1
00:00:00,360 --> 00:00:02,799
Cipherceval:
So you ran your Windows Update
this week, right?

2
00:00:02,799 --> 00:00:06,080
Cipherceval:
You click the little Restart Now
button and let it do its thing

3
00:00:06,080 --> 00:00:08,720
Cipherceval:
well, because if you haven't,
you may want to pause this

4
00:00:08,720 --> 00:00:10,080
Cipherceval:
episode and go do that.

5
00:00:10,080 --> 00:00:14,099
Cipherceval:
Seriously, Microsoft just
dropped patches for six

6
00:00:14,099 --> 00:00:16,559
Cipherceval:
zero day vulnerabilities that
attackers were already

7
00:00:16,559 --> 00:00:18,000
Cipherceval:
exploiting in the wild.

8
00:00:18,000 --> 00:00:20,039
Cipherceval:
And that's just the appetizer.

9
00:00:20,039 --> 00:00:22,719
Cipherceval:
Now, by the time that you're
getting this, I'm hoping you

10
00:00:22,719 --> 00:00:25,800
Cipherceval:
would have restarted it, but you
should check out if you haven't.

11
00:00:25,800 --> 00:00:27,640
Cipherceval:
Now, this week, we've also got

12
00:00:27,640 --> 00:00:29,039
Cipherceval:
North Korean hackers posing as

13
00:00:29,039 --> 00:00:30,460
Cipherceval:
job recruiters to poison your

14
00:00:30,460 --> 00:00:31,640
Cipherceval:
npm packages.

15
00:00:31,640 --> 00:00:33,000
Cipherceval:
Nation state actors using

16
00:00:33,000 --> 00:00:35,159
Cipherceval:
Google's own AI against us, a

17
00:00:35,159 --> 00:00:36,439
Cipherceval:
massive telecom breach affecting

18
00:00:36,439 --> 00:00:37,560
Cipherceval:
over six million people in the

19
00:00:37,560 --> 00:00:38,960
Cipherceval:
Netherlands, and a government

20
00:00:38,960 --> 00:00:40,280
Cipherceval:
contract breach that just went

21
00:00:40,280 --> 00:00:42,679
Cipherceval:
from bad to, oh no, potentially

22
00:00:42,679 --> 00:00:44,359
Cipherceval:
affecting tens of millions of

23
00:00:44,359 --> 00:00:45,280
Cipherceval:
Americans.

24
00:00:45,280 --> 00:00:46,719
Cipherceval:
It's been a busy week.

25
00:00:46,719 --> 00:00:47,759
Cipherceval:
Let's get into it.

26
00:00:51,159 --> 00:00:53,840
Speaker:
Forge OS is online and
operational.

27
00:00:53,840 --> 00:00:54,240
Speaker:
Welcome.

28
00:00:54,240 --> 00:00:55,119
Speaker:
Operator.

29
00:00:55,287 --> 00:00:56,728
Cipherceval:
Hey, guys, I'm your host,

30
00:00:56,728 --> 00:00:58,868
Cipherceval:
Cipherceval, and welcome to

31
00:00:58,868 --> 00:01:00,448
Cipherceval:
Exploit Brokers by Forgebound

32
00:01:00,448 --> 00:01:01,287
Cipherceval:
Research.

33
00:01:01,287 --> 00:01:02,527
Cipherceval:
If you're watching on YouTube,

34
00:01:02,527 --> 00:01:03,847
Cipherceval:
go ahead and drop a like on this

35
00:01:03,847 --> 00:01:04,287
Cipherceval:
video.

36
00:01:04,287 --> 00:01:07,367
Cipherceval:
Hit that subscribe button and
ring the bell notification icon

37
00:01:07,367 --> 00:01:09,007
Cipherceval:
so you don't miss an episode.

38
00:01:09,007 --> 00:01:10,587
Cipherceval:
If you're listening on Spotify,

39
00:01:10,587 --> 00:01:12,128
Cipherceval:
Apple Podcasts, or wherever you

40
00:01:12,128 --> 00:01:13,688
Cipherceval:
get your podcasts, I'd really

41
00:01:13,688 --> 00:01:15,028
Cipherceval:
appreciate a follow and a five

42
00:01:15,028 --> 00:01:15,888
Cipherceval:
star rating.

43
00:01:15,888 --> 00:01:17,248
Cipherceval:
It helps other people find the

44
00:01:17,248 --> 00:01:18,688
Cipherceval:
show, and honestly, it means a

45
00:01:18,688 --> 00:01:19,168
Cipherceval:
lot.

46
00:01:19,168 --> 00:01:20,727
Cipherceval:
All right, let's jump into it.

47
00:01:20,528 --> 00:01:21,647
Cipherceval:
Our lead story this week.

48
00:01:21,647 --> 00:01:22,808
Cipherceval:
And it's a big one.

49
00:01:22,808 --> 00:01:25,207
Cipherceval:
Microsoft's February 2026 Patch

50
00:01:25,207 --> 00:01:26,668
Cipherceval:
Tuesday dropped on February

51
00:01:26,668 --> 00:01:27,048
Cipherceval:
10th.

52
00:01:27,048 --> 00:01:29,528
Cipherceval:
And it is one of the months
where you look at the numbers

53
00:01:29,528 --> 00:01:32,128
Cipherceval:
and immediately start thinking
about your patching timeline.

54
00:01:32,128 --> 00:01:33,408
Cipherceval:
They addressed fifty eight

55
00:01:33,408 --> 00:01:35,087
Cipherceval:
vulnerabilities across Windows,

56
00:01:35,087 --> 00:01:36,567
Cipherceval:
Office, Azure and Developer

57
00:01:36,567 --> 00:01:38,528
Cipherceval:
tools, but the headline here is

58
00:01:38,528 --> 00:01:40,608
Cipherceval:
six actively exploited zero day

59
00:01:40,608 --> 00:01:41,768
Cipherceval:
vulnerabilities.

60
00:01:41,768 --> 00:01:44,567
Cipherceval:
Now, for those who may not be
familiar, a zero day means the

61
00:01:44,567 --> 00:01:47,688
Cipherceval:
attackers were exploiting these
flaws before Microsoft even had

62
00:01:47,688 --> 00:01:49,087
Cipherceval:
a fix available.

63
00:01:49,087 --> 00:01:51,968
Cipherceval:
The bad guys had the keys before
the locksmith could change the

64
00:01:51,968 --> 00:01:55,447
Cipherceval:
locks, and having six of them in
a single Patch Tuesday.

65
00:01:55,447 --> 00:01:56,367
Cipherceval:
That's significant.

66
00:01:56,367 --> 00:01:57,567
Cipherceval:
That's not normal.

67
00:01:57,567 --> 00:01:59,007
Cipherceval:
Let's break down the big ones.

68
00:01:59,007 --> 00:02:04,347
Cipherceval:
So first up, CVE-2026-21510, a

69
00:02:04,347 --> 00:02:05,768
Cipherceval:
Windows Shell security feature

70
00:02:05,768 --> 00:02:06,608
Cipherceval:
bypass.

71
00:02:06,608 --> 00:02:09,328
Cipherceval:
This one has a CVSS score of
eight point eight.

72
00:02:09,328 --> 00:02:10,888
Cipherceval:
And it's nasty.

73
00:02:10,888 --> 00:02:14,038
Cipherceval:
And the attacker can craft a
malicious link or shortcut file,

74
00:02:14,038 --> 00:02:15,258
Cipherceval:
and when the victim clicks it,

75
00:02:15,258 --> 00:02:16,877
Cipherceval:
it completely bypasses Windows

76
00:02:16,877 --> 00:02:17,717
Cipherceval:
SmartScreen.

77
00:02:17,717 --> 00:02:18,677
Cipherceval:
Those are the

78
00:02:18,677 --> 00:02:19,478
Cipherceval:
"Are you sure?"

79
00:02:19,478 --> 00:02:20,698
Cipherceval:
prompts that are supposed to

80
00:02:20,698 --> 00:02:21,758
Cipherceval:
warn you about untrusted

81
00:02:21,758 --> 00:02:22,518
Cipherceval:
content.

82
00:02:22,518 --> 00:02:24,117
Cipherceval:
So you click a link and instead

83
00:02:24,117 --> 00:02:24,957
Cipherceval:
of Windows saying, hey, this

84
00:02:24,957 --> 00:02:26,677
Cipherceval:
looks suspicious, it just lets

85
00:02:26,677 --> 00:02:28,337
Cipherceval:
the malware through just right

86
00:02:28,337 --> 00:02:28,957
Cipherceval:
on in.

