture policies during login.

This episode is also available on Youtube.

Show notes

• The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit
• Notepad++ Hijacked by State-Sponsored Hackers | Notepad++
• Notepad++ v8.8.3 - Self-signed Certificate: Certified by Code, Not Corporations | Notepad++
• Hacking Moltbook: AI Social Network Reveals 1.5M API Keys | Wiz Blog
• lcamtuf on X: "Moltbook debate in a nutshell" / X
• Exposed Moltbook Database Let Anyone Take Control of Any AI Agent on the Site
• AndrewMohawk on X: "How exactly did an attacker send a message to your bot since you need to approve all the channels and set keys etc" / X
• Signal president warns AI agents are making encryption irrelevant
• Massive AI Chat App Leaked Millions of Users Private Conversations
• Runa Sandvik on X: New court record from the FBI details the state of the devices seized from Washington Post reporter Hannah Natanson
• EFTA01683874.pdf
• Disrupting the World's Largest Residential Proxy Network | Google Cloud Blog
• Nobel Committee says Peace Prize winner likely revealed early by digital spying | Reuters
• County pays $600,000 to pentesters it arrested for assessing courthouse security - Ars Technica
• Advancing Windows security: Disabling NTLM by default - Windows IT Pro Blog
• Critical flaws in Ivanti EPMM lead to fast-moving exploitation attempts | Cybersecurity Dive
• CISA orders federal agencies to patch exploited SolarWinds bug by Friday | The Record from Recorded Future News
• CISA, security researchers warn FortiCloud SSO flaw is under attack | Cybersecurity Dive
• Fintech firm Marquis blames hack at firewall provider SonicWall for its data breach | TechCrunch
• We Hid a Free Trip to Switzerland in Our Privacy Policy. Someone Found It in 2 Weeks. - Cape
• Between Two Nerds: The internal logic of Russian power grid attacks - YouTube

• La France is tres sérieux about ditching US productivity software
• China’s Salt Typhoon was snooping on Downing Street
• Trump wields the mighty DISCOMBOBULATOR
• ESET says the Polish power grid wiper was Russia’s GRU Sandworm crew
• US cyber institutions CISA and NIST are struggling
• Voice phishing for MFA bypass is getting even more polished

This episode is sponsored by Sublime Security. Brian Baskin is one of the team behind Sublime’s 2026 Email Threat Research report. He joins to talk through what they see of attackers’ use of AI, as well as the other trends of the year.

This episode is also available on Youtube.

Show notes

• France to ditch US platforms Microsoft Teams, Zoom for ‘sovereign platform’ amid security concerns | Euronews
• Suite Numérique plan - Google Search
• China hacked Downing Street phones for years
• Cyberattack Targeting Poland’s Energy Grid Used a Wiper
• Trump says U.S. used secret 'discombobulator' on Venezuelan equipment during Maduro raid | PBS News
• Risky Bulletin: Cyberattack cripples cars across Russia - Risky Business Media
• Lawmakers probe CISA leader over staffing decisions | CyberScoop
• Trump’s acting cyber chief uploaded sensitive files into a public version of ChatGPT - POLITICO
• Acting CISA director failed a polygraph. Career staff are now under investigation. - POLITICO
• NIST is rethinking its role in analyzing software vulnerabilities | Cybersecurity Dive
• Federal agencies abruptly pull out of RSAC after organizer hires Easterly | Cybersecurity Dive
• Real-Time phishing kits target Okta, Microsoft, Google
• Phishing kits adapt to the script of callers
• On the Coming Industrialisation of Exploit Generation with LLMs – Sean Heelan's Blog
• GitHub - SeanHeelan/anamnesis-release: Automatic Exploit Generation with LLMs
• Overrun with AI slop, cURL scraps bug bounties to ensure "intact mental health" - Ars Technica
• Bypassing Windows Administrator Protection - Project Zero
• Task Failed Successfully - Microsoft’s “Immediate” Retirement of MDT - SpecterOps
• Kubernetes Remote Code Execution Via Nodes/Proxy GET Permission
• WhatsApp's Latest Privacy Protection: Strict Account Settings - WhatsApp Blog
• Microsoft gave FBI a set of BitLocker encryption keys to unlock suspects' laptops: Reports | TechCrunch
• He Leaked the Secrets of a Southeast Asian Scam Compound. Then He Had to Get Out Alive | WIRED
• Key findings from the 2026 Sublime Email Threat Research Report

This week news includes:

• Did the US cyber Venezuela’s power grid, or do they just want us to think they coulda?
• US govt might boycott the RSAC Conference ‘cause Jen Easterly being CEO makes them mad
• MS Patch Tuesday fixes CVSS5.5 bug and … stops you shutting down
• Wiz pulls off cloud stunt hack that ends with control of everyone’s AWS console
• Millions of Bluetooth devices that use Google’s Fast Pairing will pair with anyone, any time
• GNU inet-tools’ telnetd parties like it’s 2007, and brings -f root unauthed remote login back

Thinkst is this week’s sponsor, and long time friend of the show Haroon Meer joins. As always they’re polishing their Canary tokens - adding breadcrumbs to lead you to them - but they’re also a bunch of giant nerds who now run South Africa’s Computer Olympiad.

This episode is also available on Youtube.

Show notes

• Cyberattack in Venezuela Demonstrated Precision of U.S. Capabilities - The New York Times
• Why I’m withholding certainty that “precise” US cyber-op disrupted Venezuelan electricity - Ars Technica
• Layered Ambiguity: US Cyber Capabilities in the Raid to Extract Maduro from Venezuela | Royal United Services Institute
• Former CISA Director Jen Easterly Will Lead RSAC Conference | WIRED
• Trump officials consider skipping premier cyber conference after Biden-era cyber leader named CEO - Nextgov/FCW
• Federal agencies ordered to patch Microsoft Desktop Windows Manager bug | The Record from Recorded Future News
• Windows 11 shutdown bug forces Microsoft into damage control • The Register
• CodeBreach: Supply Chain Vuln & AWS CodeBuild Misconfig | Wiz Blog
• Critical flaw in AWS Console risked compromise of build environment | Cybersecurity Dive
• Never-before-seen Linux malware is “far more advanced than typical” - Ars Technica
• VoidLink: Evidence That the Era of Advanced AI-Generated Malware Has Begun - Check Point Research
• Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking | WIRED
• Critical flaw in Fortinet FortiSIEM targeted in exploitation threat | Cybersecurity Dive
• CVE-2025-64155: 3 Years of Remotely Rooting the FortiSIEM
• A single click mounted a covert, multistage attack against Copilot - Ars Technica
• Police raid homes of alleged Black Basta hackers, hunt suspected Russian ringleader | The Record from Recorded Future News
• Jordanian initial access broker pleads guilty to helping target 50 companies | The Record from Recorded Future News
• Supreme Court hacker posted stolen government data on Instagram | TechCrunch
• oss-sec: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
• How crypto criminals stole $700 million from people - often using age-old tricks
• Ctrl + Alt + Chaos: How Teenage Hackers Hijack the Internet

• Santa brings hackers MongoDB memory leaks for Christmas
• Vercel pays out a million bucks to improve its React2Shell WAF defences
• 39C3 delivers; the pink Power Ranger deletes nazis, while a catgirl ruins GnuPG
• Cambodian scam compound kingpin gets extradited to China, and we don’t think it’ll go well for him
• Krebs picks apart the Kimwolf botnet and residential proxy networks
• So many healthcare data leaks that we have a roundup section

This week’s episode is sponsored by Airlock Digital. The founders of the application allow-listing vendor, David Cottingham and Daniel Schell, discuss Microsoft’s ClickOnce .NET app packaging, and how attackers have been abusing it to load code. Airlock hates it when you load code!

This episode is also available on Youtube.

Show notes

• US, Australia say ‘MongoBleed’ bug being exploited | The Record from Recorded Future News
• Merry Christmas Day! Have a MongoDB security incident. | by Kevin Beaumont | Dec, 2025 | DoublePulsar
• Inside Vercel’s sleep-deprived race to contain React2Shell | CyberScoop
• gpg.fail
• Hacktivist deletes white supremacist websites live onstage during hacker conference | TechCrunch
• Chinese attackers exploiting zero-day to target Cisco email security products | The Record from Recorded Future News
• Ni8mare  -  Unauthenticated Remote Code Execution in n8n (CVE-2026-21858) | Cyera Research Labs
• ServiceNow patches critical AI platform flaw that could allow user impersonation | CyberScoop
• Alleged cyber scam kingpin arrested, extradited to China | The Record from Recorded Future News
• FCC IoT labeling program loses lead company after China probe | Cybersecurity Dive
• Trump picks Lt. Gen. Joshua Rudd to lead NSA spy agency - The Washington Post
• NSA cyber directorate gets new acting leadership | The Record from Recorded Future News
• Dutch court sentences hacker who used port systems to smuggle cocaine to 7 years | The Record from Recorded Future News
• ECLI:NL:GHAMS:2026:22, Amsterdam Court of Appeal, 23-003218-22
• The Kimwolf Botnet is Stalking Your Local Network – Krebs on Security
• Who Benefited from the Aisuru and Kimwolf Botnets? – Krebs on Security
• Coupang recovers smashed laptop that alleged data leaker threw into river | The Record from Recorded Future News
• Ransomware responders plead guilty to using ALPHV in attacks on US organizations | The Record from Recorded Future News
• Nearly 480,000 impacted by Covenant Health data breach | The Record from Recorded Future News
• Illinois health department exposed over 700,000 residents' personal data for years | TechCrunch
• Tech provider for NHS England confirms data breach | TechCrunch
• Hacker claiming to be behind ManageMyHealth breach: ‘I do it for the money and I’m in negotiations to get it’ - NZ Herald

This podcast features the memories of:

• Jon Callas, former principal software engineer at Digital Equipment Corporation
• Mark Rasch, Morris Worm prosecutor
• Timothy Winslow, former 414 hacker
• Greg Chartrand, author of Cracking the Cuckoos Egg and
• Tony Sager, former NSA

How the World Got Owned is produced in partnership with SentinelOne.

Show notes

• 1988 Federal sentencing guidelines manual
• Computer Intruder is put on probation and fined $10,000 | The New York Times
• Computer Intruder is found guilty | The New York Times
• United States of America, Appellee, v. Robert Tappan Morris, Defendant-appellant, 928 F.2d 504 (2d Cir. 1991)
• The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage | Clifford Stoll
• Cracking the Cuckoo’s Egg: The Untold Story of tracking and finding Karl Koch aka Hagbard of the Chaos Computer Club | Greg Chartrand
• Computer Buffs Tapped NASA Files | The New York Times
• Young Computer Bandits Byte off More than They Could Chew | The Washington Post
• ‘Hacker’ is used by Mainstream Media, September 5, 1983 | EDN
• Neal Patrick to testify before congressional committee
• Wargames official trailer, 1983
• CBS News Segment on Robert Morris Computer Hacker
• The Fall of the Berlin Wall | Sky News
• I Hacked a Nuclear Facility in the 1980’s. You’re Welcome | CNN

• React2Shell attacks continue, surprising no one
• The unholy combination of OAuth consent phishing, social engineering and Azure CLI
• Venezuela’s state oil firm gets ransomware’d, blames US… but what if it really is a US cyber op?!
• Russian junk-hacktivist gets indicted for cybering critical… err… a car wash and a fountain
• Microsoft finally turns RC4 off by default in Active Directory Kerberos
• Traefik’s TLS verify=on … turns it off, whoopsie 🤡

This week’s episode is sponsored by Sublime Security, makers of an email filtering solution that’s up for dealing with modern problems. Founder and CEO Josh Kamdjou joins to talk about calendar invite phishing, and the extra steps they’ve had to take to reach into people’s calendars and fix the mess.

The Risky Business weekly show is taking holiday break, and will return on 14 January for its twentieth year! Good luck out there, internet friends.

This episode is also available on Youtube.

Show notes

• React2Shell attacks expand widely across multiple sectors | Cybersecurity Dive
• React issues new patches after security researchers flag additional flaws | Cybersecurity Dive
• ConsentFix: Browser-native ClickFix hijacks OAuth grants
• Hacking Endpoint to Identity (Microsoft 365): "ConsentFix" - YouTube
• Announced pick for No. 2 at NSA won’t get the job as another candidate surfaces | The Record from Recorded Future News
• Laura Loomer on X: "EXCLUSIVE: 🚨 White House Official Confirms Ongoing Search for NSA Deputy Director As Tim Kosiba's Deep State And Anti-Trump Ties Raise Red Flags 🚨"
• Senior official at Indo-Pacific Command is set to be Trump’s pick to lead Cyber Command, NSA | The Record from Recorded Future News
• Trump Administration Turning to Private Firms in Cyber Offensive - Bloomberg
• PdV says cyber attacks contained | Latest Market News
• Venezuela state oil company blames cyberattack on US after tanker seizure | The Record from Recorded Future News
• Office of Public Affairs | Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups | United States Department of Justice
• DOJ, CISA warn of Russia-linked attacks targeting meat processing plants, nuclear regulatory entities and other critical infrastructure | The Record from Recorded Future News
• vx-underground on X: "The United States government has indicted a state-sponsored Threat Actor named Victoria Eduardovna Dubranova"
• vx-underground on X: "I'm actually laughing. One of the compromises is so dumb"
• German parliament suffers suspected cyber attack during Zelenskyy’s visit
• Während Selenskyj-Besuch: Große Internet-Störung im Bundestag! | Politik | BILD.de
• Germany summons Russian ambassador over cyberattack, election disinformation | The Record from Recorded Future News
• Russische hackgroep had toegang tot openbare waterfontein in Nederland | de Volkskrant
• Most Parked Domains Now Serving Malicious Content – Krebs on Security
• PornHub extorted after hackers steal Premium member activity data
• Office of Public Affairs | Senior Manager for Government Contractor Charged in Cybersecurity Fraud Scheme | United States Department of Justice
• Microsoft will finally kill obsolete cipher that has wreaked decades of havoc - Ars Technica
• CVE-2025-66491: Traefik's "Verify=On" Turned TLS Off | AISLE
• Dylan O'Donnell 🦋 on X: "This week I was rushed to hospital with a diagnosis of oesophageal cancer."

OpenGraph enumerates attack paths across platforms and services, not just your primary directories.

A compromised GitHub account to on-prem AD compromise attack path? It’s a thing, and OpenGraph will find it.

Cross-platform attack path enumeration! So good!

This episode is also available on Youtube.

Show notes

• There’s a CVSS 10/10 remote code exec in the React javascript server. JS server? U wot mate?
• China is out popping shells with it
• Linux adds support for PCIe bus encryption
• Amnesty International says Intellexa can just TeamViewer into its customers’ surveillance systems
• …and a Belgian murder suspect complains that GrapheneOS’s duress wipe feature failed him?

This week’s episode is sponsored by Kroll Cyber. Simon Onyons is Managing Director at Kroll’s Cyber and Data Resilience arm, and he discusses a problem near to many of our hearts. Just how do you explain cyber risk to the board?

This episode is also available on Youtube.

Show notes

• Risky Bulletin: APTs go after the React2Shell vulnerability within hours - Risky Business Media
• Guillermo Rauch on X: "React2Shell" / X
• React2Shell-CVE-2025-55182-original-poc/README.md at main · lachlan2k/React2Shell-CVE-2025-55182-original-poc · GitHub
• Hydrogen: Shopify’s headless commerce framework
• Researchers track dozens of organizations affected by React2Shell compromises tied to China’s MSS | The Record from Recorded Future News
• Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary
• Three hacking groups, two vulnerabilities and all eyes on China | The Record from Recorded Future News
• Risky Bulletin: Linux adds PCIe encryption to help secure cloud servers
• Sean Plankey nomination to lead CISA appears to be over after Thursday vote | CyberScoop
• 🕳 on X: "This guy is complaining that GrapheneOS “failed him”. Showing a Belgian 🇧🇪 police request for an interrogation regarding premeditated murder (as a suspect)." / X
• Sanctioned spyware maker Intellexa had direct access to government espionage victims, researchers say | TechCrunch
• To Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spyware - Amnesty International Security Lab
• Is ransomware finally on the decline? Treasury data offers cautious hope | CyberScoop
• UK cyber agency warns LLMs will always be vulnerable to prompt injection | CyberScoop
• In comedy of errors, men accused of wiping gov databases turned to an AI tool - Ars Technica

• Airbus rolls out software updates after a cosmic ray bitflips an A320 into a dive
• Krebs tracks down a Scattered Lapsus$ Hunters teen through the usual poor opsec…
• … as Wired publishes an opsec guide for teens.
• Microsoft decides its login portal is worth a Content Security Policy
• South Korean online retailer data breach covers 65% of the country

This week’s episode is sponsored by Nebulock. Founder and CEO Damien Lewke joins to talk through their work bringing more SIgma threat detection rules to MacOS.

This episode is also available on Youtube.

