Episodes

  • Credential harvesters in the cloud.

    Credential harvesters in the cloud.
    Nov 16 2024
    This week we are joined by, Blake Darché, Head of Cloudforce One at Cloudflare, to discuss their work on "Unraveling SloppyLemming’s Operations Across South Asia." Cloudforce One's investigation into the advanced threat actor "SloppyLemming" reveals an extensive espionage campaign targeting South and East Asia, with a focus on Pakistan's government, defense, telecommunications, and energy sectors. Leveraging multiple cloud service providers, SloppyLemming employs tactics like credential harvesting, malware delivery, and command-and-control (C2) operations, often relying on open-source adversary emulation tools like Cobalt Strike. Despite its activities, the actor's poor operational security (OPSEC) has allowed investigators to gain valuable insights into its infrastructure and tooling. The research can be found here: Unraveling SloppyLemming’s operations across South Asia Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show more Show less
    19 mins
  • A firewall wake up call.

    A firewall wake up call.
    Nov 9 2024
    Enjoy this special encore episode, where we are joined by Jon Williams from Bishop Fox, as he is sharing their research on "It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable." SonicWall published advisories for CVE-2022-22274 and CVE-2023-0656 a year apart after finding that NGFW series 6 and 7 devices are affected by two unauthenticated denial-of-service vulnerabilities. The research states "Our research found that the two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern." They also found that when they scanned SonicWall firewalls with management interfaces exposed to the internet, they found that 76% are vulnerable to one or both issues. The research can be found here: It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show more Show less
    23 mins
  • Velvet Ant's silent invasion.

    Velvet Ant's silent invasion.
    Nov 2 2024
    This week, we are joined by, Amnon Kushnir from Sygnia, who is sharing their work on "China-Nexus Threat Group ‘Velvet Ant’ Leverages a Zero-Day to Deploy Malware on Cisco Nexus Switches." In early 2024, Sygnia observed the ‘Velvet Ant’ threat group exploiting a zero-day vulnerability (CVE-2024-20399) to infiltrate Cisco Switch appliances and operate undetected within enterprise networks. This attack enables threat actors to escape Cisco’s command interface and install malware directly on the device’s OS, bypassing standard security tools. The incident underscores the risks posed by third-party appliances and the importance of enhanced monitoring and threat detection to counter advanced persistent threats. The research can be found here: China-Nexus Threat Group ‘Velvet Ant’ Leverages a Zero-Day to Deploy Malware on Cisco Nexus Switches Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show more Show less
    22 mins
  • LLM security 101.

    LLM security 101.
    Oct 26 2024
    This week, we are pleased to be joined by Mick Baccio, global security advisor for Splunk SURGe, sharing their research on "LLM Security: Splunk & OWASP Top 10 for LLM-based Applications." The research dives into the rapid rise of AI and Large Language Models (LLMs) that initially seem magical, but behind the scenes, they are sophisticated systems built by humans. Despite their impressive capabilities, these systems are vulnerable to numerous cyber threats. Splunk's research explores the OWASP Top 10 for LLM Applications, a framework that highlights key vulnerabilities such as prompt injection, training data poisoning, and sensitive information disclosure. The research can be found here: LLM Security: Splunk & OWASP Top 10 for LLM-based Applications Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show more Show less
    21 mins
  • New targets, new tools, same threat.

    New targets, new tools, same threat.
    Oct 19 2024
    This week we are joined by Chester Wisniewski, Global Field CTO from Sophos X-Ops team, to discuss their work on "Crimson Palace returns: New Tools, Tactics, and Targets." Sophos X-Ops has observed a resurgence in cyberespionage activity, tracked as Operation Crimson Palace, targeting Southeast Asian government organizations. After a brief lull, Cluster Charlie resumed operations in September 2023, using new tactics such as web shells and open-source tools to bypass detection, re-establish access, and map target network infrastructure, demonstrating ongoing efforts to exfiltrate data and expand their foothold. The research can be found here: Crimson Palace returns: New Tools, Tactics, and Targets Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show more Show less
    27 mins
  • Ransomware on repeat.

    Ransomware on repeat.
    Oct 12 2024
    In this episode, Trevor Hilligoss, VP of SpyCloud Labs at SpyCloud, discusses the increasing threat of ransomware, emphasizing the role of infostealer malware in facilitating these attacks. He draws from SpyCloud's 2024 Malware and Ransomware Defense Report, highlighting how compromised identity data from infostealers creates opportunities for ransomware operators. With 75% of organizations experiencing multiple ransomware attacks in the past year, Trevor explores findings from over 500 security leaders in the US and UK, discussing the challenges businesses face and how they can use insights from this research to defend against ransomware and other cybercrimes. The research can be found here: MALWARE AND RANSOMWARE DEFENSE REPORT Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show more Show less
    29 mins
  • Podcast bait, malware switch.

    Podcast bait, malware switch.
    Oct 5 2024
    Joshua Miller from Proofpoint is discussing their work on "Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset." Proofpoint identified Iranian threat actor TA453 targeting a prominent Jewish figure with a fake podcast interview invitation, using a benign email to build trust before sending a malicious link. The attack attempted to deliver new malware called BlackSmith, containing a PowerShell trojan dubbed AnvilEcho, designed for intelligence gathering and exfiltration. This malware consolidates all of TA453's known capabilities into a single script rather than the previously used modular approach. The research can be found here: Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show more Show less
    23 mins
  • Beyond the permissions wall.

    Beyond the permissions wall.
    Sep 28 2024
    We are joined by Yves Younan, Senior Manager, Talos Vulnerability Discovery and Research from Cisco, discussing their work on "How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions." Cisco Talos has uncovered eight vulnerabilities in Microsoft applications for macOS that could allow attackers to exploit the system's permission model by injecting malicious libraries. By leveraging permissions already granted to these apps, attackers could gain access to sensitive resources like the microphone, camera, and screen recording without user consent. While Microsoft considers these issues low risk and has declined to fix them, the vulnerabilities pose a potential threat to user privacy and security. The research can be found here: How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions Learn more about your ad choices. Visit megaphone.fm/adchoices
    Show more Show less
    18 mins