87
00:02:28,957 --> 00:02:30,237
Cipherceval:
Google's Threat Intelligence

88
00:02:30,237 --> 00:02:31,437
Cipherceval:
Group actually confirmed that

89
00:02:31,437 --> 00:02:33,157
Cipherceval:
this one was under, and I quote

90
00:02:33,157 --> 00:02:35,397
Cipherceval:
them on this, "widespread active

91
00:02:35,397 --> 00:02:36,918
Cipherceval:
exploitation."

92
00:02:36,918 --> 00:02:39,478
Cipherceval:
That's Google telling you how
bad it is.

93
00:02:39,478 --> 00:02:46,598
Cipherceval:
Then we've got CVE-2026-21513.
This targets MSHTML.

94
00:02:46,598 --> 00:02:48,157
Cipherceval:
That's Microsoft HTML.

95
00:02:48,157 --> 00:02:50,478
Cipherceval:
That's the old Internet Explorer
rendering engine.

96
00:02:50,478 --> 00:02:52,157
Cipherceval:
Now I know you're thinking
Internet Explorer.

97
00:02:52,157 --> 00:02:53,437
Cipherceval:
I haven't used that in years.

98
00:02:53,437 --> 00:02:54,677
Cipherceval:
At least I hope you haven't.

99
00:02:54,677 --> 00:02:56,837
Cipherceval:
Well, neither have I. But here's
the thing.

100
00:02:56,837 --> 00:02:58,918
Cipherceval:
MSHTML is still baked into

101
00:02:58,918 --> 00:02:59,877
Cipherceval:
Windows for backwards

102
00:02:59,877 --> 00:03:00,957
Cipherceval:
compatibility.

103
00:03:00,957 --> 00:03:03,638
Cipherceval:
It's like that old plumbing in
your house that you forgot about

104
00:03:03,638 --> 00:03:05,157
Cipherceval:
until it starts leaking.

105
00:03:05,157 --> 00:03:06,258
Cipherceval:
Attackers can trick you into

106
00:03:06,258 --> 00:03:08,677
Cipherceval:
opening a malicious HTML or LNK,

107
00:03:08,677 --> 00:03:10,837
Cipherceval:
a link file, to bypass security

108
00:03:10,837 --> 00:03:11,798
Cipherceval:
controls.

109
00:03:11,798 --> 00:03:18,277
Cipherceval:
And then there's CVE-2026-21514,
targeting Microsoft Word,

110
00:03:18,277 --> 00:03:19,397
Cipherceval:
where opening a malicious

111
00:03:19,397 --> 00:03:21,138
Cipherceval:
document lets attackers bypass

112
00:03:21,138 --> 00:03:23,358
Cipherceval:
OLE mitigations

113
00:03:23,358 --> 00:03:26,038
Cipherceval:
in Microsoft 365 and Office.

114
00:03:26,038 --> 00:03:27,198
Cipherceval:
All three of these security

115
00:03:27,198 --> 00:03:28,918
Cipherceval:
bypass zero days were found by

116
00:03:28,918 --> 00:03:29,837
Cipherceval:
both Google's Threat

117
00:03:29,837 --> 00:03:30,798
Cipherceval:
Intelligence Group and

118
00:03:30,798 --> 00:03:32,518
Cipherceval:
Microsoft's own security team

119
00:03:32,518 --> 00:03:34,337
Cipherceval:
working together, and all three

120
00:03:34,337 --> 00:03:36,117
Cipherceval:
were publicly disclosed before

121
00:03:36,117 --> 00:03:36,997
Cipherceval:
the patch.

122
00:03:36,997 --> 00:03:38,038
Cipherceval:
Now, the last part is really

123
00:03:38,038 --> 00:03:38,957
Cipherceval:
important because it means

124
00:03:38,957 --> 00:03:41,198
Cipherceval:
details about how to exploit

125
00:03:41,198 --> 00:03:43,298
Cipherceval:
these were already circulating.

126
00:03:43,298 --> 00:03:45,157
Cipherceval:
On the privilege escalation

127
00:03:45,157 --> 00:03:45,437
Cipherceval:
side,

128
00:03:45,437 --> 00:03:52,818
Cipherceval:
we have CVE-2026-21533 in Remote
Desktop Services that lets a

129
00:03:52,818 --> 00:03:55,478
Cipherceval:
local attacker escalate to
SYSTEM. That's right, SYSTEM.

130
00:03:55,478 --> 00:03:57,518
Cipherceval:
And that's the equivalent of
root for Windows.

131
00:03:57,518 --> 00:04:00,117
Cipherceval:
That's the highest privilege
level in Windows.

132
00:04:00,117 --> 00:04:01,717
Cipherceval:
Now CrowdStrike found this one.

133
00:04:01,717 --> 00:04:04,518
Cipherceval:
And they noted that the
exploited binary was

134
00:04:04,518 --> 00:04:07,818
Cipherceval:
sophisticated enough that threat
actors will likely be racing to

135
00:04:07,818 --> 00:04:09,437
Cipherceval:
use it or sell it.

136
00:04:09,437 --> 00:04:14,478
Cipherceval:
And CVE-2026-21519 in Desktop

137
00:04:14,478 --> 00:04:16,958
Cipherceval:
Window Manager also gives system

138
00:04:16,958 --> 00:04:18,838
Cipherceval:
access through a type confusion

139
00:04:18,838 --> 00:04:19,677
Cipherceval:
bug.

140
00:04:19,677 --> 00:04:21,918
Cipherceval:
Both of these are the kind of
vulnerabilities where once an

141
00:04:21,918 --> 00:04:24,838
Cipherceval:
attacker has any foothold on
your machine, they can become

142
00:04:24,838 --> 00:04:26,517
Cipherceval:
the machine's superadmin.

143
00:04:26,517 --> 00:04:29,798
Cipherceval:
The ultimate control, if you
will.

144
00:04:29,798 --> 00:04:31,398
Cipherceval:
Now, the last zero day we'll be

145
00:04:31,398 --> 00:04:32,497
Cipherceval:
talking about for this one,

146
00:04:32,497 --> 00:04:38,237
Cipherceval:
CVE-2026-21525 is a denial of

147
00:04:38,237 --> 00:04:39,598
Cipherceval:
service flaw in the Remote

148
00:04:39,598 --> 00:04:41,098
Cipherceval:
Access Connection Manager

149
00:04:41,098 --> 00:04:43,798
Cipherceval:
RasMan, which handles your VPN

150
00:04:43,798 --> 00:04:44,598
Cipherceval:
connections.

151
00:04:44,598 --> 00:04:47,737
Cipherceval:
An unprivileged user can crash
the service.

152
00:04:47,737 --> 00:04:52,098
Cipherceval:
If your organization uses always-on
VPN with fail-closed policies,

153
00:04:52,098 --> 00:04:56,197
Cipherceval:
that crash means endpoints lose
network access entirely and IT

154
00:04:56,197 --> 00:04:58,257
Cipherceval:
can't even reach those machines
to fix them.

155
00:04:58,257 --> 00:05:00,737
Cipherceval:
It's a cascading failure
scenario.

156
00:05:00,737 --> 00:05:02,137
Cipherceval:
ACROS Security actually found

157
00:05:02,137 --> 00:05:03,577
Cipherceval:
this exploit in a public malware

158
00:05:03,577 --> 00:05:05,757
Cipherceval:
repository back in December,

159
00:05:05,757 --> 00:05:06,937
Cipherceval:
meaning someone had weaponized

160
00:05:06,937 --> 00:05:07,898
Cipherceval:
it before the patch was even

161
00:05:07,898 --> 00:05:08,458
Cipherceval:
available.

162
00:05:08,458 --> 00:05:10,197
Cipherceval:
What really stands out here is

163
00:05:10,197 --> 00:05:11,877
Cipherceval:
the collaboration: Google,

164
00:05:11,877 --> 00:05:13,557
Cipherceval:
CrowdStrike, ACROS Security and

165
00:05:13,557 --> 00:05:15,598
Cipherceval:
Microsoft's own teams all

166
00:05:15,598 --> 00:05:16,918
Cipherceval:
independently finding and

167
00:05:16,918 --> 00:05:18,598
Cipherceval:
flagging these bugs suggests

168
00:05:18,598 --> 00:05:20,437
Cipherceval:
they were active campaigns,

169
00:05:20,437 --> 00:05:21,517
Cipherceval:
possibly by the same threat

170
00:05:21,517 --> 00:05:22,997
Cipherceval:
actor chaining some of these

171
00:05:22,997 --> 00:05:23,798
Cipherceval:
together.

172
00:05:23,798 --> 00:05:25,197
Cipherceval:
When you see security bypass

173
00:05:25,197 --> 00:05:26,358
Cipherceval:
flaws combined with privilege

174
00:05:26,358 --> 00:05:28,158
Cipherceval:
escalation, that's a full attack

175
00:05:28,158 --> 00:05:28,677
Cipherceval:
chain.