Show notes

• Airlines race to fix their Airbus planes after warning solar radiation could cause pilots to lose control | CNN
• Congress calls on Anthropic CEO to testify on Chinese Claude espionage campaign | CyberScoop
• Post-mortem of Shai-Hulud attack on November 24th, 2025 - PostHog
• Update: Shai-Hulud and the npm Ecosystem: Why CTEM Must Extend Beyond Your Walls | Armis
• Glassworm's resurgence | Secure Annex
• 4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign | Koi Blog
• Post by @spuxx.bsky.social — Bluesky
• Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’ – Krebs on Security
• The WIRED Guide to Digital Opsec for Teens | WIRED
• Perth hacker Michael Clapsis jailed after setting up fake Qantas Wi-Fi, stealing sex videos - ABC News
• Ed Conway on X: "The person who first downloaded the OBR's document at 11:35 on Budget day (I'm guessing someone at Reuters, given they first reported it) had already guessed the web address and tried and failed to download it 32 times so far that day(!) https://t.co/6iLm2uEUj2" / X
• Reuters accused of hack attack | ZDNET
• The Destruction of a Notorious Myanmar Scam Compound Appears to Have Been ‘Performative’ | WIRED
• Microsoft tightens cloud login process to prevent common attack | Cybersecurity Dive
• Fortinet FortiWeb flaws found in unsupported versions of web application firewall | Cybersecurity Dive
• Cryptomixer platform raided by European police; $29 million in bitcoin seized | The Record from Recorded Future News
• Officials accuse North Korea’s Lazarus of $30 million theft from crypto exchange | The Record from Recorded Future News
• Data breach hits 'South Korea's Amazon,' potentially affecting 65% of country’s population | The Record from Recorded Future News
• NSA Contractor Groomed Teenage Girls On Reddit, DOJ Alleges
• Nebulock developed coreSigma for MacOS
• coreSigma repo:

• Salesforce partner Gainsight has customer data stolen
• Crowdstrike fires insider who gave hackers screenshots of internal systems
• Australian Parliament turns off wifi and bluetooth in fear of of visiting Chinese bigwigs
• Shai-Hulud npm/Github worm is back, and rm -rf’ier than ever
• SEC gives up on Solarwinds lawsuit
• Dog eats cryptographer’s key material

This week’s episode is sponsored by runZero. HD Moore pops in to talk about how they’re integrating runZero with Bloodhound-style graph databases. He also discusses uses for driving runZero’s tools with an AI, plus the complexities of shipping AI when the company has a variety of deployment models.

This episode is also available on Youtube.

Show notes

• Google says hackers stole data from 200 companies following Gainsight breach
• Gainsight Status
• Trust Status
• CrowdStrike fires 'suspicious insider' who passed information to hackers
• Salesforce cuts off access to third-party app after discovering ‘unusual activity’
• Атаки разящей панды: APT31 сегодня
• Office of Public Affairs | Seven Hackers Associated with Chinese Government Charged with Computer Intrusions
• Australian federal MPs warned to turn off phones when Chinese delegation visits Parliament House
• Sha1-Hulud: The Second Coming of the NPM Worm is Digging For Secrets
• FCC eliminates cybersecurity requirements for telecom companies
• Trade Associations Cybersecurity Practices Ex Parte
• SEC voluntarily dismisses SolarWinds lawsuit
• Record-breaking DDoS attack against Microsoft Azure mitigated
• The Cloudflare Outage May Be a Security Roadmap – Krebs on Security
• Critics scoff after Microsoft warns AI feature can infect machines and pilfer data
• vx-underground on X: "I've had a surprising amount of people ask me about Copilot"
• Researchers warn command injection flaw in Fortinet FortiWeb is under exploitation
• Two suspected Scattered Spider hackers plead not guilty over Transport for London cyberattack
• Russia arrests young cybersecurity entrepreneur on treason charges
• This campaign aims to tackle persistent security myths in favor of better advice
• Oops. Cryptographers cancel election results after losing decryption key.
• Uncovering network attack paths with runZeroHound
• Model Context Protocol

A fascinating chat with Andrew, as always.

This episode is also available on Youtube.

Show notes

• Anthropic says a Chinese APT orchestrated attacks using its AI
• It’s a day ending in -y, so of course there are shamefully bad Fortinet exploits in the wild
• Turns out slashing CISA was a bad idea, now it’s time for a hiring spree
• Researchers brute force entire phone number space against Whatsapp contact discovery API
• DOJ figures out how to make SpaceX turn off scam compounds’ Starlink service

This week’s episode is sponsored by Mastercard. Senior Vice President of Mastercard Cybersecurity Urooj Burney joins to talk about how the roles of fraud and cyber teams in the financial sector are starting to converge. Mastercard also recently acquired Recorded Future, and Urooj talks about how they aim to integrate cyber threat intelligence into the financial world.

This episode is also available on Youtube.

Show notes

• Full report: Disrupting the first reported AI-orchestrated cyber espionage campaign
• Researchers question Anthropic claim that AI-assisted attack was 90% autonomous - Ars Technica
• China’s ‘autonomous’ AI-powered hacking campaign still required a ton of human work | CyberScoop
• Amazon discovers APT exploiting Cisco and Citrix zero-days | AWS Security Blog
• CISA gives federal agencies one week to patch exploited Fortinet bug | The Record from Recorded Future News
• PSIRT | FortiGuard Labs
• CISA, eyeing China, plans hiring spree to rebuild its depleted ranks | Cybersecurity Dive
• This Is the Platform Google Claims Is Behind a 'Staggering’ Scam Text Operation | WIRED
• A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers | WIRED
• DOJ Issued Seizure Warrant to Starlink Over Satellite Internet Systems Used at Scam Compound | WIRED
• Multiple US citizens plead guilty to helping North Korean IT workers earn $2 million | The Record from Recorded Future News
• Cyberattack leaves Jaguar Land Rover short of £680 million | The Record from Recorded Future News
• FBI: Akira gang has received nearly $250 million in ransoms | The Record from Recorded Future News
• Operation Endgame: Police reveal takedowns of three key cybercrime tools | The Record from Recorded Future News
• Inside a Wild Bitcoin Heist: Five-Star Hotels, Cash-Stuffed Envelopes, and Vanishing Funds | WIRED

• The KK Park scam compound in Myanmar gets blasted with actual dynamite
• China sentences more scammers TO DEATH
• While Singapore is opting to lash them with the cane
• Chinese security firm KnownSec leaks a bunch of documents
• Necromancy continues on NSO Group, with a Trump associate in charge
• OWASP freshens up the Top 10, you won’t believe what’s number three!

This week’s episode is sponsored by Thinkst Canary. Big bird Haroon Meer joins and, as usual, makes a good point. If you’re going to trust a vendor to do something risky like put a box on your network, they have an obligation to explain how they make that safe. Thinkst has a /security page that does exactly that. So why do we let Palo Alto and Fortinet get away with “trust me, bro”?

This episode is also available on Youtube.

Show notes

• Myanmar Junta Dynamites Scam Hub in PR Move as Global Pressure Grows
• China sentences 5 Myanmar scam kingpins to death | The Record from Recorded Future News
• Law passed for scammers, mules to be caned after victims in Singapore lose almost $4b since 2020 | The Straits Times
• KnownSec breach: What we know so far. - NetAskari
• Risky Bulletin: Another Chinese security firm has its data leaked
• Inside Congress Live
• The Government Shutdown Is a Ticking Cybersecurity Time Bomb | WIRED
• Former Trump official named NSO Group executive chairman | The Record from Recorded Future News
• Short-term renewal of cyber information sharing law appears in bill to end shutdown | The Record from Recorded Future News
• Jaguar Land Rover hack hurt the U.K.'s GDP, Bank of England says
• Monetary Policy Report - November 2025 | Bank of England
• SonicWall says state-linked actor behind attacks against cloud backup service | Cybersecurity Dive
• Japanese media giant Nikkei reports Slack breach exposing employee and partner records | The Record from Recorded Future News
• "Intel sues former employee for allegedly stealing confidential data" Post by @campuscodi.risky.biz — Bluesky
• Introduction - OWASP Top 10:2025 RC1

• We love some good vulnerability reporting drama, this time FFmpeg’s got beef with Google
• OpenAI announces its Aardvark bug-gobbling system
• Two US ransomware responders get arrested for… ransomware
• Memento (nee HackingTeam) CEO says: Sì, those are totally our tools getting snapped in Russia
• Hackers help freight theft gangs steal shipments to resell
• A second Jabber Zeus mastermind gets his comeuppance 15 years on

This week’s episode is sponsored by Nucleus Security, who make a vulnerability information management system. Co-founder Scott Kuffer says that approaches for triaging vulnerabilities have started to fall apart, given there are just. So. Many. And they’re all important!

This episode is also available on Youtube.

Show notes

• vx-underground on X: "Yeah, so pretty much this entire drama thing is FFmpeg are a bunch of nerds…"
• FFmpeg on X: "@DavidEGrayson It's someone's hobby project of an obscure 1990s decoder…"
• Halvar Flake on X: "Given the extremely big role ffmpeg has played historically..."
• thaddeus e. grugq on X: "Current drama: Plucky security researcher Google takes on volunteer open source behemoth FFmpeg."
• Robert Graham on X: "Current status: There's a conflict between Google…"
• Introducing Aardvark: OpenAI’s agentic security researcher | OpenAI
• Bugcrowd acquires Mayhem Security to advance AI-powered security testing | CyberScoop
• Prosecutors allege incident response pros used ALPHV/BlackCat to commit string of ransomware attacks | CyberScoop
• Former Trenchant Exec Sold Stolen Code to Russian Buyer Even After Learning that Other Code He Sold Was Being "Utilized" by Different Broker in South Korea
• How an ex-L3Harris Trenchant boss stole and sold cyber exploits to Russia | TechCrunch
• Operation Zero — A Zero-Day Vulnerability Platform
• John Scott-Railton on X: "7/ There's a push to scale up America's offensive industry right now…"
• CEO of spyware maker Memento Labs confirms one of its government customers was caught using its malware | TechCrunch
• Exploiting Microsoft Teams: Impersonation and Spoofing Vulnerabilities Exposed Microsoft Teams Vulnerabilities Uncovered
• Cargo theft gets a boost from hackers using remote monitoring tools | The Record from Recorded Future News
• Remote access, real cargo: cybercriminals targeting trucking and logistics | Proofpoint US
• Alleged Conti ransomware gang affiliate appears in Tennessee court after Ireland extradition | The Record from Recorded Future News
• Three suspected developers of Meduza Stealer malware arrested in Russia | The Record from Recorded Future News
• Alleged Jabber Zeus Coder ‘MrICQ’ in U.S. Custody – Krebs on Security
• Windows Server Update Service exploitation ensnares at least 50 victims | Cybersecurity Dive
• Post by @paulschnack.bsky.social — Bluesky

• L3Harris Trenchant boss accused of selling exploits to Russia once worked at the Australian Signals Directorate
• Microsoft WSUS bug being exploited in the wild
• Dan Kaminsky DNS cache poisoning comes back because of a bad PRNG
• SpaceX finally starts disabling Starlink terminals used by scammers
• Garbage HP update deletes certificates that authed Windows systems to Entra

This week’s episode is sponsored by automation company Tines. Field CISO Matt Muller joins to discuss how Tines has embraced LLMs and the agentic-AI future into their workflow automation.

This episode is also available on Youtube.

Show notes

• US accuses former L3Harris cyber boss of stealing and selling secrets to Russian buyer | TechCrunch
• Attackers bypass patch in deprecated Windows Server update tool | CyberScoop
• CVE-2025-59287 WSUS Unauthenticated RCE | HawkTrace
• CVE-2025-59287 WSUS Remote Code Execution | HawkTrace
• Catching Credential Guard Off Guard - SpecterOps
• Cache poisoning vulnerabilities found in 2 DNS resolving apps - Ars Technica
• Uncovering Qilin attack methods exposed through multiple cases
• Safety on X: "By November 10, we’re asking all accounts that use a security key as their two factor authentication (2FA) method to re-enroll their key to continue accessing X. You can re-enroll your existing security key, or enroll a new one. A reminder: if you enroll a new security key, any" / X
• SpaceX disables more than 2,000 Starlink devices used in Myanmar scam compounds | The Record from Recorded Future News
• SpaceX: Update Your Inactive Starlink Dishes Now or They'll Be Bricked
• How we linked ForumTroll APT to Dante spyware by Memento Labs | Securelist
• Former Polish official indicted over spyware purchase | The Record from Recorded Future News
• HP OneAgent Update Broke Entra Trust on HP AI Devices
• Windows' Built-in OpenSSH for Offensive Security
• How Hacked Card Shufflers Allegedly Enabled a Mob-Fueled Poker Scam That Rocked the NBA | WIRED

• China has been rummaging in F5’s networks for a couple of years
• Meanwhile China tries to deflect by accusing the NSA of hacking its national timing system
• Salesforce hackers use their stolen data trove to dox NSA, ICE employees
• Crypto stealing, proxy-deploying, blockchain-C2-ing VS Code worm charms us with its chutzpah
• Adam gets humbled by new Linux-capabilities backdoor trick
• Microsoft ignores its own guidance on avoiding BinaryFormatter, gets WSUS owned.

This episode is sponsored by Push Security. Co-founder and Chief Product Officer Jacques Louw joins to talk through how Push traced a LinkedIn phishing campaign targeting CEOs, and the new logging capabilities that proved critical to understanding it.

This episode is also available on Youtube.

Show notes

• Why the F5 Hack Created an ‘Imminent Threat’ for Thousands of Networks | WIRED
• Breach at US-based cybersecurity provider F5 blamed on China, sources say | Reuters
• Network security devices endanger orgs with ’90s era flaws | CSO Online
• China claims it caught US attempting cyberattack on national time center | The Record from Recorded Future News
• Hackers Dox Hundreds of DHS, ICE, FBI, and DOJ Officials
• Hackers Say They Have Personal Data of Thousands of NSA and Other Government Officials
• ICE amps up its surveillance powers, targeting immigrants and antifa - The Washington Post
• John Bolton Indictment Provides Interesting Details About Hack of His AOL Account and Extortion Attempt
• US court orders spyware company NSO to stop targeting WhatsApp, reduces damages | Reuters
• Apple alerts exploit developer that his iPhone was targeted with government spyware | TechCrunch
• A New Attack Lets Hackers Steal 2-Factor Authentication Codes From Android Phones | WIRED
• GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace | Koi Blog
• European police bust network selling thousands of phone numbers to scammers | The Record from Recorded Future News
• Stephan Berger on X: "We recently took over an APT investigation from another forensic company. While reviewing analysis reports from the other company, we discovered that the attackers had been active in the network for months and had deployed multiple backdoors. One way they could regain root" / X
• Linux Capabilities Revisited | dfir.ch
• CVE-2025-59287 WSUS Remote Code Execution | HawkTrace
• TARmageddon (CVE-2025-62518): RCE Vulnerability Highlights the Challenges of Open Source Abandonware | Edera Blog
• Browser threat detection & response | Push Security | Push Security
• How Push stopped a high risk LinkedIn spear-phishing attack

Show notes

After listening to this interview you’ll understand why the credit card company spent $2.65b on threat intelligence vendor Recorded Future!

This episode is also available on Youtube.

Show notes

• FBI intervenes in Scattered Spider Salesforce leaksite
• Clop loots Oracle E-Biz deployments
• Plus so much more data extortion.. At least it’s not ransomware … we guess?
• The US still can’t decide who’s gonna be in charge of NSA & Cybercom
• Cambodian scam compounds get sanctioned and $15b in crypto is seized
• NSO gets sold for pocket-lint-grade money
• Bugs! Redis CVSS 10, Ivanti, Crowdstrike and… Internet Explorer?! zeroday?! In the wild?!!!?

This week’s episode is sponsored by Stairwell. Founder Mike Wiacek talks about how Stairwell brings VirusTotal-like visibility to private files, and about integrating the insights that brings into your SOC workflow.

This episode is also available on Youtube.

Show notes

• FBI takedown banner appears on BreachForums site as Scattered Spider promotes leak | The Record from Recorded Future News
• Dozens of Oracle customers impacted by Clop data theft for extortion campaign | CyberScoop
• Well, Well, Well. It’s Another Day. (Oracle E-Business Suite Pre-Auth RCE Chain - CVE-2025-61882)
• Clop is a Big Fish, But Not Worth Hunting - Risky Business Media
• ShinyHunters Wage Broad Corporate Extortion Spree – Krebs on Security
• The company Discord blamed for its recent breach says it wasn't hacked
• Qantas confirms cybercriminals released stolen customer data | The Record from Recorded Future News
• Red Hat confirms breach of GitLab instance, which stored company’s consulting data | CyberScoop
• Risky Bulletin: Microsoft revamps Edge's "IE Mode" after zero-day attacks - Risky Business Media
• Teenagers arrested in England over cyberattack on nursery chain Kido | The Record from Recorded Future News
• Acting US Cyber Command, NSA chief won’t be nominated for the job, sources say | The Record from Recorded Future News
• Layoffs, reassignments further deplete CISA | Cybersecurity Dive
• Trump’s scandalous directive to AG Pam Bondi reached the public by accident
• Feds sanction Cambodian conglomerate over cyber scams, seize $15 billion from chairman | The Record from Recorded Future News
• US Congress committee investigating Musk-owned Starlink over Myanmar scam centres | Myanmar | The Guardian
• Satellites Are Leaking the World’s Secrets: Calls, Texts, Military and Corporate Data | WIRED
• Netherlands invokes special powers against Chinese-owned semiconductor company Nexperia | The Record from Recorded Future News
• Spyware maker NSO Group confirms acquisition by US investors | TechCrunch
• Apple Announces $2 Million Bug Bounty Reward for the Most Dangerous Exploits | WIRED
• Wiz Finds Critical Redis RCE Vulnerability: CVE‑2025‑49844 | Wiz Blog
• SonicWall admits attacker accessed all customer firewall configurations stored on cloud portal | CyberScoop
• SonicWall SSLVPN devices compromised using valid credentials | Cybersecurity Dive
• Issues Affecting CrowdStrike Falcon Sensor for Windows
• ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities - SecurityWeek
• Jaguar Land Rover launches phased restart at factories after cyber-attack | Jaguar Land Rover | The Guardian
• Windows 10 support ends today — here's who's affected and what you need to do

• Realm Security: A security focussed, AI-first data pipeline platform
• Horizon3: AI hackers! Pentesting robots!! They’re coming fer yur jerbs!
• Persona: Verify customer and staff identities with live capture

This episode is also available on Youtube.