176
00:05:28,677 --> 00:05:29,838
Cipherceval:
Get in, get root.

177
00:05:29,838 --> 00:05:31,197
Cipherceval:
Do whatever you want.

178
00:05:31,197 --> 00:05:31,997
Cipherceval:
It does you no good

179
00:05:31,997 --> 00:05:33,918
Cipherceval:
if you get in but you can't access
anything.

180
00:05:33,918 --> 00:05:35,398
Cipherceval:
And if you can get root but you

181
00:05:35,398 --> 00:05:36,918
Cipherceval:
can't get in, well, then there's

182
00:05:36,918 --> 00:05:37,958
Cipherceval:
already the chicken and the egg

183
00:05:37,958 --> 00:05:38,718
Cipherceval:
problem.

184
00:05:38,718 --> 00:05:40,478
Cipherceval:
To get a full attack chain means

185
00:05:40,478 --> 00:05:41,997
Cipherceval:
that you can do multiple steps

186
00:05:41,997 --> 00:05:43,158
Cipherceval:
in stages.

187
00:05:43,158 --> 00:05:44,557
Cipherceval:
So here's where I give you the

188
00:05:44,557 --> 00:05:45,877
Cipherceval:
advice you already know is

189
00:05:45,877 --> 00:05:46,437
Cipherceval:
coming.

190
00:05:46,437 --> 00:05:47,358
Cipherceval:
Update your stuff.

191
00:05:47,358 --> 00:05:49,997
Cipherceval:
Seriously, a patch does you no
good if it's not installed.

192
00:05:49,997 --> 00:05:51,317
Cipherceval:
If you're running Windows in any

193
00:05:51,317 --> 00:05:53,317
Cipherceval:
capacity, personal, enterprise,

194
00:05:53,317 --> 00:05:54,677
Cipherceval:
server, get the patches

195
00:05:54,677 --> 00:05:55,317
Cipherceval:
deployed.

196
00:05:55,317 --> 00:05:56,278
Cipherceval:
Get them out there.

197
00:05:56,278 --> 00:05:59,317
Cipherceval:
Six actively exploited zero days
in one month is not something

198
00:05:59,317 --> 00:06:00,278
Cipherceval:
you sit on.

199
00:06:00,278 --> 00:06:01,637
Cipherceval:
Microsoft also started rolling

200
00:06:01,637 --> 00:06:03,117
Cipherceval:
out new Secure Boot certificates

201
00:06:03,117 --> 00:06:04,298
Cipherceval:
this month to replace the twenty

202
00:06:04,298 --> 00:06:06,437
Cipherceval:
eleven ones expiring in June, so

203
00:06:06,437 --> 00:06:07,478
Cipherceval:
that's another thing to keep on

204
00:06:07,478 --> 00:06:08,317
Cipherceval:
your radar.

205
00:06:08,637 --> 00:06:11,317
Cipherceval:
Now let's talk about something
that hits closer to home

206
00:06:11,317 --> 00:06:14,358
Cipherceval:
for a lot of us, especially if
you're a software developer.

207
00:06:14,358 --> 00:06:15,918
Cipherceval:
The Lazarus Group, that's North

208
00:06:15,918 --> 00:06:17,317
Cipherceval:
Korea's most prolific state

209
00:06:17,317 --> 00:06:19,478
Cipherceval:
sponsored hacking operation, or

210
00:06:19,478 --> 00:06:21,637
Cipherceval:
hacking entity, has been

211
00:06:21,637 --> 00:06:23,038
Cipherceval:
running a sophisticated fake

212
00:06:23,038 --> 00:06:24,358
Cipherceval:
recruiter campaign targeting

213
00:06:24,358 --> 00:06:25,637
Cipherceval:
JavaScript and Python

214
00:06:25,637 --> 00:06:26,718
Cipherceval:
developers.

215
00:06:26,718 --> 00:06:29,077
Cipherceval:
For my developers out there,
please be mindful.

216
00:06:29,077 --> 00:06:32,358
Cipherceval:
And they're doing it through npm
and PyPI, the package

217
00:06:32,358 --> 00:06:35,478
Cipherceval:
repositories that most of us use
every single day.

218
00:06:35,478 --> 00:06:36,677
Cipherceval:
To give context, for those who

219
00:06:36,677 --> 00:06:38,918
Cipherceval:
aren't developers, npm and PyPI

220
00:06:38,918 --> 00:06:40,798
Cipherceval:
are like app stores for code

221
00:06:40,798 --> 00:06:41,517
Cipherceval:
libraries.

222
00:06:41,517 --> 00:06:43,877
Cipherceval:
When developers build software,
they pull in packages from these

223
00:06:43,877 --> 00:06:46,358
Cipherceval:
repositories to avoid
reinventing the wheel.

224
00:06:46,358 --> 00:06:49,158
Cipherceval:
You trust that the code you're
downloading is legitimate, and

225
00:06:49,158 --> 00:06:52,237
Cipherceval:
that trust is exactly what the
Lazarus Group is exploiting.

226
00:06:52,237 --> 00:06:53,958
Cipherceval:
ReversingLabs published research

227
00:06:53,958 --> 00:06:55,418
Cipherceval:
on this campaign, which they've

228
00:06:55,418 --> 00:06:58,478
Cipherceval:
codenamed GraphAlgo after the

229
00:06:58,478 --> 00:06:59,677
Cipherceval:
first malicious package they

230
00:06:59,677 --> 00:06:59,958
Cipherceval:
found.

231
00:06:59,958 --> 00:07:02,677
Cipherceval:
It's been active since at least
May 2025.

232
00:07:02,677 --> 00:07:03,997
Cipherceval:
And here's how it works.

233
00:07:03,997 --> 00:07:05,117
Cipherceval:
The attacker creates fake

234
00:07:05,117 --> 00:07:07,197
Cipherceval:
companies in the blockchain and

235
00:07:07,197 --> 00:07:08,517
Cipherceval:
cryptocurrency space.

236
00:07:08,517 --> 00:07:10,867
Cipherceval:
One was called "Veltrix
Capital",

237
00:07:10,867 --> 00:07:12,848
Cipherceval:
complete with professional

238
00:07:12,848 --> 00:07:14,267
Cipherceval:
looking domains like

239
00:07:14,267 --> 00:07:17,127
Cipherceval:
veltrixcap[.]org and GitHub
organizations

240
00:07:17,127 --> 00:07:18,088
Cipherceval:
with legitimate looking

241
00:07:18,088 --> 00:07:19,208
Cipherceval:
projects. Then

242
00:07:19,208 --> 00:07:22,048
Cipherceval:
they approach developers on
LinkedIn, Facebook, and Reddit
with

243
00:07:22,048 --> 00:07:23,288
Cipherceval:
job offers. You're

244
00:07:23,288 --> 00:07:23,927
Cipherceval:
a developer. You

245
00:07:23,927 --> 00:07:26,447
Cipherceval:
get a message from what appears
to be a recruiter at a crypto

246
00:07:26,447 --> 00:07:27,567
Cipherceval:
trading firm. They

247
00:07:27,567 --> 00:07:29,567
Cipherceval:
want you to complete a coding
assessment. Makes

248
00:07:29,567 --> 00:07:30,947
Cipherceval:
sense right? Every

249
00:07:30,947 --> 00:07:32,367
Cipherceval:
developer doing anything,
anywhere

250
00:07:32,367 --> 00:07:33,767
Cipherceval:
usually does a coding
assessment.

251
00:07:33,767 --> 00:07:34,487
Cipherceval:
Now

252
00:07:34,487 --> 00:07:36,567
Cipherceval:
that is how the industry works.
But

253
00:07:36,567 --> 00:07:40,007
Cipherceval:
the project they send you to
clone and run contains a
malicious

254
00:07:40,007 --> 00:07:43,608
Cipherceval:
dependency hosted on npm or
PyPI. The

255
00:07:43,608 --> 00:07:47,408
Cipherceval:
moment you run npm install,
which every developer does
without

256
00:07:47,408 --> 00:07:49,288
Cipherceval:
thinking twice, it's just
something you do to make sure

257
00:07:49,288 --> 00:07:52,827
Cipherceval:
everything is installed and runs
the way you need it to be.
You've

258
00:07:52,827 --> 00:07:54,567
Cipherceval:
just installed a downloader

259
00:07:54,567 --> 00:07:56,208
Cipherceval:
for a remote access trojan.

260
00:07:56,208 --> 00:07:56,408
Cipherceval:
You've

261
00:07:56,408 --> 00:07:58,968
Cipherceval:
backdoored your own machine
using the same exact steps

262
00:07:58,968 --> 00:08:01,007
Cipherceval:
you would for legit stuff. And

263
00:08:01,007 --> 00:08:03,327
Cipherceval:
the patience here is remarkable.
One

264
00:08:03,327 --> 00:08:07,187
Cipherceval:
package called "bigmathutils"
racked up over ten

265
00:08:07,187 --> 00:08:11,048
Cipherceval:
thousand downloads as a
completely benign util library.
It

266
00:08:11,048 --> 00:08:13,567
Cipherceval:
wasn't until version 1.1.0 that

267
00:08:13,567 --> 00:08:15,648
Cipherceval:
the malicious payload was
introduced.

268
00:08:15,648 --> 00:08:15,947
Cipherceval:
Build

269
00:08:15,947 --> 00:08:19,447
Cipherceval:
up trust, build up download
counts, and then inject the

270
00:08:19,447 --> 00:08:22,387
Cipherceval:
poison. Right after the malicious
version was published, they

271
00:08:22,387 --> 00:08:24,927
Cipherceval:
deprecated the package to cover
their tracks. In

272
00:08:24,927 --> 00:08:27,648
Cipherceval:
total, researchers found 192
malicious

273
00:08:27,648 --> 00:08:29,367
Cipherceval:
packages connected to this

274
00:08:29,367 --> 00:08:30,487
Cipherceval:
campaign. The

275
00:08:30,487 --> 00:08:33,087
Cipherceval:
RAT they deployed is no joke
either. It

276
00:08:33,087 --> 00:08:36,888
Cipherceval:
can download and upload files,
listen to running processes,

277
00:08:36,888 --> 00:08:40,268
Cipherceval:
execute commands, create and
delete folders. Basically

278
00:08:40,268 --> 00:08:42,288
Cipherceval:
full remote control of your
system. The

279
00:08:42,288 --> 00:08:43,847
Cipherceval:
command and control
communication

280
00:08:43,847 --> 00:08:45,168
Cipherceval:
is protected by a token

281
00:08:45,168 --> 00:08:46,768
Cipherceval:
based mechanism, meaning only

282
00:08:46,768 --> 00:08:48,327
Cipherceval:
requests with a valid token are

283
00:08:48,327 --> 00:08:49,368
Cipherceval:
accepted. That's

284
00:08:49,368 --> 00:08:51,967
Cipherceval:
a level of sophistication that
tells you this is not some
script

285
00:08:51,967 --> 00:08:53,408
Cipherceval:
kiddie operation. It's

286
00:08:53,408 --> 00:08:56,087
Cipherceval:
not just something randomly
listening for commands. They

287
00:08:56,087 --> 00:08:59,748
Cipherceval:
have a full auth mechanism built
in. Now

288
00:08:59,748 --> 00:09:03,207
Cipherceval:
the attribution to the Lazarus
Group is assessed at medium

289
00:09:03,207 --> 00:09:06,477
Cipherceval:
to high confidence based on
consistent patterns: fake

290
00:09:06,477 --> 00:09:07,317
Cipherceval:
job interviews as

291
00:09:07,317 --> 00:09:09,057
Cipherceval:
the initial vector,
cryptocurrency

292
00:09:09,057 --> 00:09:10,918
Cipherceval:
focused lures, multi-stage

293
00:09:10,918 --> 00:09:12,437
Cipherceval:
encrypted malware, delayed

294
00:09:12,437 --> 00:09:13,798
Cipherceval:
activation of malicious package

295
00:09:13,798 --> 00:09:15,677
Cipherceval:
versions, and this is a nice

296
00:09:15,677 --> 00:09:17,557
Cipherceval:
detail, Git commit timestamps

297
00:09:17,557 --> 00:09:20,298
Cipherceval:
aligned with GMT+9,

298
00:09:20,298 --> 00:09:22,217
Cipherceval:
also known as North Korea's time

299
00:09:22,217 --> 00:09:22,758
Cipherceval:
zone. The

300
00:09:22,758 --> 00:09:24,038
Cipherceval:
reason this matters to you is

301
00:09:24,038 --> 00:09:25,677
Cipherceval:
that North Korea is not a
profitable

302
00:09:25,677 --> 00:09:26,638
Cipherceval:
country. They

303
00:09:26,638 --> 00:09:30,278
Cipherceval:
need money to fund their state
operations and cybercrime,
especially

304
00:09:30,278 --> 00:09:31,837
Cipherceval:
cryptocurrency theft. It's

305
00:09:31,837 --> 00:09:34,197
Cipherceval:
one of their major revenue
sources. This

306
00:09:34,197 --> 00:09:35,898
Cipherceval:
is a nation state treating your

307
00:09:35,898 --> 00:09:38,317
Cipherceval:
npm install as an attack
surface.

308
00:09:38,317 --> 00:09:38,518
Cipherceval:
If

309
00:09:38,518 --> 00:09:41,857
Cipherceval:
you're a developer and you've
installed any unfamiliar
packages

310
00:09:41,857 --> 00:09:44,557
Cipherceval:
as part of a coding challenge or
job assessment in the

311
00:09:44,557 --> 00:09:48,118
Cipherceval:
last year, ReversingLabs
recommends rotating all tokens
and

312
00:09:48,118 --> 00:09:52,018
Cipherceval:
passwords and, honestly, considering
a full OS reinstall. The

313
00:09:52,018 --> 00:09:53,998
Cipherceval:
IOCs are in the report, and for

314
00:09:53,998 --> 00:09:55,918
Cipherceval:
everyone, just be extremely
cautious

315
00:09:55,918 --> 00:09:57,477
Cipherceval:
about running code from
strangers.

316
00:09:57,477 --> 00:09:57,758
Cipherceval:
Even

317
00:09:57,758 --> 00:09:58,878
Cipherceval:
if it looks like a legitimate

318
00:09:58,878 --> 00:10:00,197
Cipherceval:
job assessment, you should

319
00:10:00,197 --> 00:10:01,477
Cipherceval:
be cautious of anything and

320
00:10:01,477 --> 00:10:02,278
Cipherceval:
everything.

321
00:10:02,077 --> 00:10:04,878
Cipherceval:
Staying on the nation state
theme for a moment, because this

322
00:10:04,878 --> 00:10:07,158
Cipherceval:
next story ties in perfectly.

323
00:10:07,158 --> 00:10:11,278
Cipherceval:
Google's Threat Intelligence
Group, GTIG, published a report

324
00:10:11,278 --> 00:10:14,038
Cipherceval:
on February twelfth confirming
what a lot of us in the security

325
00:10:14,038 --> 00:10:15,477
Cipherceval:
space have been worried about.

326
00:10:15,477 --> 00:10:16,957
Cipherceval:
State backed hackers from North

327
00:10:16,957 --> 00:10:19,357
Cipherceval:
Korea, Iran, China and Russia

328
00:10:19,357 --> 00:10:20,998
Cipherceval:
are actively using Google's

329
00:10:20,998 --> 00:10:22,918
Cipherceval:
Gemini AI to accelerate their

330
00:10:22,918 --> 00:10:24,717
Cipherceval:
cyber operations.

331
00:10:24,717 --> 00:10:25,957
Cipherceval:
It's something we're seeing.

332
00:10:25,957 --> 00:10:27,957
Cipherceval:
Okay, so before we jump in, let

333
00:10:27,957 --> 00:10:29,638
Cipherceval:
me give some context on why this

334
00:10:29,638 --> 00:10:30,638
Cipherceval:
is significant.

335
00:10:30,638 --> 00:10:32,118
Cipherceval:
Generative AI models like

336
00:10:32,118 --> 00:10:34,118
Cipherceval:
Gemini, ChatGPT, Claude, and

337
00:10:34,118 --> 00:10:35,597
Cipherceval:
others are incredibly powerful

338
00:10:35,597 --> 00:10:37,118
Cipherceval:
tools for research, coding, and

339
00:10:37,118 --> 00:10:38,038
Cipherceval:
analysis.

340
00:10:38,038 --> 00:10:39,878
Cipherceval:
But those same capabilities make

341
00:10:39,878 --> 00:10:41,118
Cipherceval:
them force multipliers for

342
00:10:41,118 --> 00:10:41,998
Cipherceval:
threat actors.

343
00:10:41,998 --> 00:10:44,878
Cipherceval:
You don't need to spend weeks
manually profiling a target when

344
00:10:44,878 --> 00:10:49,398
Cipherceval:
you can have AI-synthesized
open source intel in minutes.

345
00:10:49,398 --> 00:10:50,597
Cipherceval:
The headliner here is North

346
00:10:50,597 --> 00:10:54,158
Cipherceval:
Korea's UNC2970, which overlaps

347
00:10:54,158 --> 00:10:56,077
Cipherceval:
with, you guessed it, Lazarus

348
00:10:56,077 --> 00:10:56,878
Cipherceval:
Group.