Show notes

• Hackers learn that trying to coerce a journalist just makes for … a great story?
• A man in his 40s gets arrested over the European airport chaos. Yep, we’re surprised, too.
• Adam fanboys over Watchtowr Labs while bemoaning Fortra.
• Academics pick apart Tile trackers and find them lacking
• CISA tells agencies to patch their damn Cisco gear

This episode is also available on YouTube.

Show notes

• 'You'll never need to work again': Criminals offer reporter money to hack BBC
• Government to guarantee £1.5bn Jaguar Land Rover loan after cyber shutdown
• Feds Tie ‘Scattered Spider’ Duo to $115M in Ransoms – Krebs on Security
• UK authorities arrest man in connection with cyberattack against aviation vendor | Cybersecurity Dive
• Chinese scammer pleads guilty after UK seizes nearly $7 billion in bitcoin
• Cyberattack on Japanese beer giant Asahi limits shipping, call center operations | The Record from Recorded Future News
• Afghanistan plunged into nationwide internet blackout, disrupting air travel, medical care | The Record from Recorded Future News
• Tile trackers are a stalker's dream, say Georgia Tech researchers
• Intel and AMD trusted enclaves, the backbone of network security, fall to physical attacks - Ars Technica
• Supermicro server motherboards can be infected with unremovable malware - Ars Technica
• China-linked hackers use ‘BRICKSTORM’ backdoor to steal IP | The Record from Recorded Future News
• Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
• Federal agencies given one day to patch exploited Cisco firewall bugs | The Record from Recorded Future News
• Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability
• Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035)
• It Is Bad (Exploitation of Fortra GoAnywhere MFT CVE-2025-10035) - Part 2

• Secret Service raids a SIM farm in New York
• MI6 launches a dark web portal
• Are the 2023 Scattered Spider kids finally getting their comeuppance?
• Production halt continues for Jaguar Land Rover
• GitHub tightens its security after Shai-Hulud worm

This week’s episode is sponsored by Sublime Security. In this week’s sponsor interview, Sublime founder and CEO Josh Kamdjou joins host Patrick Gray to chat about the pros and cons of using agentic AI in an email security platform.

This episode is also available on YouTube

Show notes

• U.S. Secret Service disrupts telecom network that threatened NYC during U.N. General Assembly
• MI6 launches darkweb portal to recruit foreign spies | The Record from Recorded Future News
• One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens | dirkjanm.io
• Github npm changes
• Flights across Europe delayed after cyberattack targets third-party vendor | Cybersecurity Dive
• Major European airports work to restore services after cyberattack on check-in systems | The Record from Recorded Future News
• When “Goodbye” isn’t the end: Scattered LAPSUS$ Hunters hack on | DataBreaches.Net
• UK arrests 2 more alleged Scattered Spider hackers over London transit system breach | Cybersecurity Dive
• Alleged Scattered Spider member turns self in to Las Vegas police | The Record from Recorded Future News
• Las Vegas police arrest minor accused of high-profile 2023 casino attacks | CyberScoop
• DOJ: Scattered Spider took $115 million in ransoms, breached a US court system | The Record from Recorded Future News
• vx-underground on X: "Scattered Spider ransoms company for 964BTC - wtf_thats_alot.jpeg - Document says "Cost of BTC at time was $36M" - $36M / 964BTC = $37.5K - BTC value was $37.5K in November, 2023 - Google "Ransomware, November, 2023" - omfg.exe https://t.co/uv2EzbL5HT" | X
• JLR ‘cyber shockwave ripping through UK industry’ as supplier share price plummets by 55% | The Record from Recorded Future News
• Jaguar Land Rover to extend production pause into October following cyberattack | Cybersecurity Dive
• New plan would give Congress another 18 months to revisit Section 702 surveillance powers | The Record from Recorded Future News
• AI-powered vulnerability detection will make things worse, not better, former US cyber official warns | Cybersecurity Dive

• Shai-Hulud worm propagates via npm and steals credentials
• Jaguar Land Rover attack may put smaller suppliers out of business
• Leaked data emerges from the vendor behind the Great Firewall of China
• Vastaamo hacker walks free while appeal is underway
• Why is a senator so mad about Kerberos?

This week’s episode is sponsored by Knocknoc. Chief exec Adam Pointon joins to talk through the surprising number of customers that are using Knocknoc’s identity-to-firewall glue to protect internal services and networks.

This week’s episode is also available on Youtube.

Show notes

• Self-Replicating Worm Hits 180+ Software Packages – Krebs on Security
• Jaguar Land Rover: Some suppliers 'face bankruptcy' due to hack crisis
• Jaguar Land Rover production shutdown could last until November
• U.S. Investors, Trump Close In on TikTok Deal With China - WSJ
• U.S. Investors, Trump Close In on TikTok Deal With China - WSJ
• How China’s Propaganda and Surveillance Systems Really Operate | WIRED
• Mythical Beasts: Diving into the depths of the global spyware market - Atlantic Council
• Hacker convicted of extorting 20,000 psychotherapy victims walks free during appeal | The Record from Recorded Future News
• US national charged in Finnish psychotherapy center extortion | The Record from Recorded Future News
• BreachForums administrator given three-year prison stint after resentencing | The Record from Recorded Future News
• Microsoft, Cloudflare disrupt RaccoonO365 credential stealing tool run by Nigerian national | The Record from Recorded Future News
• Senator blasts Microsoft for making default Windows vulnerable to “Kerberoasting” - Ars Technica
• Exclusive: US warns hidden radios may be embedded in solar-powered highway infrastructure | Reuters
• Israel announces seizure of $1.5M from crypto wallets tied to Iran | TechCrunch

With its new Nuclei integration, runZero is now able to get a very accurate picture of what’s vulnerable in your environment, without spraying highly privileged credentials at attackers on your network.

It can also integrate with your EDR platform, and other data sources, to give you powerful visibility into the true state of things on your network and in your cloud.

This episode is also available on Youtube.

Show notes

• Apple ruins exploit developers’ week with fresh memory corruption mitigations
• Feross Aboukhadijeh drops by to talk about the big, dumb npm supply chain attack
• Salesloft says its GitHub was the initial entry point for its compromise
• Sitecore says people should “patch” its using-the-keymat-from-the-documentation “zero day”
• Rogue certs for 1.1.1.1 appear to be just (stupid) testing
• Jaguar Land Rover ransomware attackers are courting trouble

This week’s episode is sponsored by open source cloud security tool, Prowler. Founder Toni de la Fuente joins to discuss their new support for Microsoft 365. Time to point Prowler at your OneDrive and Sharepoint!

This episode is also available on Youtube.

Show notes

• Blog - Memory Integrity Enforcement: A complete vision for memory safety in Apple devices - Apple Security Research
• Venezuela's president thinks American spies can't hack Huawei phones | TechCrunch
• 18 Popular Code Packages Hacked, Rigged to Steal Crypto – Krebs on Security
• Software packages with more than 2 billion weekly downloads hit in supply-chain attack - Ars Technica
• Salesloft platform integration restored after probe reveals monthslong GitHub account compromise | Cybersecurity Dive
• CISA orders federal agencies to patch Sitecore zero-day following hacking reports | The Record from Recorded Future News
• SAP warns of high-severity vulnerabilities in multiple products - Ars Technica
• The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest. - Ars Technica
• Cyberattack on Jaguar Land Rover threatens to hit British economic growth | The Record from Recorded Future News
• Cyberattack forces Jaguar Land Rover to tell staff to stay at home | The Record from Recorded Future News
• Bridgestone Americas continues probe as it looks to restore operations | Cybersecurity Dive
• Qantas penalizes executives for July cyberattack | The Record from Recorded Future News
• Cyber Command, NSA to remain under single leader as officials shelve plan to end 'dual hat' | The Record from Recorded Future News
• GOP Cries Censorship Over Spam Filters That Work – Krebs on Security
• Risky Bulletin: APT report? No, just a phishing test! - Risky Business Media
• Post by @patrick.risky.biz — Bluesky

• Automated, AI-powered threat hunting with Nebulock

Damien Lewke from Nebulock joins the show to talk about how its agentic AI platform can surface attacker activity out of all those “low” and “informational” findings your detection team doesn’t have time to look at.

• Runtime security for hypervisors from Vali Cyber

Austin Gadient from Vali Cyber stops by to talk about ZeroLock, its hypervisor security product. It’s marketed as a counter-ransomware control but is just a generally useful security platform for virtualised environments.

• A secure mobile telco: Cape

The only thing American cell providers love more than providing patchy coverage is getting their customers’ data owned. Cape is here to change that. It’s a security and anonymity-focussed virtual mobile network operator (MVNO) that’s been spun up by a highly competent team. If we lived in the USA we would be customers, and a bunch of CISOs listening to this might want to consider Cape subscriptions for their workforce.

This episode is also available on Youtube

Show notes

• The Salesloft breach and why OAuth soup is a problem
• The Salt Typhoon telco hackers turn out to be Chinese private sector, but state-directed
• Google says it will stand up a “disruption unit”
• Microsoft writes up a ransomware gang that’s all-in on the cloud future
• Aussie firm hot-mics its work-from-home employees’ laptops
• Youtube scam baiters help the feds take down a fraud ring

This episode is sponsored by Dropzone.AI. Founder and CEO Edward Wu joins the show to talk about how AI driven SOC tools can help smaller organisations claw their way above the “security poverty line”. A dedicated monitoring team, threat hunting and alert triage, in a company that only has a couple of part time infosec people? Yes please!

This episode is also available on Youtube.

Show notes

• The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft – Krebs on Security
• Salesloft: The Leading AI Revenue Orchestration Platform
• Palo Alto Networks, Zscaler customers impacted by supply chain attacks | Cybersecurity Dive
• The impact of the Salesloft Drift breach on Cloudflare and our customers
• China used three private companies to hack global telecoms, U.S. says
• CSA_COUNTERING_CHINA_STATE_ACTORS_COMPROMISE_OF_NETWORKS.PDF
• Google previews cyber ‘disruption unit’ as U.S. government, industry weigh going heavier on offense | CyberScoop
• Ransomware gang takedowns causing explosion of new, smaller groups | The Record from Recorded Future News
• Hundreds of Swedish municipalities impacted by suspected ransomware attack on IT supplier | The Record from Recorded Future News
• Storm-0501’s evolving techniques lead to cloud-based ransomware | Microsoft Security Blog
• The Era of AI-Generated Ransomware Has Arrived | WIRED
• Between Two Nerds: How threat actors are using AI to run wild - YouTube
• Affiliates Flock to ‘Soulless’ Scam Gambling Machine – Krebs on Security
• UK sought broad access to Apple customers’ data, court filing suggests
• ICE reactivates contract with spyware maker Paragon | TechCrunch
• WhatsApp fixes 'zero-click' bug used to hack Apple users with spyware | TechCrunch
• Safetrac turned staff laptops into covert recording devices to monitor WFH
• Risky Bulletin: YouTubers unmask and help dismantle giant Chinese scam ring - Risky Business Media

• Australia expels Iranian ambassador
• Hackers sabotage Iranian shipping satcoms
• APT hacker got doxxed in Phrack. Kind of. They’re probably Chinese, not DPRK?
• Trail of Bits uses image-downscaling to sneak prompts into Google Gemini
• The Com’s King Bob gets ten years in the slammer
• It’s a day that ends in -y, so of course there’s a new Citrix Netscaler RCE being used in the wild.

This week’s episode is brought to you by Corelight. Chief Strategy Officer Greg Bell talks through how they’ve been implementing AI for sifting through your network data. A model-context-protocol server that can rummage in all those packet logs for you while you keep investigating? Yes please.

This episode is also available on Youtube.

Show notes

• Embassy staff flee Canberra in dead of night | news.com.au — Australia’s leading news site for latest headlines
• Swedish security service says Iran uses criminal networks in Sweden | Reuters
• Risky Bulletin: Hackers sabotage Iranian ships at sea, again - Risky Business Media
• Microsoft scales back Chinese access to cyber early warning system | Reuters
• Microsoft Didn’t Disclose Key Details to U.S. Officials of China-Based Engineers, Record Shows — ProPublica
• .:: Phrack Magazine ::.
• Uncovering the Chinese Proxy Service Used in APT Campaigns
• Weaponizing image scaling against production AI systems -The Trail of Bits Blog
• FBI, Cisco warn of Russia-linked hackers targeting critical infrastructure organizations | Cybersecurity Dive
• CrowdStrike warns of uptick in Silk Typhoon attacks this summer | CyberScoop
• Kevin Beaumont: "There’s a bunch of new Netscal…" - Cyberplace
• US charges Oregon man in vast botnet-for-hire operation | Cybersecurity Dive
• South Korea arrests suspected Chinese hacker accused of targeting BTS singer and other celebrities | The Record from Recorded Future News
• SIM-Swapper, Scattered Spider Hacker Gets 10 Years – Krebs on Security
• Chinese national who sabotaged Ohio company’s systems handed four-year jail stint | The Record from Recorded Future News
• Nevada state offices close after wide-ranging 'network security incident' | Reuters
• DSLRoot, Proxies, and the Threat of ‘Legal Botnets’ – Krebs on Security
• Russia weighs Google Meet ban as part of foreign tech crackdown | The Record from Recorded Future News
• Kremlin-Mandated Messaging App Max Is Designed To Spy On Users
• Иеромонах РПЦ Макарий призвал помолиться за мессенджер MAX

Redmond has been using Chinese engineers to do everything from remotely support US DoD private cloud systems to maintain the on premise version of the SharePoint code base. It’s all blown up in the press over the last month, but how did we get here? Did Microsoft make these decisions to save money? Or was it more about getting access to the Chinese market? And how can we all make the world’s most important software company stop doing things like this? Tune in to the Wide World of Cyber podcast to find out!

This episode is also available on Youtube.

Show notes

• Oracle’s long term CSO departs, and we’re not that sad about it
• Canada’s House of Commons gets popped through a Microsoft bug
• Russia degrades voice calls via Whatsapp and Telegram to push people towards Max
• South-East Asian scam compounds are also behind child sextortion
• Reports that the UK has backed down on Apple crypto are… strange
• Oh and of course there’s a Fortinet bug! There’s always a Fortinet bug!

This week’s episode is sponsored by open source identity provider Authentik. CEO Fletcher Heisler joins the show this week, and explains the journey of implementing SSO backed login on Windows, Mac and Linux. You’ll never guess which one was a few lines of PAM config, and which was a multi-month engineering project!

This episode is also available on Youtube.

Show notes

• Is Oracle facing headwinds? After layoffs, its 4-decade veteran Chief Security Officer Mary Ann Davidson departs
• Oracle CSO blasted over anti-security research rant - iTnews
• New York lawsuit against Zelle creator alleges features allowed $1 billion in thefts | The Record from Recorded Future News
• Mobile Phishers Target Brokerage Accounts in ‘Ramp and Dump’ Cashout Scheme – Krebs on Security
• How we found TeaOnHer spilling users' driver's licenses in less than 10 minutes | TechCrunch
• UK has backed down on demand to access US Apple user data, spy chief says
• DNI Tulsi Gabbard on X: "As a result, the UK has agreed to drop its mandate for"
• Hackers target Workday in social engineering attack
• Russia curbs WhatsApp, Telegram calls to counter cybercrime | The Record from Recorded Future News
• Hackers reportedly compromise Canadian House of Commons through Microsoft vulnerability | The Record from Recorded Future News
• Norway police believe pro-Russian hackers were behind April dam sabotage | The Record from Recorded Future News
• US agencies, international allies issue guidance on OT asset inventorying | Cybersecurity Dive
• FortMajeure: Authentication Bypass in FortiWeb (CVE-2025-52970)
• U.S. State Dept - Near Eastern Affairs on X: "He did not claim diplomatic immunity and was released by a state judge"
• 493 Cases of Sextortion Against Children Linked to Notorious Scam Compounds | WIRED
• .:: Phrack Magazine ::.
• Accenture to buy Australian cyber security firm CyberCX - iTnews

It’s great to know there’s a CVE in a library you’re using, but it’s even better if you can say whether or not that vulnerability actually impacts your application.

They also talk about how Socket started out as a way to discover malicious packages in software projects, but these days it’s playing the CVE game as well.

This episode is also available on Youtube.

Show notes

• CISA warns about the path from on-prem Exchange to the cloud
• Microsoft awards a crisp zero dollar bill for a report about what a mess its internal Entra-authed apps are
• Everyone and their dog seems to have a shell in US Federal Court information systems
• Google pays $250k for a Chrome sandbox escape
• Attackers use javascript in adult SVG files to … farm facebook likes?!
• SonicWall says users aren’t getting hacked with an 0day… this time.

This week’s episode is sponsored by SpecterOps. Chief product officer Justin Kohler talks about how the flagship Bloodhound tool has evolved to map attack paths anywhere. Bring your own applications, directories and systems into the graph, and join the identity attacks together.

This episode is also available on Youtube.