349
00:10:56,878 --> 00:10:58,918
Cipherceval:
The same crew we just talked
about.

350
00:10:58,918 --> 00:11:00,317
Cipherceval:
So Google observed them using

351
00:11:00,317 --> 00:11:02,557
Cipherceval:
Gemini to synthesize OSINT, or

352
00:11:02,557 --> 00:11:04,158
Cipherceval:
open source intelligence, and

353
00:11:04,158 --> 00:11:06,048
Cipherceval:
profile high value targets in

354
00:11:06,048 --> 00:11:07,467
Cipherceval:
the defence and cybersecurity

355
00:11:07,467 --> 00:11:08,207
Cipherceval:
sectors.

356
00:11:08,207 --> 00:11:10,447
Cipherceval:
They were searching for
information on major

357
00:11:10,447 --> 00:11:13,187
Cipherceval:
cybersecurity and defence
companies, mapping specific

358
00:11:13,187 --> 00:11:16,888
Cipherceval:
technical job roles and
gathering salary information.

359
00:11:16,888 --> 00:11:18,488
Cipherceval:
Why salary information?

360
00:11:18,488 --> 00:11:19,227
Cipherceval:
Because if you're going to

361
00:11:19,227 --> 00:11:20,528
Cipherceval:
impersonate a recruiter offering

362
00:11:20,528 --> 00:11:21,807
Cipherceval:
a software engineer at a defence

363
00:11:21,807 --> 00:11:23,648
Cipherceval:
contractor a new position, you

364
00:11:23,648 --> 00:11:24,807
Cipherceval:
need to know what a realistic

365
00:11:24,807 --> 00:11:25,847
Cipherceval:
offer looks like to make the

366
00:11:25,847 --> 00:11:26,888
Cipherceval:
lure convincing.

367
00:11:26,888 --> 00:11:30,368
Cipherceval:
That's Operation Dream Job, the
same campaign now supercharged

368
00:11:30,368 --> 00:11:31,847
Cipherceval:
with AI near you.

369
00:11:31,847 --> 00:11:33,168
Cipherceval:
I know it's just.

370
00:11:33,168 --> 00:11:34,408
Cipherceval:
What the heck?

371
00:11:34,408 --> 00:11:37,388
Cipherceval:
So Iran's APT42 is using Gemini

372
00:11:37,388 --> 00:11:39,008
Cipherceval:
for social engineering, creating

373
00:11:39,008 --> 00:11:39,967
Cipherceval:
official looking email

374
00:11:39,967 --> 00:11:41,727
Cipherceval:
addresses, researching targets,

375
00:11:41,727 --> 00:11:43,288
Cipherceval:
and crafting personas with

376
00:11:43,288 --> 00:11:44,528
Cipherceval:
natural native sounding

377
00:11:44,528 --> 00:11:45,288
Cipherceval:
language.

378
00:11:45,288 --> 00:11:46,607
Cipherceval:
This is a big deal because one

379
00:11:46,607 --> 00:11:47,648
Cipherceval:
of the classic tells for

380
00:11:47,648 --> 00:11:49,368
Cipherceval:
phishing has always been

381
00:11:49,368 --> 00:11:49,807
Cipherceval:
awkward

382
00:11:49,807 --> 00:11:51,768
Cipherceval:
grammar and syntax.

383
00:11:51,768 --> 00:11:54,807
Cipherceval:
AI eliminates that red flag and
pretty well most of the time.

384
00:11:54,807 --> 00:11:57,207
Cipherceval:
Now, China's Mustang Panda used

385
00:11:57,207 --> 00:11:59,268
Cipherceval:
it to compile dossiers on

386
00:11:59,268 --> 00:12:00,707
Cipherceval:
individuals in Pakistan and

387
00:12:00,707 --> 00:12:02,028
Cipherceval:
gather data on separatist

388
00:12:02,028 --> 00:12:03,107
Cipherceval:
organizations.

389
00:12:03,107 --> 00:12:05,908
Cipherceval:
Russia's UNC795 used it for

390
00:12:05,908 --> 00:12:07,268
Cipherceval:
technical troubleshooting and

391
00:12:07,268 --> 00:12:08,707
Cipherceval:
building web based attack

392
00:12:08,707 --> 00:12:09,947
Cipherceval:
infrastructure.

393
00:12:09,947 --> 00:12:11,187
Cipherceval:
I mean, that's pretty much what

394
00:12:11,187 --> 00:12:12,347
Cipherceval:
private individual developers

395
00:12:12,347 --> 00:12:12,947
Cipherceval:
would do.

396
00:12:12,947 --> 00:12:16,388
Cipherceval:
You're using AI as a way to
amplify your output.

397
00:12:16,388 --> 00:12:18,668
Cipherceval:
Yeah, some people are vibe coding
and they don't know what they're

398
00:12:18,668 --> 00:12:20,827
Cipherceval:
doing, but you also have
legitimate developers and

399
00:12:20,827 --> 00:12:23,268
Cipherceval:
software engineers who can read
and debug where it's like, cool.

400
00:12:23,268 --> 00:12:26,668
Cipherceval:
You use it as a way to just 10x
your output.

401
00:12:26,668 --> 00:12:29,827
Cipherceval:
So here's where it gets really
interesting.

402
00:12:29,827 --> 00:12:33,508
Cipherceval:
Google also identified a new
malware called HONESTCUE that

403
00:12:33,508 --> 00:12:37,467
Cipherceval:
actually uses Gemini's API as
part of its attack chain.

404
00:12:37,467 --> 00:12:40,847
Cipherceval:
It's a downloader that sends
prompts to Gemini and receives

405
00:12:40,847 --> 00:12:44,187
Cipherceval:
C# (C Sharp) source code as
responses, then compiles and

406
00:12:44,187 --> 00:12:48,388
Cipherceval:
executes that directly in
memory, leaving no file on disk.

407
00:12:48,388 --> 00:12:50,347
Cipherceval:
I want you to think about that
for a second.

408
00:12:50,347 --> 00:12:52,327
Cipherceval:
The malware is using the AI to

409
00:12:52,327 --> 00:12:54,028
Cipherceval:
write its own payload on the

410
00:12:54,028 --> 00:12:54,908
Cipherceval:
fly.

411
00:12:54,908 --> 00:12:59,837
Cipherceval:
That's fileless polymorphic and
AI generated all in one package.

412
00:12:59,837 --> 00:13:02,077
Cipherceval:
This is just like some next
level stuff.

413
00:13:02,077 --> 00:13:05,158
Cipherceval:
This is where there's a bunch of
red alerts going off in my head.

414
00:13:05,158 --> 00:13:07,918
Cipherceval:
And they also found something
else: a phishing kit called

415
00:13:07,918 --> 00:13:11,798
Cipherceval:
COINBAIT that impersonates a
major cryptocurrency exchange.

416
00:13:11,798 --> 00:13:14,878
Cipherceval:
And the kit itself was built
using an AI coding platform

417
00:13:14,878 --> 00:13:16,638
Cipherceval:
called Lovable AI.

418
00:13:16,638 --> 00:13:20,158
Cipherceval:
So we've got AI being used for
recon, social engineering, code

419
00:13:20,158 --> 00:13:23,798
Cipherceval:
generation, and now the actual
construction of attack tools.

420
00:13:23,798 --> 00:13:25,337
Cipherceval:
The last one doesn't surprise me

421
00:13:25,337 --> 00:13:26,457
Cipherceval:
as much as you would think,

422
00:13:26,457 --> 00:13:27,778
Cipherceval:
because we're already seeing

423
00:13:27,778 --> 00:13:29,138
Cipherceval:
developers using AI to build

424
00:13:29,138 --> 00:13:29,697
Cipherceval:
stuff.

425
00:13:29,697 --> 00:13:31,138
Cipherceval:
So malicious developers using it

426
00:13:31,138 --> 00:13:32,437
Cipherceval:
to build malicious stuff kind of

427
00:13:32,437 --> 00:13:33,418
Cipherceval:
makes sense.

428
00:13:33,418 --> 00:13:35,538
Cipherceval:
Now, Google also detected and

429
00:13:35,538 --> 00:13:37,618
Cipherceval:
blocked model extraction attacks

430
00:13:37,618 --> 00:13:38,977
Cipherceval:
that attempt to clone Gemini's

431
00:13:38,977 --> 00:13:40,577
Cipherceval:
reasoning abilities from private

432
00:13:40,577 --> 00:13:42,357
Cipherceval:
sector entities and researchers

433
00:13:42,357 --> 00:13:43,418
Cipherceval:
globally.

434
00:13:43,418 --> 00:13:46,778
Cipherceval:
And model extraction is where
you're doing kind of what the

435
00:13:46,778 --> 00:13:47,778
Cipherceval:
attack sounds like.

436
00:13:47,778 --> 00:13:49,738
Cipherceval:
You're using the AI and the

437
00:13:49,738 --> 00:13:52,697
Cipherceval:
model to train another AI model,

438
00:13:52,697 --> 00:13:53,738
Cipherceval:
so you can pull all the

439
00:13:53,738 --> 00:13:55,498
Cipherceval:
information it has without

440
00:13:55,498 --> 00:13:57,238
Cipherceval:
having to do every, like, all

441
00:13:57,238 --> 00:13:58,498
Cipherceval:
the legwork that you would have

442
00:13:58,498 --> 00:14:00,738
Cipherceval:
needed to create the AI from the

443
00:14:00,738 --> 00:14:01,937
Cipherceval:
bottom up.

444
00:14:01,937 --> 00:14:05,357
Cipherceval:
Now, the takeaway here is that
AI is becoming an integral part

445
00:14:05,357 --> 00:14:06,638
Cipherceval:
of the threat landscape.

446
00:14:06,638 --> 00:14:08,357
Cipherceval:
It's not hypothetical anymore.

447
00:14:08,357 --> 00:14:12,118
Cipherceval:
The defenders are using AI and
the attackers are using AI.

448
00:14:12,118 --> 00:14:14,477
Cipherceval:
And the question is who adapts
faster?

449
00:14:14,477 --> 00:14:17,378
Cipherceval:
We're cat and mouse amplified
with AI, essentially.

450
00:14:17,378 --> 00:14:19,118
Cipherceval:
For organizations, this means

451
00:14:19,118 --> 00:14:20,077
Cipherceval:
your phishing awareness

452
00:14:20,077 --> 00:14:21,077
Cipherceval:
training needs to account for

453
00:14:21,077 --> 00:14:22,418
Cipherceval:
the fact that phishing emails

454
00:14:22,418 --> 00:14:23,638
Cipherceval:
are going to look a lot more

455
00:14:23,638 --> 00:14:25,677
Cipherceval:
polished going forward, and have

456
00:14:25,677 --> 00:14:27,498
Cipherceval:
a lot more realistic aspects to

457
00:14:27,498 --> 00:14:28,077
Cipherceval:
them.

458
00:14:28,077 --> 00:14:31,038
Cipherceval:
Now that bad grammar red flag,
it's disappearing.

459
00:14:31,038 --> 00:14:32,597
Cipherceval:
Focus on verifying requests

460
00:14:32,597 --> 00:14:34,077
Cipherceval:
through out-of-band channels and

461
00:14:34,077 --> 00:14:36,158
Cipherceval:
maintaining healthy skepticism

462
00:14:36,158 --> 00:14:38,597
Cipherceval:
even when comms look perfectly

463
00:14:38,597 --> 00:14:39,477
Cipherceval:
legitimate.

464
00:14:39,477 --> 00:14:40,878
Cipherceval:
You should always do essentially

465
00:14:40,878 --> 00:14:42,638
Cipherceval:
two factor authentication of

466
00:14:42,638 --> 00:14:42,898
Cipherceval:
sorts.

467
00:14:42,898 --> 00:14:44,898
Cipherceval:
If you get a text claiming to be

468
00:14:44,898 --> 00:14:46,418
Cipherceval:
your boss, shoot them a Teams

469
00:14:46,418 --> 00:14:48,298
Cipherceval:
message, shoot them a Slack

470
00:14:48,298 --> 00:14:49,018
Cipherceval:
message.

471
00:14:49,018 --> 00:14:52,677
Cipherceval:
Hit them up directly via email
somewhere that you are

472
00:14:52,677 --> 00:14:55,298
Cipherceval:
contacting at a known thing.

473
00:14:55,298 --> 00:14:57,857
Cipherceval:
Now that's just what we're
seeing right now.

474
00:14:57,857 --> 00:15:00,258
Cipherceval:
And granted, there might be some
other mitigations that come out

475
00:15:00,258 --> 00:15:02,937
Cipherceval:
later, but that's what's going
on right now and the

476
00:15:02,937 --> 00:15:05,097
Cipherceval:
recommendations that I can give.

477
00:15:05,817 --> 00:15:08,217
Cipherceval:
Okay. So moving on to our next
story.

478
00:15:08,217 --> 00:15:12,357
Cipherceval:
And this is a big data breach
coming out of the Netherlands,

479
00:15:12,357 --> 00:15:15,298
Cipherceval:
Odido, which is the largest
mobile network operator in the

480
00:15:15,298 --> 00:15:18,977
Cipherceval:
Netherlands, formerly known as
T-Mobile Netherlands, confirmed

481
00:15:18,977 --> 00:15:22,258
Cipherceval:
on February twelfth that hackers
breached their customer contact

482
00:15:22,258 --> 00:15:25,577
Cipherceval:
system and stole personal data
affecting approximately six

483
00:15:25,577 --> 00:15:27,097
Cipherceval:
point two million people.

484
00:15:27,097 --> 00:15:28,857
Cipherceval:
To put that into perspective,

485
00:15:28,857 --> 00:15:30,378
Cipherceval:
the Netherlands has a population

486
00:15:30,378 --> 00:15:32,118
Cipherceval:
of about seventeen and a half

487
00:15:32,118 --> 00:15:34,097
Cipherceval:
million, so the breach impacted

488
00:15:34,097 --> 00:15:35,258
Cipherceval:
about a third of the entire

489
00:15:35,258 --> 00:15:35,778
Cipherceval:
country.

490
00:15:35,778 --> 00:15:37,018
Cipherceval:
It's pretty big.

491
00:15:37,018 --> 00:15:41,738
Cipherceval:
Now, to give context, Odido was
formed in 2023 when T-Mobile

492
00:15:41,738 --> 00:15:45,618
Cipherceval:
Netherlands rebranded after
merging with Tele2 Netherlands.

493
00:15:45,618 --> 00:15:49,618
Cipherceval:
They offer mobile broadband and
TV services and the breach also

494
00:15:49,618 --> 00:15:54,097
Cipherceval:
affected customers of their
subsidiary Ben Just Ben.

495
00:15:54,097 --> 00:15:56,618
Cipherceval:
The company first detected signs
of the breach over the weekend

496
00:15:56,618 --> 00:15:58,898
Cipherceval:
of February seventh and eighth.

497
00:15:58,898 --> 00:16:02,097
Cipherceval:
Now here's what was stolen and
where it gets concerning.

498
00:16:02,097 --> 00:16:04,057
Cipherceval:
The attackers got names, home

499
00:16:04,057 --> 00:16:05,577
Cipherceval:
addresses, email addresses,

500
00:16:05,577 --> 00:16:07,577
Cipherceval:
phone numbers, dates of birth,

501
00:16:07,577 --> 00:16:09,158
Cipherceval:
customer account numbers, bank

502
00:16:09,158 --> 00:16:12,018
Cipherceval:
account numbers, IBANs and this

503
00:16:12,018 --> 00:16:13,258
Cipherceval:
is one that really jumps out,

504
00:16:13,258 --> 00:16:15,337
Cipherceval:
passport or driver's license

505
00:16:15,337 --> 00:16:16,878
Cipherceval:
numbers, including the validity

506
00:16:16,878 --> 00:16:17,577
Cipherceval:
dates.

507
00:16:17,577 --> 00:16:20,998
Cipherceval:
That combination is, as one
Dutch ethical hacker put it,

508
00:16:20,998 --> 00:16:23,097
Cipherceval:
worth gold to criminals.

509
00:16:23,097 --> 00:16:24,337
Cipherceval:
It's everything you need for

510
00:16:24,337 --> 00:16:25,758
Cipherceval:
highly convincing identity

511
00:16:25,758 --> 00:16:27,778
Cipherceval:
fraud, spear phishing or social

512
00:16:27,778 --> 00:16:28,778
Cipherceval:
engineering attacks.

513
00:16:28,778 --> 00:16:31,697
Cipherceval:
You got everything you need to
build profiles on whoever you

514
00:16:31,697 --> 00:16:32,498
Cipherceval:
want to attack.

515
00:16:32,498 --> 00:16:33,898
Cipherceval:
It's insane.

516
00:16:33,898 --> 00:16:37,298
Cipherceval:
Now, Odido emphasized that no
passwords, call records, billing

517
00:16:37,298 --> 00:16:41,097
Cipherceval:
data, or scans of the actual ID
documents were compromised.

518
00:16:41,097 --> 00:16:42,857
Cipherceval:
But you have enough of the
information.