Show notes

• CISA, Microsoft issue alerts on ‘high-severity’ Exchange vulnerability | The Record from Recorded Future News
• Advanced Active Directory to Entra ID lateral movement techniques
• Consent & Compromise: Abusing Entra OAuth for Fun and Access to Internal Microsoft Applications
• Cartels may be able to target witnesses after major court hack
• Federal judiciary tightens digital security as it deals with ‘escalated cyberattacks’ | The Record from Recorded Future News
• Citrix NetScaler flaws lead to critical infrastructure breaches | Cybersecurity Dive
• DARPA touts value of AI-powered vulnerability detection as it announces competition winners | Cybersecurity Dive
• Buttercup is now open-source!
• HTTP/1.1 must die: the desync endgame
• US confirms takedown of BlackSuit ransomware gang that racked up $370 million in ransoms | The Record from Recorded Future News
• North Korean cyber-espionage group ScarCruft adds ransomware in recent attack | The Record from Recorded Future News
• Adult sites are stashing exploit code inside racy .svg files - Ars Technica
• Google pays 250k for Chromium sandbox escape
• SonicWall says recent attack wave involved previously disclosed flaw, not zero-day | Cybersecurity Dive
• Two groups exploit WinRAR flaws in separate cyber-espionage campaigns | The Record from Recorded Future News
• Tornado Cash cofounder dodges money laundering conviction, found guilty of lesser charge | The Record from Recorded Future News
• Hackers Hijacked Google’s Gemini AI With a Poisoned Calendar Invite to Take Over a Smart Home | WIRED
• Malware in Open VSX: These Vibes Are Off
• How attackers are using Active Directory Federation Services to phish with legit office.com links
• Introducing our guide to phishing detection evasion techniques
• The State of Attack Path Management

This episode explores the rise of AI-powered bug hunting:

• Google’s Project Zero and Deepmind team up to find and report 20 bugs to open source projects
• The XBOW AI bug hunting platform sees success on HackerOne
• Is an AI James Kettle on the horizon?

There’s also plenty of regular cybersecurity news to discuss:

• On-prem Sharepoint’s codebase is maintained out of China… awkward!
• China frets about the US backdooring its NVIDIA chips, how you like ‘dem apples, China?
• SonicWall advises customers to turn off their VPNs
• Hardware controlling Dell laptop fingerprint and card readers has nasty driver bugs
• Russia uses its ISPs to in-the-middle embassy computers and backdoor ‘em.
• The Russian government pushes VK’s Max messenger for everything

This week’s show is sponsored by device management platform Devicie. Head of Solutions Sean Ollerton talks through the impending Windows 10 apocalypse, as Microsoft ends mainstream support. He says Windows 11 isn’t as scary as people make out, but if the update isn’t on your radar now, time is running out.

This episode is also available on Youtube.

Show notes

• Google says its AI-based bug hunter found 20 security vulnerabilities | TechCrunch
• Is XBOW’s success the beginning of the end of human-led bug hunting? Not yet. | CyberScoop
• James Kettle on X: "There I am being careful to balance hyping my talk without going too far and then this gets published 😂 maybe the countdown timer is just too ominous!
• Risky Bulletin: China with the accusations again - Risky Business Media
• 美情报机构频繁对我国防军工领域实施网络攻击窃密
• SharePoint Exploit: Microsoft Used China-Based Engineers to Maintain the Software — ProPublica
• China fears Nvidia chips could track, trace and shut down its AIs - Asia Times
• SonicWall urges customers to take VPN devices offline after ransomware incidents | The Record from Recorded Future News
• Gen 7 SonicWall Firewalls – SSLVPN Recent Threat Activity
• ReVault! When your SoC turns against you…
• Nearly 100,000 ChatGPT Conversations Were Searchable on Google
• Microsoft catches Russian hackers targeting foreign embassies - Ars Technica
• The Kremlin’s Most Devious Hacking Group Is Using Russian ISPs to Plant Spyware | WIRED
• Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats | Microsoft Security Blog
• Russia blocks popular US-made internet speed test tool over national security concerns | The Record from Recorded Future News

This episode is also available on Youtube.

Show notes

• Did the SharePoint bug leak out of the Microsoft MAPP program?
• Expel retracts its FIDO bypass writeup
• The mess surrounding the women-only dating-safety app Tea gets worse
• Broadcom customers struggle to get patches for VMWare hypervisor escapes
• Aeroflot gets hacked by the Cyber Partisans, disrupting flights

This week’s episode is sponsored by Push Security. Daniel Cuthbert joins and explains how having telemetry about identity from inside the browser is a key pillar for investigating intrusions in the browser-centric future.

This episode is also available on Youtube.

Show notes

• Microsoft Probing Whether Cyber Alert Tipped Off Chinese Hackers
• Microsoft says Warlock ransomware deployed in SharePoint attacks as governments scramble | The Record from Recorded Future News
• What we know about the Microsoft SharePoint attacks | Cybersecurity Dive
• An important update (and apology) on our PoisonSeed blog
• Tea User Files Class Action After Women’s Safety App Exposes Data
• A Second Tea Breach Reveals Users’ DMs About Abortions and Cheating
• Top Lawyer for National Security Agency Is Fired
• From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944
• VMware prevents some perpetual license holders from downloading patches
• Pro-Ukrainian hackers take credit for attack that snarls Russian flight travel - Ars Technica
• КИБЕРУДАР ПО АЭРОФЛОТУ РФ!v
• Treasury sanctions North Koreans involved in IT-worker schemes | Cybersecurity Dive
• Minnesota governor activates National Guard amid St. Paul cyberattack | StateScoop
• Outage was result of cyberattack, Post Luxembourg says
• Clorox files $380 million suit blaming Cognizant for 2023 cyberattack | Cybersecurity Dive
• Cisco network access security platform vulnerabilities under active exploitation | CyberScoop
• Arizona woman sentenced to 8.5 years for running North Korean laptop farm | The Record from Recorded Future News
• Cybercrime forum Leak Zone publicly exposed its users' IP addresses | TechCrunch

• Microsoft tried to make outsourcing the Pentagon’s cloud maintenance to China okay (it was not)
• She shells Sharepoint by the sea-shore (by ‘she’ we mean ‘China’)
• Four (alleged) Scattered Spider members arrested (and bailed) in the UK
• Hackers spend $2700 to buy creds for a Brazilian payment system, steal $100M
• Fortinet has SQLI in the auth header, Citrix mem leak is weaponised, HP hardcodes creds and Sonicwalls get user-moderootkits. Just security vendor things!

This week’s episode is sponsored by Airlock Digital. CEO David Cottingham talks through what it takes to build a mature, resilient management platform for a security critical system.

This episode is also available on Youtube.

Show notes

• Update on DOD’s cloud services
• Microsoft to stop using engineers in China for tech support of US military, Hegseth orders review
• A Little-Known Microsoft Program Could Expose the Defense Department to Chinese Hackers
• While DOD policy bans unauthorized apps like TikTok from being on employees phones over national security risks
• Microsoft Fix Targets Attacks on SharePoint Zero-Day – Krebs on Security
• National Guard was hacked by China's 'Salt Typhoon' group, DHS says
• Suspected contractor for China’s Hafnium group arrested in in Italy | Cybersecurity Dive
• Singapore accuses Chinese state-backed hackers of attacking critical infrastructure networks | The Record from Recorded Future News
• UK Arrests Four in ‘Scattered Spider’ Ransom Group – Krebs on Security
• Four people bailed after arrests over cyber attacks on M&S, Co-op and Harrods
• Brazilian police arrest IT worker over $100 million cyber theft | The Record from Recorded Future News
• At Least 750 US Hospitals Faced Disruptions During Last Year’s CrowdStrike Outage, Study Finds | WIRED
• Hacker returns cryptocurrency stolen from GMX exchange after $5 million bounty payment | The Record
• Indian crypto exchange CoinDCX says $44 million stolen from reserves | The Record
• Chainalysis: $2.17 billion in crypto stolen in first half of 2025, driven by North Korean hacks | The Record
• PoisonSeed bypassing FIDO keys to ‘fetch’ user accounts
• Risky Bulletin: Browser extensions hijacked for web scraping botnet
• A Startup is Selling Data Hacked from Peoples’ Computers to Debt Collectors
• A surveillance vendor was caught exploiting a new SS7 attack to track people's phone locations | TechCrunch
• Ukrainian hackers wipe databases at Russia's Gazprom in major cyberattack, intelligence source says
• File transfer company CrushFTP warns of zero-day exploit seen in the wild | The Record
• HPE warns of hardcoded passwords in Aruba access points
• Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257)
• Researchers, CISA confirm active exploitation of critical Citrix Netscaler flaw | Cybersecurity Dive
• Google finds custom backdoor being installed on SonicWall network devices - Ars Technica
• Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years

Toni explains how Prowler came to be, and how its journey followed his own learning about the cloud. The pair also discuss Prowler’s successful transition from an open-source project into a community, and now a growing business with an as-a-service platform.

This episode is also available on Youtube.

Show notes

• Australian airline Qantas looks like it got a Scattered Spider-ing
• Microsoft works towards blunting the next CrowdStrike disaster
• Changes are coming for Microsoft’s default enterprise app consenting setup
• Synology downplays hardcoded passwords for its M365 cloud backup agent
• The next Citrix Netscaler memory disclosure looks nasty
• Drug cartels used technical surveillance to find, fix and finish FBI informants and witnesses

This week’s episode is sponsored by RAD Security. Co-founder Jimmy Mesta joins to talk through how they use AI automation to assess the security posture of sprawling cloud environments.

This episode is also available on Youtube.

Show notes

• Qantas hit by cyber attack, leaving 6 million customer records at risk of data breach
• Scattered Spider appears to pivot toward aviation sector | Cybersecurity Dive
• Microsoft to make Windows more resilient following 2024 IT outage | Cybersecurity Dive
• (384) The Ultimate Guide to App Consent in Microsoft Entra - YouTube
• When Backups Open Backdoors: Accessing Sensitive Cloud Data via "Synology Active Backup for Microsoft 365" / modzero
• AT&T deploys new account lock feature to counter SIM swapping | CyberScoop
• Iran-linked hackers threaten to release Trump aides' emails | Reuters
• US government warns of new Iran-linked cyber threats on critical infrastructure | Cybersecurity Dive
• Actively exploited vulnerability gives extraordinary control over server fleets - Ars Technica
• Critical vulnerability in Citrix Netscaler raises specter of exploitation wave | Cybersecurity Dive
• Identities of More Than 80 Americans Stolen for North Korean IT Worker Scams | WIRED
• Cloudflare confirms Russia restricting access to services amid free internet crackdown | The Record from Recorded Future News
• Mexican drug cartel used hacker to track FBI official, then killed potential FBI informants, government audit says | CNN Politics
• Audit of the FBI's Efforts to Mitigate the Effects of Ubiquitous Technical Surveillance - Redacted Report
• NATO members aim for spending 5% of GDP on defense, with 1.5% eligible for cyber | The Record from Recorded Future News
• US sanctions bulletproof hosting provider for supporting ransomware, infostealer operations | CyberScoop
• US, French authorities confirm arrest of BreachForums hackers | TechCrunch
• Spanish police arrest five over $542 million crypto investment scheme | The Record from Recorded Future News
• Scam compounds labeled a 'living nightmare' as Cambodian government accused of turning a blind eye | The Record from Recorded Future News

• We roll our eyes over the “16 billion credentials” leak hitting mainstream news
• Some interesting cyber angles emerge from the conflict in Iran
• Opensource maintainer of libxml2 is fed up with this hacker crap
• Shockingly, there are yet more ways to trick people into pasting commands into Windows
• Veeam “patches” its backup software RCE like it’s 2002 … by breaking the public PoC

This week’s episode is sponsored by Internet-wide honeypot reconnaissance platform, Greynoise. Founder Andrew Morris joins to talk about their journey spotting Chinese ORB-builders hacking thousands of ASUS routers, and why they’re destined for the woodchipper.

This episode is also available on Youtube.

Show notes

• No, the 16 billion credentials leak is not a new data breach
• Canadian telecom hacked by suspected China state group - Ars Technica
• Telecom giant Viasat breached by China's Salt Typhoon hackers
• WarTranslated on X: "Iran’s jamming GPS in the Strait of Hormuz, messing with ~970 ships, per Windward. UKMTO confirms the interference. Faulty AIS coordinates are screwing up navigation in the Persian Gulf. The IRGC threatens to shut the strait down in hours. https://t.co/kdMJvshOGC" / X
• Dmitri Alperovitch on X: "Chairman of the Joint Chiefs Gen. Dan Caine says @US_CYBERCOM supported this strike mission" / X
• Top Pentagon spy pick rejected by White House - POLITICO
• DHS warns of heightened cyber threat as US enters Iran conflict | Cybersecurity Dive
• Exclusive: Early US intel assessment suggests strikes on Iran did not destroy nuclear sites, sources say
• U.S. braces for Iran's response after overnight strikes on nuclear sites
• Assessing the Damage to Iran’s Nuclear Program
• Iran Hacks Tirana Municipality in Retaliation Over MEK - Tirana Times
• Iran's government says it shut down internet to protect against cyberattacks | TechCrunch
• Aflac discloses cyber intrusion linked to wider crime spree targeting insurance industry | Cybersecurity Dive
• Tonga Ministry of Health hit with cyberattack affecting website, IT systems | The Record from Recorded Future News
• Alleged Ryuk ransomware gang member arrested in Ukraine and extradited to US | The Record from Recorded Future News
• Russia releases REvil members after convictions for payment card fraud | The Record from Recorded Future News
• OneLogin, Many Issues: How I Pivoted from a Trial Tenant to Compromising Customer Signing Keys - SpecterOps
• Triaging security issues reported by third parties (#913) · Issue · GNOME/libxml2
• README: Set expectations straight (35d04a08) · Commits · GNOME / libxml2 · GitLab
• What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia | Google Cloud Blog
• FileFix - A ClickFix Alternative | mr.d0x
• Address bar shows hp.com. Browser displays scammers’ malicious text anyway. - Ars Technica
• Researchers urge vigilance as Veeam releases patch to address critical flaw | Cybersecurity Dive
• ASUSpicious Flaw - Millions of Users’ Information Exposed Since 2022 | MrBruh's Epic Blog
• Perth dad who created ‘evil twin’ Wi-Fi did so to access pictures of women
• GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers

• Israeli “hacktivists” take out an Iranian state-owned bank
• Scattered-spider and friends pivot into attacking insurers
• Securing identities in a cloud-first world keeps us awake at night
• Microsoft takes the “aas” out of SaaS for Europe, leaving us with just software!
• An AI prompt injection into M365 exfils corporate data

This week’s episode is sponsored by Kroll’s Cyber practice. Kroll Cyber Associate Managing Director George Glass is based in London and talks through his experiences helping organisations in the UK deal with the Scattered Spider attacks.

This episode is also available on Youtube.

Show notes

• Iran’s Bank Sepah disrupted by cyberattack claimed by pro-Israel hacktivist group | CyberScoop
• Iran orders officials to ditch connected devices
• Heightened Cyberthreat Amidst Israel-Iran Conflict
• Threat group linked to UK, US retail attacks now targeting insurance industry | Cybersecurity Dive
• Coming to Apple OSes: A seamless, secure way to import and export passkeys - Ars Technica
• Cyberattack on Washington Post Compromises Email Accounts of Journalists
• Hackers impersonating US government compromise email account of prominent Russia researcher | The Record from Recorded Future News
• A good one to talk to Chris about:
• Breaking down ‘EchoLeak’, the First Zero-Click AI Vulnerability Enabling Data Exfiltration from Microsoft 365 Copilot
• CISA warns of supply chain risks as ransomware attacks exploit SimpleHelp flaws | Cybersecurity Dive
• Whole Foods supplier making progress on restoration after cyberattack left shelves empty | The Record from Recorded Future News
• Ransomware attack on ticketing platform upends South Korean entertainment industry | The Record from Recorded Future News
• Advisory: Cybersecurity incident

The debate about whether AI agents are going to wind up in the SOC is over, they’ve already arrived. But what are they good for? What are they NOT good for? And where else will we see AI popping up in security?

This episode is also available on Youtube.

Show notes

• New York Times gets a little stolen Russian FSB data as a treat
• iVerify spots possible evidence of iOS exploitation against the Harris-Walz campaign
• Researcher figures out a trick to get Google account holders’ full names and phone numbers
• Major US food distributor gets ransomwared
• The Com’s social engineering of Salesforce app authorisations is a harbinger of our future problems
• Australian Navy forgets New Zealand has computers, zaps Kiwis with their giant radar.

This week’s episode is sponsored by identity provider Okta. Long-time friend of the show Alex Tilley is Okta’s Global Threat Research Coordinator, and he joins to discuss how organisations can use both human and technical signals to spot North Koreans in their midst.

This episode is also available on Youtube.

Show notes

• How The Times Obtained Secret Russian Intelligence Documents - The New York Times
• Ukraine's military intelligence claims cyberattack on Russian strategic bomber maker | The Record from Recorded Future News
• Harris-Walz campaign may have been targeted by iPhone hackers, cybersecurity firm says
• iVerify Uncovers Evidence of Zero-Click Mobile Exploitation in the U.S.
• Spyware maker cuts ties with Italy after government refused audit into hack of journalist’s phone | The Record from Recorded Future News
• Italian lawmakers say Italy used spyware to target phones of immigration activists, but not against journalist | TechCrunch
• Android chipmaker Qualcomm fixes three zero-days exploited by hackers | TechCrunch
• Cellebrite to acquire mobile testing firm Corellium in $200 million deal | CyberScoop
• Apple Gave Governments Data on Thousands of Push Notifications
• A Researcher Figured Out How to Reveal Any Phone Number Linked to a Google Account
• Bruteforcing the phone number of any Google user
• Acreed infostealer poised to replace Lumma after global crackdown | The Record from Recorded Future News
• BidenCash darknet forum taken down by US, Dutch law enforcement | The Record from Recorded Future News
• NHS calls for 1 million blood donors as UK stocks remain low following cyberattack | The Record from Recorded Future News
• Major food wholesaler says cyberattack impacting distribution systems | The Record from Recorded Future News
• Kettering Health confirms attack by Interlock ransomware group as health record system is restored | The Record from Recorded Future News
• Hackers abuse malicious version of Salesforce tool for data theft, extortion | Cybersecurity Dive
• shubs on X: "IP whitelisting is fundamentally broken. At @assetnote, we've successfully bypassed network controls by routing traffic through a specific location (cloud provider, geo-location). Today, we're releasing Newtowner, to help test for this issue: https://t.co/X3dkMz9gwK" / X
• Ross Ulbricht Got a $31 Million Donation From a Dark Web Dealer, Crypto Tracers Suspect | WIRED
• Australian navy ship causes radio and internet outages to parts of New Zealand

• Cyber firms agree to deconflict and cross-reference hacker group names
• Russian nuclear facility blueprints gathered from public procurement websites
• Someone audio deepfaked the White House Chief of Staff, but for the dumbest reasons
• Germany identifies the Trickbot kingpin
• Google spots China’s MSS using Calendar events for malware C2
• Meta apps abuse localhost listeners to track web sessions.