519
00:16:42,857 --> 00:16:45,398
Cipherceval:
You don't necessarily need the
image of it.

520
00:16:45,398 --> 00:16:47,817
Cipherceval:
Now their operational
services.

521
00:16:47,817 --> 00:16:50,538
Cipherceval:
Calling, internet and TV were
unaffected.

522
00:16:50,538 --> 00:16:53,798
Cipherceval:
But that's cold comfort when
your IBAN and passport number

523
00:16:53,798 --> 00:16:56,217
Cipherceval:
are in someone else's hands.

524
00:16:56,217 --> 00:16:57,378
Cipherceval:
The attackers apparently

525
00:16:57,378 --> 00:16:59,097
Cipherceval:
contacted Odido directly to say

526
00:16:59,097 --> 00:17:00,258
Cipherceval:
they had stolen millions of

527
00:17:00,258 --> 00:17:01,857
Cipherceval:
records, though no group has

528
00:17:01,857 --> 00:17:03,498
Cipherceval:
publicly claimed the attack and

529
00:17:03,498 --> 00:17:05,298
Cipherceval:
no data has surfaced on dark web

530
00:17:05,298 --> 00:17:06,377
Cipherceval:
forums yet.

531
00:17:06,377 --> 00:17:08,057
Cipherceval:
As of the latest reports, the

532
00:17:08,057 --> 00:17:09,038
Cipherceval:
company shut down the

533
00:17:09,038 --> 00:17:10,978
Cipherceval:
unauthorized access, brought in

534
00:17:10,978 --> 00:17:12,617
Cipherceval:
external cybersecurity experts

535
00:17:12,617 --> 00:17:14,097
Cipherceval:
and reported to the Dutch Data

536
00:17:14,097 --> 00:17:15,778
Cipherceval:
Protection Authority.

537
00:17:15,778 --> 00:17:19,018
Cipherceval:
Now, this story is part of a
larger pattern we are seeing.

538
00:17:19,018 --> 00:17:21,897
Cipherceval:
Telecom companies are prime
targets because they aggregate

539
00:17:21,897 --> 00:17:25,018
Cipherceval:
massive amounts of personal data
in centralized systems.

540
00:17:25,018 --> 00:17:26,853
Cipherceval:
We saw Salt Typhoon compromise

541
00:17:26,853 --> 00:17:28,647
Cipherceval:
hundreds of telecoms globally

542
00:17:28,647 --> 00:17:29,688
Cipherceval:
for espionage.

543
00:17:29,688 --> 00:17:31,968
Cipherceval:
SK Telecom in South Korea saw a

544
00:17:31,968 --> 00:17:33,528
Cipherceval:
ninety percent drop in operating

545
00:17:33,528 --> 00:17:35,048
Cipherceval:
profit from breach related

546
00:17:35,048 --> 00:17:36,087
Cipherceval:
costs.

547
00:17:36,087 --> 00:17:40,488
Cipherceval:
French regulators fined free
SaaS forty two million euros.

548
00:17:40,488 --> 00:17:41,887
Cipherceval:
The message here is that if

549
00:17:41,887 --> 00:17:43,708
Cipherceval:
you're an Odido or Ben customer,

550
00:17:43,708 --> 00:17:44,968
Cipherceval:
be prepared for targeted

551
00:17:44,968 --> 00:17:46,448
Cipherceval:
phishing attempts that use your

552
00:17:46,448 --> 00:17:47,907
Cipherceval:
real personal details to look

553
00:17:47,907 --> 00:17:48,768
Cipherceval:
legit.

554
00:17:48,768 --> 00:17:50,728
Cipherceval:
Now, verify any comms that you

555
00:17:50,728 --> 00:17:52,167
Cipherceval:
get through official channels,

556
00:17:52,167 --> 00:17:53,807
Cipherceval:
and be especially wary of anyone

557
00:17:53,807 --> 00:17:55,807
Cipherceval:
claiming to be from your bank or

558
00:17:55,807 --> 00:17:57,387
Cipherceval:
telecom asking you to take on

559
00:17:57,387 --> 00:17:58,567
Cipherceval:
urgent action.

560
00:17:58,567 --> 00:17:59,887
Cipherceval:
If they say it's urgent, if they

561
00:17:59,887 --> 00:18:00,887
Cipherceval:
say you gotta do this, like

562
00:18:00,887 --> 00:18:02,647
Cipherceval:
right now, there's still a lot

563
00:18:02,647 --> 00:18:04,988
Cipherceval:
of flags that you can use as

564
00:18:04,988 --> 00:18:06,948
Cipherceval:
like your little radar or your

565
00:18:06,948 --> 00:18:08,008
Cipherceval:
threat detector.

566
00:18:08,008 --> 00:18:10,387
Cipherceval:
If they want you to do something
right now or everything's going

567
00:18:10,387 --> 00:18:11,327
Cipherceval:
to go horrible.

568
00:18:11,327 --> 00:18:14,268
Cipherceval:
If there's ever like a "if you
don't verify this, you're going

569
00:18:14,268 --> 00:18:15,327
Cipherceval:
to go to jail."

570
00:18:15,327 --> 00:18:17,928
Cipherceval:
Those are just examples of red
flags.

571
00:18:17,928 --> 00:18:20,528
Cipherceval:
You ultimately have to be
skeptical and always try to

572
00:18:20,528 --> 00:18:23,768
Cipherceval:
verify things outside of
wherever you were contacted.

573
00:18:23,768 --> 00:18:24,847
Cipherceval:
Look for official channels.

574
00:18:24,847 --> 00:18:26,728
Cipherceval:
Look for an official way to get
ahold of it.

575
00:18:26,728 --> 00:18:28,008
Cipherceval:
If you have anywhere that you

576
00:18:28,008 --> 00:18:30,667
Cipherceval:
can go in store to just get some

577
00:18:30,667 --> 00:18:32,887
Cipherceval:
kind of second authentication or

578
00:18:32,887 --> 00:18:34,748
Cipherceval:
some kind of second verification

579
00:18:34,748 --> 00:18:36,347
Cipherceval:
on whatever you're doing before

580
00:18:36,347 --> 00:18:37,867
Cipherceval:
you just give away anything

581
00:18:37,867 --> 00:18:38,587
Cipherceval:
else.

582
00:18:38,387 --> 00:18:41,228
Cipherceval:
Okay, so our last story this
week.

583
00:18:41,228 --> 00:18:45,307
Cipherceval:
And it's one of those situations
where a breach that was already

584
00:18:45,307 --> 00:18:47,188
Cipherceval:
bad just got a lot worse.

585
00:18:47,188 --> 00:18:50,948
Cipheceval:
Government technology giant
Conduent, a company that

586
00:18:50,948 --> 00:18:53,748
Cipheceval:
provides IT services to
government agencies across the

587
00:18:53,748 --> 00:18:58,988
Cipheceval:
US, just suffered a ransomware
attack back in January 2025, and

588
00:18:58,988 --> 00:19:01,708
Cipheceval:
it knocked out their operations
for several days.

589
00:19:01,708 --> 00:19:05,508
Cipheceval:
At the time, they disclosed it
that it affected about four

590
00:19:05,508 --> 00:19:07,587
Cipheceval:
million people in Texas.

591
00:19:07,587 --> 00:19:09,228
Cipheceval:
Well, TechCrunch reported on

592
00:19:09,228 --> 00:19:11,188
Cipheceval:
February 5th that the actual

593
00:19:11,188 --> 00:19:13,307
Cipherceval:
number in Texas alone is now at

594
00:19:13,307 --> 00:19:15,748
Cipheceval:
15.4 million.

595
00:19:15,748 --> 00:19:17,948
Cipheceval:
That's half of the state's
population.

596
00:19:17,948 --> 00:19:21,428
Cipheceval:
And another 10.5 million people
are affected in Oregon.

597
00:19:21,428 --> 00:19:23,887
Cipheceval:
And notifications have been
going out to hundreds of

598
00:19:23,887 --> 00:19:28,228
Cipheceval:
thousands more in Delaware and
Massachusetts and New Hampshire

599
00:19:28,228 --> 00:19:29,587
Cipheceval:
and other states.

600
00:19:29,587 --> 00:19:32,667
Cipheceval:
The total number could stretch
into the tens of millions across

601
00:19:32,667 --> 00:19:34,708
Cipheceval:
the entire country.

602
00:19:34,708 --> 00:19:35,667
Cipheceval:
For those who may not be

603
00:19:35,667 --> 00:19:37,147
Cipheceval:
familiar with Conduent, they're

604
00:19:37,147 --> 00:19:38,188
Cipheceval:
one of those companies most

605
00:19:38,188 --> 00:19:40,347
Cipheceval:
people have never heard of, but

606
00:19:40,347 --> 00:19:41,428
Cipheceval:
that touches their lives

607
00:19:41,428 --> 00:19:42,867
Cipheceval:
significantly.