This week’s episode is sponsored by automation vendor Tines. Its Field CISO, Matt Muller, joins the show to discuss an open letter penned by JP Morgan Chase’s CISO that pleads with Software as a Service suppliers to try to suck less at security.

This episode is also available on Youtube.

Show notes

• 'Forest Blizzard' vs 'Fancy Bear' - cyber companies hope to untangle weird hacker nicknames | Reuters
• Ukraine's Massive Drone Attack Was Powered by Open Source Software
• Massive security breach: Russian nuclear facilities exposed online
• How a Spyware App Compromised Assad’s Army - New Lines Magazine
• Exclusive | Federal Authorities Probe Effort to Impersonate White House Chief of Staff Susie Wiles - WSJ
• Malaysian home minister’s WhatsApp hacked, used to scam contacts | The Record from Recorded Future News
• U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams – Krebs on Security
• Top counter antivirus service disrupted in global takedown | CyberScoop
• Cops in Germany Claim They’ve ID’d the Mysterious Trickbot Ransomware Kingpin | WIRED
• Australian ransomware victims now must tell the government if they pay up | The Record from Recorded Future News
• Google: China-backed hackers hiding malware in calendar events | Cybersecurity Dive
• Coinbase breach linked to customer data leak in India, sources say | Reuters
• US military IT specialist arrested for allegedly trying to leak secrets to foreign government | The Record from Recorded Future News
• NSO appeals WhatsApp decision, says it can’t pay $168 million in ‘unlawful’ damages | The Record from Recorded Future News
• ConnectWise says nation-state attack targeted multiple ScreenConnect customers | The Record from Recorded Future News
• Google Online Security Blog: Sustaining Digital Certificate Security - Upcoming Changes to the Chrome Root Store
• Meta and Yandex are de-anonymizing Android users’ web browsing identifiers - Ars Technica
• An Open Letter to Third-Party Suppliers

• EXCLUSIVE: A Scattered Spider-style crew is hijacking DNS MX entries and compromising enterprises within minutes
• The SVG format brings the all horrors of HTML+JS to image files, and attackers have noticed
• Brian Krebs eats a 6.3Tbps DDoS … ‘cause that’s how you demo your packet cannon
• Law enforcement takes out Lumma Stealer, Qakbot, Danabot and some dark web drug traffickers
• Iranian behind 2019 Baltimore ransomware mysteriously appears in North Carolina and pleads guilty
• CISA’s leadership is fleeing in droves, even though the US needs them more than ever.

This week’s episode is sponsored by Thinkst Canary. Long time friend of the show Haroon Meer joins and talks through where he feels the industry is at, having just returned home from the AI-fueled hype at this year’s RSA conference.

This episode is also available on Youtube.

Show notes

• China-linked ‘Silk Typhoon’ hackers accessed Commvault cloud environments, person familiar says - Nextgov/FCW
• Risky Bulletin: SVG use for phishing explodes in 2025 - Risky Business Media
• KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS – Krebs on Security
• Midwestern telco Cellcom confirms cyber incident after days of service outages | The Record from Recorded Future News
• Microsoft leads international takedown of Lumma Stealer | Cybersecurity Dive
• Who said what? on X: "Message from the administrator of Lumma Stealer on the forums about the recent events🕊️👀 https://t.co/MOjCSMMErK" / X
• Ransomware hackers charged, infrastructure dismantled in international law enforcement operation | The Record from Recorded Future News
• Oops: DanaBot Malware Devs Infected Their Own PCs – Krebs on Security
• DOJ charges man allegedly behind Qakbot malware | The Record from Recorded Future News
• US, Europol arrest 270 dark web drug traffickers in Operation RapTor | The Record from Recorded Future News
• Iranian pleads guilty to launching Baltimore ransomware attack, faces 30 years behind bars | The Record from Recorded Future News
• Decentralized crypto platform Cetus hit with $223 million hack | The Record from Recorded Future News
• Nearly 70,000 impacted by Coinbase breach involving $20 million ransom demand | The Record from Recorded Future News
• USA: Crypto investor charged with kidnapping, torturing man in an NYC apartment
• Vietnam orders ban on Telegram messaging app over security concerns | The Record from Recorded Future News
• Exclusive: Hacker who breached communications app used by Trump aide stole data from across US government | Reuters
• CISA loses nearly all top officials as purge continues | Cybersecurity Dive
• White House dismisses scores of National Security Council staff - The Washington Post

• TeleMessage memory dumps show up on DDoSecrets
• Coinbase contractor bribed to hand over user data
• Telegram does seem to be actually cooperating with law enforcement
• Britain’s legal aid service gets 15 years worth of applicant data stolen
• Shocking no one, Ivanti were weaseling when they blamed latest bugs on a third party library

This week’s episode is sponsored by Prowler, who make an open source cloud security tool. Founder and original project developer Toni de la Fuente joins to talk through the flexibility that open tooling brings. Prowler is also adding support for SaaS platforms like M365, and of course, an AI assistant to help you write checks!

This episode is also available on Youtube.

Show notes

• TeleMessage - Distributed Denial of Secrets
• How the Signal Knockoff App TeleMessage Got Hacked in 20 Minutes | WIRED
• Coinbase says thieves stole user data and tried to extort $20M
• Hack could cost Coinbase up to $400M: filing | Cybersecurity Dive
• Severed Fingers and ‘Wrench Attacks’ Rattle the Crypto Elite
• Money Stuff: US Debt Rates Itself | NewsletterHunt
• 2 massive black market services blocked by Telegram, messaging app says | Reuters
• Telegram Gave Authorities Data on More than 20,000 Users
• GovDelivery, an email alert system used by governments, abused to send scam messages | TechCrunch
• ATO warning as hackers steal $14,000 in tax returns: ‘Be wary’
• Hack of SEC social media account earns 14-month prison sentence for Alabama man | The Record from Recorded Future News
• 19-year-old accused of largest child data breach in U.S. agrees to plead guilty
• Beach mansion, Benz and Bitcoin worth $4.5m seized from League of Legends hacker Shane Stephen Duffy | 7NEWS
• Pegasus spyware maker rebuffed in efforts to get off trade blacklist - The Washington Post
• Ransomware attack hits supplier of refrigerated groceries to British supermarkets | The Record from Recorded Future News
• UK government confirms massive data breach following hack of Legal Aid Agency | The Record from Recorded Future News
• Ivanti Endpoint Mobile Manager customers exploited via chained vulnerabilities | Cybersecurity Dive
• Expression Payloads Meet Mayhem - Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428)

Push has built an identity security platform that collects identity information and events from your users’ browsers. It can detect phish kits and shut down phishing attempts, protect SSO credentials, and find shadow/personal account that a user has spun up.

It’s extremely difficult to bypass. That’s because when you’re in the browser it doesn’t matter how a phishing link arrives, or how a threat actor has concealed it from your detection stack – if the user sees it, Push sees it.

There are solutions for protecting your users SSO credentials, like passkeys. But what about all the SaaS in your environment? Even if it’s enrolled into your SSO, are you sure that’s how your users are authenticating to it? What about the automation platforms your developers and admins use? What about data platforms like Snowflake? Are your using setting up passkeys for those accounts? How would you know, and what problems can it cause if those accounts are vulnerable?

This is a fun one!

This episode is also available on Youtube.

Show notes

• Struggling to find that pesky passwords.xlsx in Sharepoint? Copilot has your back!
• The ransomware ecosystem is finding life a bit tough lately
• SAP Netweaver bug being used by Chinese APT crew
• Academics keep just keep finding CPU side-channel attacks
• And of course… bugs! Asus, Ivanti, Fortinet… and a Nissan LEAF?

This week’s episode is sponsored by Resourcely, who will soothe your Terraform pains. Founder and CEO Tracis McPeak joins to talk about how to get from a very red dashboard full of cloud problems to a workable future.

This episode is also available on Youtube.

Show notes

• Exploiting Copilot AI for SharePoint | Pen Test Partners
• MrBruh's Epic Blog
• Ransomware group Lockbit appears to have been hacked, analysts say | Reuters
• "CONTI LEAK: Video they tried to bury! 6+ Conti members on a private jet. TARGET’s birthday — $10M bounty on his head. Filmed by TARGET himself. Original erased — we kept a copy."
• Mysterious hackers who targeted Marks and Spencer's computer systems hint at political allegiance as they warn other tech criminals not to attack former Soviet states
• The organizational structure of ransomware groups is evolving rapidly.
• SAP NetWeaver exploitation enters second wave of threat activity
• China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures
• DOGE software engineer’s computer infected by info-stealing malware
• Hackers hijack Japanese financial accounts to conduct nearly $2 billion in trades
• FBI and Dutch police seize and shut down botnet of hacked routers
• Poland arrests four in global DDoS-for-hire takedown
• School districts hit with extortion attempts after PowerSchool breach
• EU launches vulnerability database to tackle cybersecurity threats
• Training Solo - vusec
• Branch Privilege Injection: Exploiting Branch Predictor Race Conditions – Computer Security Group
• Remote Exploitation of Nissan Leaf: Controlling Critical Body Elements from the Internet
• PSIRT | FortiGuard Labs
• EPMM Security Update | Ivanti

From North Korean IT workers to Chinese supply chain attacks, SentinelOne and its competitors are constantly fending off sophisticated hacking campaigns.

This edition of the Wide World of Cyber was recorded in front of a live audience in San Francisco, with Patrick attending via Zoom.

The Wide World of Cyber podcast series is a wholly sponsored co-production between SentinelOne and Risky Business Media.

This episode is also available on Youtube.

Show notes

• White House’s off-brand Israeli Signal fork logs cleartext messages with hard coded creds while getting hacked (twice). Just … Wow.
• Ransomware attacks on UK retailers are linked, and Marks & Spencer has it extra bad
• After six years dormant, a Magento eCommerce platform backdoor comes to life
• The North Korean IT worker scam is truly webscale
• NSO group owes Meta $168m for hacking WhatsApp

This week’s episode is sponsored by vulnerability management wranglers, Nucleus Security. Aaron Unterberger joins to talk through the complexities of tracking vulnerabilities in cloud components - left to the source, right to the deployments, and …sideways into the sidecars?

This week’s show also features an excerpt from Pat’s interview with Senator Mark Warner - Scoot back one in your podcast feed to check out the full chat, or find it on Youtube.

This episode is available on Youtube too.

Show notes

• Mike Waltz Accidentally Reveals Obscure App the Government Is Using to Archive Signal Messages
• Despite misleading marketing, Israeli company TeleMessage, used by Trump officials, can access plaintext chat logs
• The Signal Clone the Trump Admin Uses Was Hacked
• App used by Mike Waltz suspends services after hacking claims
• Senator Demands Investigation into Trump Admin Signal Clone After 404 Media Investigation
• MG on X: "Looks like TeleMessage was probably procured and rolled out under Biden. There are public records for it. https://t.co/XCuZpi8PL3" / X
• Harrods becomes latest retailer to announce attempted cyberattack | The Record from Recorded Future News
• Co-op DragonForce cyber attack includes customer data, firm admits
• Co-op cyber attack: Staff told to keep cameras on in meetings
• Hundreds of e-commerce sites hacked in supply-chain attack - Ars Technica
• Microsoft’s new “passwordless by default” is great but comes at a cost - Ars Technica
• Windows RDP lets you log in using revoked passwords. Microsoft is OK with that. - Ars Technica
• North Korean operatives have infiltrated hundreds of Fortune 500 companies | CyberScoop
• US wants to cut off key player in Southeast Asian cybercrime industry | The Record from Recorded Future News
• Myanmar militia leader sanctioned by US over cyber scam connections | The Record from Recorded Future News
• Trump proposes major cut to CISA’s budget, citing false ‘censorship’ claims | Cybersecurity Dive
• NSA to cut up to 2,000 civilian roles as part of intel community downsizing | The Record from Recorded Future News
• NSO Group owes $168M in damages to WhatsApp over spyware infections, jury says | CyberScoop

• The latest developments in the Signalgate scandal
• Why America needs to be more aggressive in responding to Volt Typhoon
• How tariffs are affecting American alliances
• Why the Five Eyes alliance is sacrosanct

This episode is available on Youtube

Show notes

• British retail stalwart Marks & Spencer gets cybered
• South Korean telco sets out to replace all its subscriber SIMs after (we assume) it lost the keymat
• It’s a good exploit week! Bugs in Apple Airplay, SAP webservers, Erlang SSH and CommVault backups
• Juice jacking! No, really! Some researchers actually did it (so still not in the wild, then)
• Anti-DOGE whistleblower sure sounds like he has a point

This week’s episode is sponsored by Knocknoc, who let you glue your firewalls to your single sign on. Knocknoc’s CEO Adam Pointon talks about the joy that having end-to-end IPv6 would bring for zero-trust access control. He also touches on people using Knocknoc inside their network to isolate critical systems.

Editors Note : Pat also gives Adam (Boileau) stick in the sponsor interview about the Risky Biz webserver not having IPv6 enabled, which fact-checking during the edit says is FAKE NEWS. Just uh, don’t look at how fresh that AAAA record in the DNS is, friends 😉

This episode is also available on Youtube.

Show notes

• British retailer M&S confirms being hit by ‘cyber incident’ amid store delays | The Record from Recorded Future News
• M&S cyber-attack linked to hacking group Scattered Spider | Marks & Spencer | The Guardian
• Bina Puri shares, Warrant B close sharply lower day after hacking
• Bina Puri, Pos Malaysia tumble following hacking incident | FMT
• Japan warns of hundreds of millions of dollars in unauthorized trades from hacked accounts | The Record from Recorded Future News
• US conducts cyberattacks against major Chinese commercial encryption provider: report - Global Times
• Iran says major cyberattack on infrastructure repelled | Iran International
• Spain rules out cyber attack - but what could have caused power cut?
• South Korea's SK Telecom begins SIM card replacement after data breach
• AirBorne: Wormable Zero-Click RCE in Apple AirPlay Puts Billions of Devices at Risk | Oligo Security | Oligo Security
• iOS and Android juice jacking defenses have been trivial to bypass for years - Ars Technica
• How Android 16's new security mode will stop USB-based attacks - Android Authority
• Researchers warn of critical flaw found in Erlang OTP SSH | Cybersecurity Dive
• Critical vulnerability in SAP NetWeaver under threat of active exploitation | Cybersecurity Dive
• CVE-2025-31324: Critical SAP Flaw Explained | Strobes
• Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028)
• Risky Bulletin: NFC card malware keeps evolving in Russia, a bad omen for the future - Risky Business Media
• Hegseth had unsecured internet line in Pentagon for Signal, sources say | AP News
• Whistleblower: DOGE Siphoned NLRB Case Data – Krebs on Security
• 2025_0414_Berulis-Disclosure-with-Exhibits.s.pdf
• CISA gets a deputy director as it braces for major layoffs | Cybersecurity Dive
• Two top cyber officials resign from CISA | The Record from Recorded Future News
• Ex-CISA chief Chris Krebs leaving SentinelOne following Trump pressure | Reuters
• Former cyber official targeted by Trump speaks out after cuts to digital defense
• Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries | SentinelOne
• ZachXBT on X: "Nine hours ago a suspicious transfer was made from a potential victim for 3520 BTC ($330.7M)"

• LimaCharlie: A public cloud for SecOps
• Honeywell Cyber Insights: An OT security/discovery solution
• Fortra’s CobaltStrike and Outflank: Security tooling for red teamers

This episode is also available on Youtube.

Show notes

• Pangea: Guardrails and security for AI agents and applications (https://pangea.cloud)

Worried about your AI apps going rogue, being mean to your customers or even disclosing sensitive information? Pangea exists to address these risks. Fascinating stuff.

• Cosive: A threat intelligence company that can host your MISP server in AWS. CloudMISP! (https://www.cosive.com/snakeoilers)

Are you running a MISP server on some old hardware under a desk in your SOC? There’s a better way! Cosive can run it for you on AWS so you can just use it instead of wrestling with maintaining it. They also do some CTI consulting to help you get better use out of MISP.

• Sysdig: A Linux runtime security platform (https://sysdig.com/)

The modern Windows network is an all-singing, all-dancing, perfectly orchestrated, EDR-protected ballet. The modern Linux production environment… isn’t. Find out how Sysdig can help you get some visibility and control over your Linux fleet.

This episode is also available on Youtube.

Show notes

They also talk through the week’s cybersecurity news, covering:

• Mitre’s stewardship of the CVE database gets its funding DOGE’d
• The US signs on to the Pall Mall anti-spyware agreement
• China tries to play the nationstate cyber-attribution game, but comedically badly
• Hackers run their malware inside the Windows sandbox, for security against EDR

This week’s episode is sponsored by open source identity provider Authentik. CEO Fletcher Heisler joins to talk through the increasing sprawl of the identity ecosystem.

This episode is also available on Youtube.

Show notes

• Cybersecurity industry falls silent as Trump turns ire on SentinelOne | Reuters
• U.S. cyber defenders shaken by Trump's attack on their former boss
• Trump Revenge Tour Targets Cyber Leaders, Elections – Krebs on Security
• Wyden to block Trump's CISA nominee until agency releases report on telecoms’ ‘negligent cybersecurity’ | The Record from Recorded Future News
• Gabbard sets up DOGE-style team to cut costs, uncover intel ‘weaponization’
• MITRE Warns CVE Program Faces Disruption Amid US Funding Uncertainty
• US to sign Pall Mall pact aimed at countering spyware abuses | The Record from Recorded Future News
• Court document reveals locations of WhatsApp victims targeted by NSO spyware | TechCrunch
• Spyware Maker NSO Group Is Paving a Path Back Into Trump’s America | WIRED
• NCSC shares technical details of spyware targeting Uyghur, Tibetan and Taiwanese groups | The Record from Recorded Future News
• Risky Bulletin: Chinese APT abuses Windows Sandbox to go invisible on infected hosts
• China escalates cyber fight with U.S., names alleged NSA hackers
• Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs - Ars Technica
• China-based SMS Phishing Triad Pivots to Banks – Krebs on Security
• Risky Bulletin: CA/B Forum approves 47-days TLS certs
• Ransomware in het mkb: Cybercriminelen verhogen losgeld bij cyberverzekering
• 4chan Is Down Following What Looks to Be a Major Hack Spurred By Meme War

This episode is also available on Youtube.

Show notes

• Oracle quietly cops to being hacked, but immediately pivots into pretending it didn’t matter
• NSA and CyberCom leaders fired for not being MAGA enough
• US Treasury had some dusty corners it hadn’t found China in yet, looked, found China in them
• …which is a great time to discuss slashing CISA’s staffing
• Ransomware crews and bullet proof hosting providers are getting rekt, and we love it
• And Microsoft patches yet another logging 0-day being used in the wild.

This episode is sponsored by Yubico, makers of Yubikey hardware authentication tokens. Yubico’s Vice President of Solutions Architecture and Alliances Derek Hanson joins to discuss how the consumer-centric passkey ecosystem has become a real challenge for enterprises. One that Yubico is actually ideally positioned to solve.

This episode is also available on Youtube.

Show notes

• Oracle privately confirms Cloud breach to customers
• Oracle have finally issued a written notification to customers about their cybersecurity incident.
• Head of NSA and US Cyber Command reportedly fired | Cybersecurity Dive
• Trump fires numerous National Security Council staff - The Washington Post
• Trump administration under scrutiny as it puts major round of CISA cuts on the table | Cybersecurity Dive
• Hackers Spied on US Bank Regulators’ Emails for Over a Year - Bloomberg
• This is how Jeffrey Goldberg got added to the Signal chat
• Cybercriminals are trying to loot Australian pension accounts in new campaign | The Record from Recorded Future News
• $500,000 stolen in Australian super fund data breach | Superannuation | The Guardian
• Australian regulator pulls licenses of 95 companies in effort to crack down on investment scams | The Record from Recorded Future News
• Everest ransomware group’s darknet site offline following defacement | The Record from Recorded Future News
• On March 28, 2025, a threat actor leaked internal data from Medialand, a major bulletproof hosting (BPH) provider long linked to Yalishanda (LARVA-34).
• There's a ransomware group named DragonForce going around hacking its rivals. After Mamona and BlackLock, the group has now hacked RansomHub
• The DragonForce ransomware group hacked two rivals this month
• CISA, experts warn of Crush file transfer attacks as ransomware gang makes threats | The Record from Recorded Future News
• Kill Security Campaign Targets CrushFTP Servers
• National Vulnerability Database | NIST
• Microsoft patches zero-day actively exploited in string of ransomware attacks | CyberScoop
• Exploitation of CLFS zero-day leads to ransomware activity | Microsoft Security Blog
• Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457)

• Yes, Oracle Health and Oracle Cloud did get hacked
• The fallout from Signalgate continues
• North Korean IT workers pivot to Europe
• Honeypot data suggests a storm is brewing for Palo Alto VPNs
• Canadian Anon gets arrested for hacking Texas GOP

This week’s episode is sponsored by Trail of Bits. Tjaden Hess, a Principal Security Engineer at Trail of Bits who specialises in cryptography, joins the show this week to talk about what a responsible crypto-currency exchange cold wallet setup looks like, and … contrasts that with Bybit.

This episode is also available on Youtube.

Show notes

• Oracle Health breach compromises patient data at US hospitals
• FBI probes Oracle hack tied to healthcare extortion: Report - Becker's Hospital Review | Healthcare News & Analysis
• Oracle Still Denies Breach as Researchers Persist
• Hacker linked to Oracle Cloud intrusion threatens to sell stolen data | Cybersecurity Dive
• Publius on X: "🚨 SIGNAL SCANDAL: Katherine Maher, the leftist NPR CEO, is currently the Chair of the Board of Signal! WHAT ARE THE ODDS? https://t.co/jWNTeAt3Jz" / X
• Mike Waltz Is Losing Support Inside the White House - WSJ
• Waltz and staff used Gmail for government communications, officials say - The Washington Post
• Pete Hegseth, Mike Waltz, Tulsi Gabbard: Private Data and Passwords of Senior U.S. Security Officials Found Online - DER SPIEGEL
• Even More Venmo Accounts Tied to Trump Officials in Signal Group Chat Left Data Public | WIRED
• You Need to Use Signal's Nickname Feature
• SignalGate Is Driving the Most US Downloads of Signal Ever | WIRED
• Wickr - Wikipedia
• When Getting Phished Puts You in Mortal Danger – Krebs on Security
• DPRK IT Workers Expanding in Scope and Scale | Google Cloud Blog
• How the FBI Tracked, and Froze, Millions Sent to Criminals in Massive Caesars Casino Hack
• Defense contractor to pay $4.6 million over third-party provider’s security weakness | The Record from Recorded Future News
• Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats
• CISA warns new malware targeting Ivanti zero-day vulnerability | Cybersecurity Dive
• Canadian hacker arrested for allegedly stealing data from Texas Republican Party | The Record from Recorded Future News
• British intel intern pleads guilty to smuggling top secret data out of protected facility | The Record from Recorded Future News

Do your Palo Alto and Fortinet devices really need to be discoverable by ransomware crews? Does your file transfer appliance need to be open to the whole world? What about your SSH and RDP? Your Citrix? Your (gasp) Exchange Online servers??

You can do a lot with IP allowlisting and simple Identity Aware Proxies (IAPs) to minimise your exposure.

Knocknoc is a bit of a “Risky Business special”, too. Pat helped Knocknoc to raise a seed round through Decibel Partners where he’s a founder advisor. He also serves on Knocknoc’s board of directors.

This episode is also available on Youtube.

Show notes

• Yes, the Trump admin really did just add a journo to their Yemen-attack-planning Signal group
• The Github actions hack is smaller than we thought, but was targeting crypto
• Remote code exec in Kubernetes, ouch
• Oracle denies its cloud got owned, but that sure does look like customer keymat
• Taiwanese hardware maker Clevo packs its private keys into bios update zip
• US Treasury un-sanctions Tornado Cash, party time in Pyongyang?

This week’s episode is sponsored by runZero. Long time hackerman HD Moore joins to talk about how network vulnerability scanning has atrophied, and what he’s doing to bring it back en vogue. Do you miss early 2000s Nessus? HD knows it, he’s got you fam.

This episode is also available on Youtube.

Show notes

• The Trump Administration Accidentally Texted Me Its War Plans - The Atlantic
• Using Starlink Wi-Fi in the White House Is a Slippery Slope for US Federal IT | WIRED
• Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories' CI/CD Secrets Exposed
• GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment (Updated 3/21)
• Critical vulnerabilities put Kubernetes environments in jeopardy | Cybersecurity Dive
• Researchers back claim of Oracle Cloud breach despite company’s denials | Cybersecurity Dive
• The Biggest Supply Chain Hack Of 2025: 6M Records Exfiltrated from Oracle Cloud affecting over 140k Tenants | CloudSEK
• Capital One hacker Paige Thompson got too light a sentence, appeals court rules | CyberScoop
• US scraps sanctions on Tornado Cash, crypto ‘mixer’ accused of laundering North Korea money | Reuters
• Tornado Cash Delisting | U.S. Department of the Treasury
• Major web services go dark in Russia amid reported Cloudflare block | The Record from Recorded Future News
• Clevo Boot Guard Keys Leaked in Update Package
• Six additional countries identified as suspected Paragon spyware customers | CyberScoop
• The Citizen Lab’s director dissects spyware and the ‘proliferating’ market for it | The Record from Recorded Future News
• Malaysia PM says country rejected $10 million ransom demand after airport outages | The Record from Recorded Future News
• Hacker defaces NYU website, exposing admissions data on 1 million students | The Record from Recorded Future News
• Notre Dame uni students say outage creating enrolment, graduation, assignment mayhem - ABC News
• DNA of 15 Million People for Sale in 23andMe Bankruptcy

• Github Actions supply chain attack loots keys and secrets from 23k projects
• Why a VC fund now owns a minority stake in Risky Business Media (!?!?)
• China doxes Taiwanese military hackers
• Microsoft thinks .lnk file whitespace trick isn’t worth patching but APTs sure love it
• CISA delivers government efficiency by re-hiring fired staff… to put them on paid leave
• …and Google acquires Wiz for $32bn

This week’s show is sponsored by Zero Networks, and they have sent along a happy customer to talk about their experience. Aaron Steinke is Head of Infrastructure at La Trobe Financial, an asset management firm in Australia. Aaron talks through bringing modern zero-trust goodness to the reality of a technology environment that’s been around 40 years.

This episode is also available on Youtube.

Show notes

• Risky Bulletin: GitHub supply chain attack prints everyone's secrets in build logs - Risky Business Media
• China says Taiwan's military is behind PoisonIvy APT
• China identifies Taiwanese hackers allegedly behind cyberattacks and espionage | The Record from Recorded Future News
• Crypto exchange OKX shuts down tool used by North Korean hackers to launder stolen funds | The Record from Recorded Future News
• Lazarus Group deceives developers with 6 new malicious npm packages | CyberScoop
• Poisoned Windows shortcuts found to be a favorite of Chinese, Russian, N. Korean state hackers | The Record from Recorded Future News
• 'Mora_001' ransomware gang exploiting Fortinet bug spotlighted by CISA in January | The Record from Recorded Future News
• Black Basta uses brute-forcing tool to attack edge devices | Cybersecurity Dive
• Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court | The Record from Recorded Future News
• CISA works to contact probationary employees for reinstatement after court order - Nextgov/FCW
• ‘People Are Scared’: Inside CISA as It Reels From Trump’s Purge | WIRED
• The Wiretap: CISA Staff Are Cautiously Optimistic About Trump’s Pick For Director
• White House instructs agencies to avoid firing cybersecurity staff, email says | Reuters
• Signal no longer cooperating with Ukraine on Russian cyberthreats, official says | The Record from Recorded Future News
• Telegram CEO Pavel Durov allowed to leave France amid investigation
• Appellate court upholds sentence for former Uber cyber executive Joe Sullivan | The Record from Recorded Future News
• Google buys cloud security provider Wiz for $32 billion | The Record from Recorded Future News
• Pat Gray, Founder of Risky Business, Joins Decibel as Founder Advisor - Decibel

They talk through:

• A realistic bluetooth-proximity phishing attack against Passkeys
• A very patient ransomware actor encrypts an entire enterprise with a puny linux webcam processor
• The ESP32 backdoor that is neither a door nor at the back
• The X DDoS that Elon said was Ukraine is claimed by pro-Palestinian hacktivists
• Years later, LastPass hackers are still emptying crypto-wallets
• …and it turns out North Korea nailed {Safe}Wallet with a malicious docker image. Nice!

Rob Joyce recently testified to the US House Select Committee on the Chinese Communist Party, and he explains why DOGE kicking probationary employees to the curb is “devastating” for the national security staff pipeline.

This week’s episode is sponsored by SpecterOps, makers of the BloodHound identity attack path mapping tool. Chief Product Officer Justin Kohler and Principal Security Researcher Lee Chagolla-Christensen discuss their pragmatic approach to disabling NTLM authentication in Active Directory using BloodHound’s insight.

This episode is also available on Youtube.

Show notes

• CVE-2024-9956 - PassKey Account Takeover in All Mobile Browsers | Tobia Righi - Security Researcher
• Feds Link $150M Cyberheist to 2022 LastPass Hacks – Krebs on Security
• Camera off: Akira deploys ransomware via webcam
• Tarlogic detects a hidden feature in the mass-market ESP32 chip that could infect millions of IoT devices
• Alleged Co-Founder of Garantex Arrested in India – Krebs on Security
• 37K+ VMware ESXi instances vulnerable to critical zero-day | Cybersecurity Dive
• Apple patches 0-day exploited in “extremely sophisticated attack” - Ars Technica
• What Really Happened With the DDoS Attacks That Took Down X | WIRED
• Eleven11bot estimates revised downward as researchers point to Mirai variant | Cybersecurity Dive
• Previously unidentified botnet infects unpatched TP-Link Archer home routers | The Record from Recorded Future News
• Safe.eth on X: "Investigation Updates and Community Call to Action" / X
• How to verify Safe{Wallet} transactions on a hardware wallet | Safe{Wallet} Help Center and Support.
• US charges Chinese nationals in cyberattacks on Treasury, dissidents and more | The Record from Recorded Future News
• Former top NSA cyber official: Probationary firings ‘devastating’ to cyber, national security | CyberScoop
• U.S. pauses intelligence sharing with Ukraine used to target Russian forces - The Washington Post

• Did the US decide to stop caring about Russian cyber, or not?
• Adam stans hard for North Korea’s massive ByBit crypto-theft
• Cellebrite firing Serbia is an example of the system working
• Starlink keeps scam compounds in Myanmar running
• Biggest DDoS botnet yet pushes over 6Tbps

This week’s episode is sponsored by network visibility company Corelight. Vincent Stoffer, field CTO at Corelight joins to talk through where eyes on your network can spot attackers like Salt and Volt Typhoon.

This episode is also available on Youtube.

Show notes

• Sygnia Preliminary Bybit Investigation Report
• Verichains Bybit Incident Investigation Preliminary Report
• North Koreans finish initial laundering stage after more than $1 billion stolen from Bybit | The Record from Recorded Future News
• Risky Bulletin: Trump administration stops treating Russian hackers as a threat - Risky Business
• Did Trump Admin Order U.S. Cyber Command and CISA to Stand Down on Russia? (Story updated)
• Russia to redeploy resources freed up by end of war in Ukraine, warns Finnish intelligence | The Record from Recorded Future News
• FBI urges crypto community to avoid laundering funds from Bybit hack | The Record from Recorded Future News
• Risky Bulletin: Cellebrite bans bad boy Serbia - Risky Business
• Belgium probes suspected Chinese hack of state security service | The Record from Recorded Future News
• Gabbard: UK demand to Apple for backdoor access is 'grave concern' to US | The Record from Recorded Future News
• Elon Musk’s Starlink Is Keeping Modern Slavery Compounds Online | WIRED
• U.S. Soldier Charged in AT&T Hack Searched “Can Hacking Be Treason” – Krebs on Security
• Google Password Manager finally syncs to iOS—here’s how - Ars Technica
• Gmail Security Alert: Google To Ditch SMS Codes For Billions Of Users
• Massive Iran-linked botnet launches DDoS attacks against telecom, gaming platforms | Cybersecurity Dive
• Microsoft-signed driver used in ransomware attacks | Cybersecurity Dive
• London member of ‘Com’ network convicted of making indecent images of children | The Record from Recorded Future News
• Volt Typhoon & Salt Typhoon Attackers Are Evading EDR: What Can You Do? | Corelight

• North Korea pulls off a 1.5 billion dollar crypto heist
• Apple pulls Advanced Data Protection from the UK
• Black Basta ransomware gang’s internal chats leak
• Russians snoop on Signal with QR codes
• And Myanmar ships thousands of freed scam compound workers to Thailand

Regular guest Lina Lau joins to discuss her work reading Chinese incident response reports on WeChat, and how that has people thinking that … she outed the NSA?

This week’s episode is sponsored by Airlock Digital, and allow-listing tragics Daniel Schell and David Cottingham are along with an amusing tale of using Windows’ own allow-listing software to block EDR from loading.

This episode is also available on Youtube.

Show notes

• Hackers drained $1.4 billion of cryptocurrency from Bybit exchange, CEO confirms | The Record from Recorded Future News
• CertiK - Bybit Incident Technical Analysis
• Hackers use ‘sophisticated’ macOS malware to steal cryptocurrency, Microsoft says | The Record from Recorded Future News
• EU sanctions North Korean tied to Lazarus group over involvement in Ukraine war | The Record from Recorded Future News
• Sanctions: Iranians Flock to Crypto; Int'l Actions Target Russia - Chainalysis
• Apple turns off iCloud encryption feature in UK following reported government legal order | The Record from Recorded Future News
• Swedish authorities seek backdoor to encrypted messaging apps | The Record from Recorded Future News
• Leaked chat logs expose inner workings of secretive ransomware group - Ars Technica
• Russian state hackers spy on Ukrainian military through Signal app | The Record from Recorded Future News
• Meta Sues Alleged Violent Extortionist For Holding Instagram Accounts Hostage
• Weathering the storm: In the midst of a Typhoon
• Thailand to take in 7,000 rescued from illegal cyber scam hubs in Myanmar | The Record from Recorded Future News
• Genea confirms cyber breach after ‘unauthorised third party’ accesses data | news.com.au — Australia’s leading news site
• Managed healthcare defense contractor to pay $11 million over alleged cyber failings | The Record from Recorded Future News
• Botnet looks for quiet ways to try stolen logins in Microsoft 365 environments | The Record from Recorded Future News
• Director-General's Annual Threat Assessment 2025 | ASIO
• An inside look at NSA (Equation Group) TTPs from China’s lense

From its bad transport security to its Chinese ownership and the economic implications of China “entering the chat”, everyone’s freaking out over this new model. But should they be?

Pat, Alex and Chris dissect the model’s significance, the politics of it all and how AI regulation in Europe, the US and China will shape the future of LLMs.

This episode is also available on Youtube.

Show notes

• Australian spooks scrubbed Medibank data off Zservers bulletproof hosting
• Why device code phishing is the latest trick in confusing poor users about cloud authentication
• Cloudflare gets blocked in Spain, but only on weekends and because of… football?
• Palo Alto has yet another dumb bug
• Adam gushes about Qualys’ latest OpenSSH vulns

Enterprise browser maker Island is this week’s sponsor and Chief Customer Officer Bradon Rogers joins the show to talk about how the adoption of AI everywhere is causing headaches.

This episode is also available on Youtube.

Show notes

• Five Russians went out drinking. When they got back, Australia had struck
• Dutch police say they took down 127 servers used by sanctioned hosting service | The Record from Recorded Future News
• Further cyber sanctions in response to Medibank Private cyberattack | Defence Ministers
• What is device code phishing, and why are Russian spies so successful at it? - Ars Technica
• Anyone Can Push Updates to the DOGE.gov Website
• Piracy Crisis: Cloudflare Says LaLiga Knew Dangers, Blocked IP Address Anyway (Update) * TorrentFreak
• Palo Alto Networks warns firewall vulnerability is under active exploitation | Cybersecurity Dive
• Qualys TRU Discovers Two Vulnerabilities in OpenSSH: CVE-2025-26465 & CVE-2025-26466 | Qualys Security Blog
• China’s Salt Typhoon hackers targeting Cisco devices used by telcos, universities | The Record from Recorded Future News
• RedMike Exploits Unpatched Cisco Devices in Global Telecommunications Campaign
• A Hacker Group Within Russia’s Notorious Sandworm Unit Is Breaching Western Networks | WIRED
• How Phished Data Turns into Apple & Google Wallets – Krebs on Security
• New hack uses prompt injection to corrupt Gemini’s long-term memory
• Arizona woman pleads guilty to running laptop farm for N. Korean IT workers, faces 9-year sentence | The Record from Recorded Future News
• US reportedly releases Russian cybercrime figure Alexander Vinnik in prisoner swap | The Record from Recorded Future News
• EXCLUSIVE: A Russia-linked Telegram network is inciting terrorism and is behind hate crimes in the UK – HOPE not hate
• Remembering David Jorm - fundraising for Mental Health research

The whole idea of Authentik is you can take control of an essential IT and security function: identity. Because Authentik is open source it’s extremely flexible, and if you’re running it yourself, you get to decide where your IDP should sit in your architecture. You can run it on prem if you’re an emergency call centre or you’re operating an airgapped network, or you can spin it up in your cloud environment if you’re a typical enterprise.

Fletcher talks through the reasons Authentik users are decoupling themselves from the major SaaS Identity Providers, and the flexibility that comes from being able to assemble exactly what you need.

This episode is also available on Youtube.

Show notes

• Musk’s DOGE kid has a history with The Com
• Paragon fires Italy as a spyware customer
• Thailand cuts power to scam compounds…
• … and arrests Phobos/8Base Russian cybercrims
• The CyberCX DFIR report shows non-U2F MFA is well and truly over
• And much, much more.

This week’s episode is sponsored by Dropzone.AI. They make an AI SOC analysis platform that relieves your analysts of the necessary but tedious work, so they can focus on the value of human insight. Dropzone’s founder and CEO Edward Wu joins to talk about how they approach the problem.

This episode is also available on Youtube.

Show notes

• Teen on Musk’s DOGE Team Graduated from ‘The Com’ – Krebs on Security
• ACLU Warns DOGE’s ‘Unchecked’ Access Could Violate Federal Law | WIRED
• Lawsuit accuses Trump administration of violating federal information security law | The Record from Recorded Future News
• The Recruitment Effort That Helped Build Elon Musk’s DOGE Army | WIRED
• States prepare privacy lawsuit against DOGE over access to federal data | The Record from Recorded Future News
• Union groups sue Treasury over giving DOGE access to sensitive data | The Record from Recorded Future News
• Student group sues Education Department over reported DOGE access to financial aid databases | The Record from Recorded Future News
• Hackers exploiting bug in popular Trimble Cityworks tool used by local gov’ts | The Record from Recorded Future News
• DeepSeek iOS app sends data unencrypted to ByteDance-controlled servers - Ars Technica
• DeepSeek Is a Win for Chinese Hackers - Risky Business
• Owner of spyware used in alleged WhatsApp breach ends contract with Italy | WhatsApp | The Guardian
• Another person targeted by Paragon spyware comes forward | TechCrunch
• Apple fixes security flaw allowing third-party access to locked devices | The Record from Recorded Future News
• U.S. sanctions bulletproof hosting provider for supplying LockBit infrastructure | CyberScoop
• Thailand cuts power supply to Myanmar scam hubs | The Record from Recorded Future News
• 8Base ransomware site taken down as Thai authorities arrest 4 connected to operation | The Record from Recorded Future News
• Two Russian nationals arrested in takedown of Phobos ransomware infrastructure | The Record from Recorded Future News
• The Company Man: Binance exec detained in Nigeria breaks his silence | The Record from Recorded Future News
• Deloitte pays $5M in connection with breach of Rhode Island benefits site | Cybersecurity Dive
• DFIR - Threat Report 2025 | CyberCX
• Request a Demo | Dropzone AI

• DeepSeek leaves an unauthed database on the internet
• Russia hacked UK prime minister’s personal mail
• Australia sanctions a Telegram group… which is more sensible than it sounds
• Medical device backdoor turns out to be just poorly thought out upgrade feature
• Google abuses weak hashing to patch AMD CPU microcode
• And much, much more.

This week’s episode is sponsored by email security boffins Sublime. Their co-founder and CEO Josh Kamdjou joins to talk about how attackers’ abuse of legitimate services like Docusign is a challenge for email security vendors.

This episode is also available on Youtube.

Show notes

• Exclusive: Musk aides lock workers out of OPM computer systems | Reuters
• Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History | Wiz Blog
• Криптостилер SparkCat в магазинах Google Play и App Store | Securelist
• Russian hackers suspected of compromising British PM’s personal email account | The Record from Recorded Future News
• PowerSchool hack: missed basic security step resulted in data breach
• Australia sanctions ‘Terrorgram’ white supremacist online group | The Record from Recorded Future News
• ‘Paid actors’ could be behind some antisemitic attacks, Albanese says | Australian security and counter-terrorism | The Guardian
• Interview with James Glenday, ABC News Breakfast | Australian Minister for Foreign Affairs
• WhatsApp says spyware company Paragon Solutions targeted journalists
• Spyware maker Paragon confirms US government is a customer | TechCrunch
• Former Polish justice minister arrested in sprawling spyware probe | The Record from Recorded Future News
• Sweden releases suspected ship, says cable break ‘clearly’ not sabotage | The Record from Recorded Future News
• Backdoor found in two healthcare patient monitors, linked to IP in China
• Attackers exploit zero-day vulnerability in Zyxel CPE devices | Cybersecurity Dive
• AMD: Microcode Signature Verification Vulnerability · Advisory · google/security-research · GitHub
• 22-year-old math wiz indicted for alleged DeFI hack that stole $65M - Ars Technica
• A method to assess 'forgivable' vs 'unforgivable'... - NCSC.GOV.UK
• Living Off the Land: Credential Phishing via Docusign abuse
• Living Off the Land: Callback Phishing via Docusign comment
• B2B freight-forwarding scams on the rise to evade financial fraud crackdowns
• Callback phishing via invoice abuse and distribution list relays
• Enhanced message groups: Improving efficiency in email incident response

• Sonicwall firewalls hand out remote code exec like candy
• Mastercard make a slapstick-grade mistake with their DNS
• The data breach at PowerSchool and other niche SaaS providers
• Academic research proposes taking down Europe’s power grid
• Apple CPUs get a new speculative execution side channel
• And much, much more.

This week’s episode is sponsored by Push Security, who make an identity security product that runs inside browsers. Luke Jennings joins to discuss some of the pitfalls of federated authentication, like attackers using unexpected identity providers to log in to your apps.

This episode is also available on Youtube.

Show notes

• SonicWall warns hackers targeting critical vulnerability in SMA 1000 series appliances | Cybersecurity Dive
• MasterCard DNS Error Went Unnoticed for Years – Krebs on Security
• Data breach hitting PowerSchool looks very, very bad - Ars Technica
• OpenAI rival DeepSeek limits registration after ‘large-scale malicious attacks’ | The Record from Recorded Future News
• Hackers imitate Kremlin-linked group to target Russian entities | The Record from Recorded Future News
• UK to examine undersea cable vulnerability as Russian spy ship spotted in British waters | The Record from Recorded Future News
• Questions grow over whether Baltic Sea cable damage was sabotage or accidental | The Record from Recorded Future News
• Researchers say new attack could take down the European power grid - Ars Technica
• At least $69 million stolen from crypto platform Phemex in suspected cyberattack | The Record from Recorded Future News
• BreachForums admin to be resentenced after appeals court slams supervised release | The Record from Recorded Future News
• Apple chips can be hacked to leak secrets from Gmail, iCloud, and more - Ars Technica
• Apple fixes zero-day flaw affecting all devices | TechCrunch
• I’m Lovin’ It: Exploiting McDonald’s APIs to hijack deliveries and order food for a penny
• Government websites vanish under Trump, from the Constitution to DEI
• Trail of Bits: Director, Technical Marketing
• Push Security: Security Researcher (remote in the USA)
• A new class of phishing: Verification phishing and cross-IdP impersonation

• The incoming Trump administration guts the CSRB
• Biden’s last cyber Executive Order has sensible things in it
• China’s breach of the US Treasury gets our reluctant admiration
• Ross Ulbricht - the Dread Pirate Roberts of Silk Road fame - gets his Trump pardon
• New year, same shameful comedy Forti- and Ivanti- bugs
• US soldier behind the Snowflake hacks faces charges after a solid Krebs-ing
• And much, much (much! after a month off) more.

This week’s episode is sponsored by Sandfly Security, who make a Linux EDR solution. Founder Craig Rowland joins to talk about how the Linux ecosystem struggles with its lack of standardised approaches to detection and response. If you’ve got a telco full of unix, and people are asking how much Salt Typhoon you’ve got in there… Sandfly’s tools are probably what you’re looking for.

If you like your Business like us… - Risky - then we’re hiring! We’re looking for someone to help with audio and video production for our work, manage our socials, and if you’re also into the Cybers… even better. Position is remote, with a preference for timezones amenable to Australia/NZ. Drop us a line: editorial at risky.biz.

This episode is also available on Youtube.

Show notes

• POLITICO Pro | Article | Acting DHS chief ousts CSRB experts, other department advisers
• Treasury’s sanctions office hacked by Chinese government, officials say
• Strengthening America’s Resilience Against the PRC Cyber Threats | CISA
• AT&T, Verizon say they evicted Salt Typhoon from their networks
• Risky Bulletin: Looking at Biden's last cyber executive order - Risky Business
• Internet-connected devices can now have a label that rates their security | Reuters
• US sanctions prominent Chinese cyber company for role in Flax Typhoon attacks
• FCC ‘rip and replace’ provision for Chinese tech tops cyber provisions in defense bill
• CIA nominee tells Senate he, too, wants to go on cyber offense | CyberScoop
• Trump tells Justice Department not to enforce TikTok ban for 75 days
• Judge rules NSO Group is liable for spyware hacks targeting 1,400 WhatsApp user devices | The Record from Recorded Future News
• Unpacking WhatsApp’s Legal Triumph Over NSO Group | Lawfare
• Time to check if you ran any of these 33 malicious Chrome extensions
• Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls - Arctic Wolf
• Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware
• Researchers warn of active exploitation of critical Apache Struts 2 flaw
• DOJ deletes China-linked PlugX malware off more than 4,200 US computers
• Russian internet provider confirms its network was ‘destroyed’ following attack claimed by Ukrainian hackers | The Record from Recorded Future News
• Ukraine restores state registers after suspected Russian cyberattack | The Record from Recorded Future News
• Hackers claim to breach Russian state agency managing property, land records | The Record from Recorded Future News
• U.S. Army Soldier Arrested in AT&T, Verizon Extortions – Krebs on Security

This is largely a conversation about compliance, but it’s actually interesting and fun. These are words we never thought we’d type!

You can find Island at https://island.io/

This episode is also available on Youtube.

Show notes

• The SEC’s cyber incident reporting isn’t very exciting after all
• China Telecom on the way to being thrown out of the US
• The NSA/Cybercom might get two separate hats
• The Cl0p ransomware crew are back and taking responsibility for the Cleo hacks
• (Yet another) File upload bug in Struts makes Java admins weep
• And much, much more.

This episode is sponsored by SpecterOps, who run a pretty top notch offsec/pentest team when they’re not busy making the Bloodhound Enterprise identity attack path enumeration software. SpecterOps’ Robby Winchester joins to talk about how pentest has changed, and how their customers get value from their testing.

This episode is also available Youtube.

Show notes

• SEC cyber incident reporting rule generates 71 filings in 11 months | Cybersecurity Dive
• US senators, green groups call for accountability over hacking of Exxon critics | Reuters
• Biden Administration Takes First Step to Retaliate Against China Over Hack - The New York Times
• Unfinished business for Trump: Ending the Cyber Command and NSA 'dual hat' | The Record from Recorded Future News
• EU opens investigation into TikTok and the Romanian election – POLITICO
• Clop ransomware claims responsibility for Cleo data theft attacks
• CISA warns of ransomware gangs exploiting Cleo, CyberPanel bugs | The Record from Recorded Future News
• CVE-2024-55956 | AttackerKB
• Apache issues patches for critical Struts 2 RCE bug • The Register
• Japanese game and anime publisher reportedly pays $3 million ransom to Russia-linked hackers | The Record from Recorded Future News
• Israeli spyware firm Paragon acquired by US investment group, report says | Reuters
• How Cryptocurrency Turns to Cash in Russian Banks – Krebs on Security
• Arizona man arrested for alleged involvement in violent online terror networks | CyberScoop
• Russia bans Viber, claiming app facilitates terrorism and drug trafficking | The Record from Recorded Future News

They look at the Salt Typhoon and Volt Typhoon campaigns, the last 20 years of Chinese operations, and the evolution of the cyber roles of China’s Ministry of State Security and People’s Liberation Army.

It’s a very dense hour of conversation!

This podcast was recorded in front of an audience at the Museum of Contemporary Art in Sydney.

This episode is also available on Youtube.

Show notes

• Cleo file transfer products have a remote code exec, here we go again!
• Snowflake phases out password-based auth
• Chinese Sophos-exploit-dev company gets sanctioned
• Romania’s election gets rolled back after Tiktok changed the outcome
• AMD’s encrypted VM tech bamboozled by RAM with one extra address bit
• Some cool OpenWRT research
• And much, much more.

This week’s episode is sponsored by Thinkst, who love sneaky canary token traps. Jacob Torrey previews an upcoming Blackhat talk filled with interesting operating system tricks you can use to trigger canaries in your environment. You wont believe the third trick! Attackers hate him!

This episode is also available on Youtube.

Show notes

• Cleo Software Actively Being Exploited in the Wild CVE-2024-50623 | Huntress
• Blue Yonder investigating data leak claim following ransomware attack | Cybersecurity Dive
• Snowflake to phase out single-factor authentication by late 2025 | Cybersecurity Dive
• Treasury Sanctions Cybersecurity Company Involved in Compromise of Firewall Products and Attempted Ransomware Attacks | U.S. Department of the Treasury
• Another teenage hacker charged as feds continue Scattered Spider crackdown | The Record from Recorded Future News
• Germany arrests suspected admin of country’s largest criminal marketplace | The Record from Recorded Future News
• FCC, for first time, proposes cybersecurity rules tied to wiretapping law | CyberScoop
• Russian state hackers abuse Cloudflare services to spy on Ukrainian targets | The Record from Recorded Future News
• Cloudflare’s pages.dev and workers.dev Domains Increasingly Abused for
• Romania annuls presidential election over alleged Russian interference | The Record from Recorded Future News
• EU demands TikTok 'freeze and preserve data' over alleged Russian interference in Romanian elections | The Record from Recorded Future News
• Research Note: Meta’s Role in Romania’s 2024 Presidential Election - CheckFirst
• Key electricity distributor in Romania warns of ‘cyber attack in progress’ | The Record from Recorded Future News
• Backdoor slipped into popular code library, drains ~$155k from digital wallets - Ars Technica
• AMD’s trusted execution environment blown wide open by new BadRAM attack - Ars Technica
• New dog, old tricks: DaMAgeCard attack targets memory directly thru SD card reader – PT SWARM
• Telegram partners with child safety group to scan content for sexual abuse material
• Apple hit with $1.2B lawsuit after killing controversial CSAM-detecting tool - Ars Technica
• Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection - Flatt Security Research
• How do I turn on the Do Not Track feature? | Firefox Help

You can now ship pre-registered Yubikeys to your staff so you don’t need to rely on your staff to enrol them. They’ve achieved this with really slick Okta and Entra ID integrations.

Jerrod also talks about a recent trip to Singapore and concerns he has about the cybersecurity of critical infrastructure in the energy sector.

• The FTC decides its time to take another look at Microsoft
• Exxon’s opponents targeted by hackers
• Russian hackers keep getting sentenced and it confuses us
• The Feds recommend Signal, because throwing hackers out of telcos ain’t gonna happen
• A South Korean set-top-box manufacturer shipped a DDoS client for corpo-combat
• And much, much more.

This week’s sponsor interview with Vijit Nair from Corelight. We talk to him about doing detection in cloud environments, and how the varied nature of cloud systems makes the old ways - network monitoring - useful in new and interesting ways.

If you’re in Sydney, Pat is recording a live episode of the Wide World of Cyber with Chris Krebs on 5 December. There might still be tickets left!

This episode is also available on Youtube.

Show notes

• SentinelOne: Risky Business LIVE
• FTC opens Microsoft antitrust investigation | AP News
• Exclusive: Exxon lobbyist investigated over hack-and-leak of environmentalist emails, sources say | Reuters
• Costa Rica state energy company calls in US experts to help with ransomware attack | The Record from Recorded Future News
• Blue Yonder Security Rating, Vendor Risk Report, and Data Breaches
• ENGlobal IT systems impacted by ransomware attack | Cybersecurity Dive
• Ransomware suspect Wazawaka reportedly arrested by Russia | The Record from Recorded Future News
• Russia delivers historic life sentence to suspected founder of darknet marketplace | The Record from Recorded Future News
• Vodka maker Stoli says August ransomware attack contributed to bankruptcy filing | The Record from Recorded Future News
• Hacker in Snowflake Extortions May Be a U.S. Soldier – Krebs on Security
• Uganda confirms cyberattack on central bank but minimizes extent of breach | The Record from Recorded Future News
• Press Release: HOME > Announcements/News > Announcements > Press Release
• U.S. officials urge Americans to use encrypted apps amid cyberattack
• With Threats to Encryption Looming, Signal’s Meredith Whittaker Says ‘We’re Not Changing’ | WIRED
• Japanese crypto service shuts down after theft of bitcoin worth $308 million | The Record from Recorded Future News
• He Got Banned From X. Now He Wants to Help You Escape, Too | WIRED
• cyberundergroundfeed on X: "🚨 Pro-Russian Group Allegedly Hacks #Australia #Melbourne Sewage System 🚨 Hackers claim to have compromised the Riversdale sewage pumping station in #Melbourne, #Australia, switching it to manual control and placing it in emergency mode."
• Pump station fears rebuffed - New Zealand News - NZ Herald
• NZ Navy ship runs aground off Samoa, catches fire and sinks

• A ransomware attack has crippled US supply chain software provider Blue Yonder
• Russian spies hack nearby wifi to get to their targets, but that doesn’t seem surprising?
• Salt Typhoon’s attacks on telcos are hard to solve and big on impact
• China’s surveillance state workers sell their access at home
• Palo Alto is bad and should feel bad
• And much, much more.

In this week’s sponsor interview Patrick Gray chats with Matt Muller from Tines about Gartner’s “spicy take” that the SOAR category is dead. SOAR is dead! Long live SOAR!

This episode is also available on Youtube.

Show notes

• Retailers struggle after ransomware attack on supply chain tech provider Blue Yonder | The Record from Recorded Future News
• Customer Update
• Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack | WIRED
• China’s Salt Typhoon hackers target telecom firms in Southeast Asia with new malware | The Record from Recorded Future News
• Emerging Details of Chinese Hack Leave U.S. Officials Increasingly Concerned
• Top senator calls Salt Typhoon “worst telecom hack in our nation’s history” - The Washington Post
• Privacy-focused mobile phone launches for high-risk individuals | CyberScoop
• China’s Surveillance State Is Selling Citizen Data as a Side Hustle | WIRED
• Former Verizon employee gets four-year sentence for sharing cyber secrets with Chinese government | The Record from Recorded Future News
• Surveillance Legislation (Confirmation of Application) Bill 2024 – Parliament of Australia
• ParlInfo - BILLS : Surveillance Legislation (Confirmation of Application) Bill 2024 : Second Reading
• ParlInfo - Surveillance Legislation (Confirmation of Application) Bill 2024
• ParlInfo - Surveillance Legislation (Confirmation of Application) Bill 2024
• Chris Bing: "Regarding the reported hack of the Gaetz-ethics committee report, the file storage platform (FileShare) that held the document said they weren't hacked. But rather: "this file was shared anonymously which allowed anyone to download. This was not a breach"" — Bluesky
• Tether Has Become a Massive Money Laundering Tool for Mexican Drug Traffickers, Feds Say
• Palo Alto Networks boasts as customers coalesce on its platforms | Cybersecurity Dive
• Palo Alto Networks pushes back as Shadowserver spots 2K of its firewalls exploited | Cybersecurity Dive
• RSF investigation: the Indian cyber-security giant silencing media outlets worldwide | RSF
• Patrick Gray (@patrick.risky.biz) — Bluesky
• metlstorm (@metlstorm.risky.biz) — Bluesky
• Catalin Cimpanu (@campuscodi.risky.biz) — Bluesky
• Tom Uren (@tom.risky.biz) — Bluesky

• Microsoft introduces some sensible sounding post-Crowdstrike changes
• Palo Alto patches hella-stupid bugs in its firewall management webapp
• CISA head Jen Easterly to depart as Trump arrives
• AI grandma tarpits phone scammers in family-tech-support hell
• Academic research supports your gut-reaction; phishing training doesn’t work
• And much, much more.

This week’s episode is sponsored by Greynoise. The always excitable Andrew Morris joins to remind us that the edge-device vulnerabilities Pat and Adam complain about on the show are in fact actually even worse than we make them out to be. Andrew also tells us about a zero-day Greynoise’ AI system truffle-pigged out of their data set.

This episode is also available on Youtube.

Show notes

• Windows security and resiliency: Protecting your business | Windows Experience Blog
• Microsoft revamps how it will disclose vulnerabilities | Cybersecurity Dive
• NIST says exploited vulnerability backlog cleared but end-of-year goal for full list unlikely
• Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474
• Palo Alto Networks customers grapple with another actively exploited zero-day | Cybersecurity Dive
• Unpatched zero-days in Fortinet and Palo Alto Networks software
• Palo Alto Networks’ customer migration tool hit by trio of CVE exploits | Cybersecurity Dive
• Readout of President Joe Biden’s Meeting with President Xi Jinping of the People’s Republic of China | The White House
• Easterly to step down from CISA director role on Inauguration Day | Cybersecurity Dive
• Top White House cyber official urges Trump to focus on ransomware, China
• Ransomware gang Akira leaks unprecedented number of victims’ data in one day
• Hacker Is Said to Have Gained Access to File With Damaging Testimony About Gaetz
• 1,400 Pegasus spyware infections detailed in WhatsApp’s lawsuit filings
• NSO Group admits cutting off 10 customers because they abused its Pegasus spyware, say unsealed court documents | TechCrunch
• Ransomware gang Akira leaks unprecedented number of victims’ data in one day
• Ohio man behind Helix cryptocurrency mixer gets 3-year sentence
• O2 unveils Daisy, the AI granny wasting scammers’ time - Virgin Media O2
• Understanding the Efficacy of Phishing Training in Practice
• Bunnings facial recognition cameras breach Privacy Act, retailer to challenge ruling | news.com.au — Australia’s leading news site
• Nudity, punches in newly released Bunnings CCTV as company found to breach Privacy Act | news.com.au — Australia’s leading news site
• Bitfinex Hack Launderer Heather 'Razzlekhan' Morgan Sentenced to 18 Months in Prison

• Apple frustrates law enforcement with iOS auto-reboot
• CISA says most KEV vulnerabilities in 2023 were first used as zero days
• Russians roll incident response on some sweet Linux spookware
• Regular users can create mailboxes in M365?
• Tor tracks down the source of its joe-job abuse complaints
• And much, much more.

This week’s feature guest is former FBI agent Chris Tarbell, who arrested Silk Road operator Ross Ulbricht way back in 2013. As suggestions swirl that an incoming Trump administration might release Ulbricht, Chris talks about the reality of the Dread Pirate Roberts.

This episode is sponsored by software supply chain security firm Socket.dev. Founder Feross Aboukhadijeh thinks that we need a CVE-like catalogue for supply-chain attacks, and he makes a solid argument.

The show is also available on Youtube.

Show notes

• Jason Koebler: "New: We’ve confirmed Apple quietly introduced a feature in the new iOS that is preventing cops from hacking iPhones that they have confiscated as evidence. Apple really did say ACAB www.404media.co/apple-quietl..." — Bluesky
• Apple Quietly Introduced iPhone Reboot Code Which is Locking Out Cops
• Exclusive | U.S. Agency Warns Employees About Phone Use Amid Ongoing China Hack - WSJ
• Surge in exploits of zero-day vulnerabilities is ‘new normal’ warns Five Eyes alliance
• The Elusive GoblinRAT: How a Linux Backdoor Infiltrated Government Infrastructures
• Microsoft Bookings – Facilitating Impersonation | Cyberis Limited
• TrustedSec | EKUwu: Not just another AD CS ESC
• Russia’s internet watchdog blocks thousands of websites that use Cloudflare's privacy service
• Defending the Tor network: Mitigating IP spoofing against Tor | The Tor Project
• Law enforcement operation takes down 22,000 malicious IP addresses worldwide - Ars Technica
• Press Conference - Parliament House, Canberra | Prime Minister of Australia
• DHS nominee Kristi Noem stood alone for rejecting department cyber grants to state, local governments | CyberScoop
• Patrick Gray: "Allies will feel comfortable until these guys get fired in their first 100 days for opposing Trump’s proposed annexation of Iceland or something. People have forgotten… Trump is out of his gourd" — Bluesky

Email security is one of the oldest product categories in security, but as you’ll hear, Josh thinks the incumbents are just doing it wrong. He joins Risky Business host Patrick Gray for this interview about Sublime’s origin story and its new approach to email security.

• Sophos drops implants on Chinese firewall exploit devs
• Microsoft workshops better just-in-time Windows admin privileges
• Snowflake hacker arrested in Canada
• Okta has a fun, but not very impactful auth-bypass bug
• Russians bring dumb-but-smart RDP client attacks
• And much, much more.

Special guest Sophos CISO Ross McKerchar joined us to talk about its “hacking back” campaign. The full interview is available on Youtube for those who want to really live vicariously through Sophos doing what every vendor probably wants to do.

This week’s episode is sponsored by attack surface mapping vendor runZero. Founder and CEO HD Moore joins to talk about marrying up the outside and inside views of your network.

You can also watch this episode on Youtube

Show notes

• Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory
• Does bcrypt have a maximum password length? - Information Security Stack Exchange
• Local Administrator Protection | Privilege Protection
• Inside Sophos' 5-Year War With the Chinese Hackers Hijacking Its Devices | WIRED
• A Deeper Look at FortiJump (FortiManager CVE-2024-47575) | Bishop Fox
• Man Arrested for Snowflake Hacking Spree Faces US Extradition | WIRED
• Google uses large language model to discover real-world vulnerability
• GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI
• Thousands of hacked TP-Link routers used in yearslong account takeover attacks - Ars Technica
• CISA warns of foreign threat group launching spearphishing campaign using malicious RDP files | Cybersecurity Dive
• Chinese state-backed hackers breached 20 Canadian government networks over four years, agency warns
• India-Canada row: Canadian officials confess to leaking 'intel' against India to Washington Post - India Today
• Amid diplomatic row, Canada names India in ‘cyberthreat adversary’ list, accuses it of ‘likely spying’ | World News - The Indian Express
• The Untold Story of Trump's Failed Attempt to Overthrow Venezuela's President | WIRED
• Risky Biz News: The mystery at Mango Park
• North Korean hackers seen collaborating with Play ransomware group, researchers say

• CSRB to investigate China’s telco-wiretapping hacks
• Euro law enforcement takes down the Redline infostealer
• Someone steals Fed crypto… and then tries to quietly sneak it back in
• Russia sentences REvil guys to … jail? Really?
• Apple private cloud compute gets a proper bug bounty program
• And much, much more.

This week’s episode is sponsored by Material Security, who help navigate the mess of cloud productivity data security. Daniel Ayala - Chief Security and Trust Officer at Dotmatics - is a Material customer, and joins Pat and Material Security’s Rajan Kapoor to talk about how to wrangle securing data that ends up in corporate cloud email and file stores.

This episode is also available on Youtube.

Show notes

• Apple 10 day certificates
• Chinese hackers said to have collected audio of American calls
• U.S. Panel to Probe Cyber Failures in Massive Chinese Hack of Telecoms
• How a series of opsec failures led US authorities to the alleged developer of the Redline password-stealing malware
• Operation Magnus
• Hacker Returns $19.3 Million to Drained US Government Crypto Wallet
• Meet ZachXBT, the Masked Vigilante Tracking Down Billions in Crypto Scams and Thefts | WIRED
• Radar systems in Iran breached prior to Israel's Saturday counter-strike - report
• Delta sues CrowdStrike after widespread IT outage that caused thousands of cancellations
• Tens of thousands of taxpayer accounts hacked as CRA repeatedly paid out millions in bogus refunds
• Microsoft CEO asked board to cut pay in connection with security overhaul | Cybersecurity Dive
• Four REvil members sentenced to more than four years in prison
• Russia says it might build its own Linux community after removal of several kernel maintainers
• Nigerian court drops charges against detained Binance executive Tigran Gambaryan
• Apple will pay security researchers up to $1 million to hack its private AI cloud | TechCrunch
• SonicWall firewalls the common access point in spreading ransomware campaign | Cybersecurity Dive
• Fortinet zero-day attack spree hits at least 50 customers | Cybersecurity Dive
• Cisco warns actively exploited CVE can lead to DoS attacks against VPN services | Cybersecurity Dive
• Chinese influence operation targets US down-ballot races, Microsoft says | Reuters
• Exclusive: Accused Iranian hackers successfully peddle stolen Trump emails | Reuters
• Viral video of ripped-up Pennsylvania ballots is fake and Russian-made, intelligence agencies say
• Product Demo: Securing M365 and Google Workspace with Material Security

• A history of Thinkst Canary including a recap of what they actually do
• A look at why they’re still really the only major player in the deception game
• A look at what companies like Microsoft are doing with deception
• Why security startups should have conference booths

• SEC fines tech firms for downplaying the Solarwinds hacks
• Anonymous Sudan still looks and quacks like a Russian duck
• Apple proposes max 10 day TLS certificate life
• Oopsie! Microsoft loses a bunch of cloud logs
• Veeam and Fortinet are bad and should feel bad
• North Koreans are good (at hacking)
• And much, much more.

This week’s episode is sponsored by Proofpoint. Chief Strategy Officer Ryan Kalember joins to talk about their work keeping up with prolific threat actor SocGholish.

This episode is also available on Youtube.

Show notes

• Four cyber companies fined for SolarWinds disclosure failures
• U.S. charges Sudanese men with running powerful cyberattack-for-hire gang
• Hacker Charged With Seeking to Kill Using Cyberattacks on Hospitals | WIRED
• Risky Biz News: Anonymous Sudan's Russia Links Are (Still) Obvious
• Microsoft confirms partial loss of security log data on multiple platforms | Cybersecurity Dive
• Risky Biz News: Apple wants to reduce the lifespan of TLS certificates to 10 days
• Encrypted Chat App ‘Session’ Leaves Australia After Visit From Police
• Crypto platform Radiant Capital says $50 million in digital coins stolen following account compromises
• North Korean hackers use newly discovered Linux malware to raid ATMs - Ars Technica
• Brazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach – Krebs on Security
• Here’s how SIM swap in alleged bitcoin pump-and-dump scheme worked - Ars Technica
• Critical Veeam CVE actively exploited in ransomware attacks | Cybersecurity Dive
• FortiGate admins report active exploitation 0-day. Vendor isn’t talking. - Ars Technica
• Hackers reportedly impersonate cyber firm ESET to target organizations in Israel
• The latest in North Korea’s fake IT worker scheme: Extorting the employers

• Chinese spooks all up in western telco lawful intercept
• Jerks ruin the Internet Archive’s day
• Microsoft drops a great report with a bad chart
• The feds make their own crypto currency and get it pumped
• Forti-, Palo- and Ivanti-fail
• And much, much more.

This week’s episode is sponsored by detection-as-code vendor Panther. Casey Hill, Panther’s Director Product Management joins to discuss why the old “just bung it all in a data lake and… ???… “ approach hasn’t worked out, and what smart teams do to handle their logs.

This episode is also available on [Youtube].(https://youtu.be/86zy6DcwtbE)

Show notes

• White House forms emergency team to deal with China espionage hack - The Washington Post
• DDoS attacks on Internet Archive continue after data breach impacting 31 million
• Microsoft Digital Defense Report 2024
• Ransomware encryption down amid surge of attacks, Microsoft says | CyberScoop
• Russian court websites down after breach claimed by pro-Ukraine hackers
• Ukrainian anti-corruption agency reportedly finds no violations in disclosures of top cyber official
• Trump campaign turns to secure hardware after hacking incident | Reuters
• FBI creates its own crypto token to nab suspects in alleged fraud scheme
• District of Massachusetts | Eighteen Individuals and Entities Charged in International Operation Targeting Widespread Fraud and Manipulation in the Cryptocurrency Markets | United States Department of Justice
• Critical CVE in 4 Fortinet products actively exploited | Cybersecurity Dive
• Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024
• Palo Alto Expedition: From N-Day to Full Compromise
• Ivanti up against another attack spree as hackers target its endpoint manager | Cybersecurity Dive
• 1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies · GitHub
• Recently-patched Firefox bug exploited against Tor browser users
• Two never-before-seen tools, from same group, infect air-gapped devices - Ars Technica
• A Single Cloud Compromise Can Feed an Army of AI Sex Bots – Krebs on Security
• Opinion | The Cyber Sleuth - Washington Post

• Sandfly Security: An agentless Linux security platform that actually sounds very cool
• Permiso: An identity security platform founded by ex FireEye folks
• Wiz: The cloud security giant is getting in on code security scanning

You can watch this edition of Snake Oilers on YouTube here.