608
00:19:42,867 --> 00:19:44,137
Cipheceval:
They process government

609
00:19:44,137 --> 00:19:45,617
Cipheceval:
payments, handle benefits

610
00:19:45,617 --> 00:19:47,538
Cipheceval:
administration, manage toll

611
00:19:47,538 --> 00:19:49,337
Cipheceval:
collection systems, provide

612
00:19:49,337 --> 00:19:51,498
Cipheceval:
child support payment services,

613
00:19:51,498 --> 00:19:52,837
Cipheceval:
critical infrastructure,

614
00:19:52,837 --> 00:19:54,458
Cipheceval:
government stuff.

615
00:19:54,458 --> 00:19:56,657
Cipheceval:
Now the data stolen includes

616
00:19:56,657 --> 00:19:58,458
Cipheceval:
names, social security numbers,

617
00:19:58,458 --> 00:19:59,958
Cipheceval:
medical data and health

618
00:19:59,958 --> 00:20:01,998
Cipheceval:
insurance information that is

619
00:20:01,998 --> 00:20:03,738
Cipheceval:
deeply that is a deeply

620
00:20:03,738 --> 00:20:05,478
Cipheceval:
sensitive combination.

621
00:20:05,478 --> 00:20:08,557
Cipheceval:
The Safeway ransomware gang, not
to be confused with the grocery

622
00:20:08,557 --> 00:20:12,377
Cipheceval:
store, claimed responsibility,
saying they stole over 8

623
00:20:12,377 --> 00:20:13,998
Cipherceval:
terabytes of data.

624
00:20:13,998 --> 00:20:15,798
Cipheceval:
In an SEC filing, Conduent

625
00:20:15,798 --> 00:20:16,837
Cipheceval:
acknowledged that the stolen

626
00:20:16,837 --> 00:20:18,178
Cipheceval:
datasets contained a

627
00:20:18,178 --> 00:20:19,597
Cipheceval:
"significant number of

628
00:20:19,597 --> 00:20:20,758
Cipheceval:
individuals' personal

629
00:20:20,758 --> 00:20:22,718
Cipheceval:
information associated with our

630
00:20:22,718 --> 00:20:24,417
Cipheceval:
clients' end-users."

631
00:20:24,417 --> 00:20:25,837
Cipheceval:
Clients being the government

632
00:20:25,837 --> 00:20:27,438
Cipheceval:
agencies, end-users being

633
00:20:27,438 --> 00:20:28,877
Cipheceval:
everyday citizens who use

634
00:20:28,877 --> 00:20:30,678
Cipheceval:
government services.

635
00:20:30,678 --> 00:20:32,518
Cipherceval:
What makes this story
particularly frustrating?

636
00:20:32,518 --> 00:20:36,877
Cipherceval:
As a timeline, the attack
happened in January 2025. The
company

637
00:20:36,877 --> 00:20:40,998
Cipherceval:
originally said four million
affected and then over a year
later

638
00:20:40,998 --> 00:20:43,958
Cipherceval:
in February 2026, we're learning

639
00:20:43,958 --> 00:20:47,347
Cipherceval:
it's potentially ten times that
number. This is

640
00:20:47,347 --> 00:20:49,548
Cipherceval:
exactly the kind of slow drip
disclosure

641
00:20:49,548 --> 00:20:51,107
Cipherceval:
that erodes public trust.

642
00:20:51,107 --> 00:20:51,428
Cipherceval:
If your

643
00:20:51,428 --> 00:20:53,268
Cipherceval:
data was stolen in this breach,
you may

644
00:20:53,268 --> 00:20:55,867
Cipherceval:
not know about it for months
after the fact. The lesson

645
00:20:55,867 --> 00:20:57,948
Cipherceval:
here is twofold. First, if

646
00:20:57,948 --> 00:20:59,587
Cipherceval:
you interact with government
services

647
00:20:59,587 --> 00:21:00,887
Cipherceval:
and most of us do

648
00:21:00,887 --> 00:21:02,827
Cipherceval:
monitor your credit, freeze it

649
00:21:02,827 --> 00:21:04,548
Cipherceval:
if you can, and be vigilant for

650
00:21:04,548 --> 00:21:06,508
Cipherceval:
any unusual activity. Second,

651
00:21:06,508 --> 00:21:06,708
Cipherceval:
for

652
00:21:06,708 --> 00:21:10,948
Cipherceval:
organizations, nothing's
hack-proof, but your incident
response

653
00:21:10,948 --> 00:21:15,307
Cipherceval:
plan needs to be honest, timely,
and disclose everything that

654
00:21:15,307 --> 00:21:16,647
Cipherceval:
you know. The cover

655
00:21:16,647 --> 00:21:19,188
Cipherceval:
up is always worse than the
crime. You are

656
00:21:19,188 --> 00:21:21,627
Cipherceval:
just eroding trust. Now, the

657
00:21:21,627 --> 00:21:22,708
Cipherceval:
other thing to also keep in

658
00:21:22,708 --> 00:21:24,788
Cipherceval:
mind, with enough information,
as

659
00:21:24,788 --> 00:21:25,708
Cipherceval:
one of the previous stories

660
00:21:25,708 --> 00:21:27,167
Cipherceval:
that we just covered said,

661
00:21:27,167 --> 00:21:29,268
Cipherceval:
they can start building
profiles.

662
00:21:29,268 --> 00:21:29,508
Cipherceval:
So you

663
00:21:29,508 --> 00:21:32,147
Cipherceval:
should be cautious of anything
that's

664
00:21:32,147 --> 00:21:33,748
Cipherceval:
messaging you with urgency

665
00:21:33,748 --> 00:21:37,147
Cipherceval:
or any call, text or whatever.

666
00:21:37,147 --> 00:21:37,587
Cipherceval:
If it

667
00:21:37,587 --> 00:21:41,428
Cipherceval:
sounds urgent, be extremely
skeptical. Your data

668
00:21:41,428 --> 00:21:42,428
Cipherceval:
is out there. A lot

669
00:21:42,428 --> 00:21:46,508
Cipherceval:
of people's data is out there,
and the more that is getting
built

670
00:21:46,508 --> 00:21:49,028
Cipherceval:
up by attackers, the more
realistic things are going to

671
00:21:49,028 --> 00:21:50,208
Cipherceval:
sound. And AI

672
00:21:50,208 --> 00:21:52,008
Cipherceval:
lends to the credibility because
AI

673
00:21:52,008 --> 00:21:54,067
Cipherceval:
can make them sound more
legitimate

674
00:21:54,067 --> 00:21:55,387
Cipherceval:
than they actually are.

675
00:21:55,188 --> 00:21:58,268
Cipherceval:
Okay. So let's just kind of
recap things.

676
00:21:58,268 --> 00:22:01,647
Cipherceval:
Number one, patch like it's
urgent.

677
00:22:01,647 --> 00:22:04,048
Cipherceval:
Six actively exploited zero days

678
00:22:04,048 --> 00:22:05,887
Cipherceval:
in a single Patch Tuesday is an

679
00:22:05,887 --> 00:22:06,728
Cipherceval:
emergency.

680
00:22:06,728 --> 00:22:10,248
Cipherceval:
If you manage Windows systems in
any capacity, this can't wait.

681
00:22:10,248 --> 00:22:12,048
Cipherceval:
Update your stuff.

682
00:22:12,048 --> 00:22:15,688
Cipherceval:
Number two, your package manager
is an attack surface.

683
00:22:15,688 --> 00:22:17,728
Cipherceval:
Lazarus group is poisoning NPM

684
00:22:17,728 --> 00:22:19,728
Cipherceval:
and PyPI through fake job

685
00:22:19,728 --> 00:22:20,567
Cipherceval:
assessments.

686
00:22:20,567 --> 00:22:23,248
Cipherceval:
If a recruiter asks you to run
code as part of a hiring

687
00:22:23,248 --> 00:22:26,048
Cipherceval:
process, treat it with the same
caution you treat an email

688
00:22:26,048 --> 00:22:27,528
Cipherceval:
attachment from a stranger.

689
00:22:27,528 --> 00:22:28,647
Cipherceval:
Sandbox it.

690
00:22:28,647 --> 00:22:29,968
Cipherceval:
Audit the dependencies.

691
00:22:29,968 --> 00:22:32,488
Cipherceval:
Don't just blindly npm install.

692
00:22:32,488 --> 00:22:38,087
Cipherceval:
Now, number three, AI is a force
multiplier for good or bad.

693
00:22:38,087 --> 00:22:41,248
Cipherceval:
Nation state hackers are using
generative AI to craft better

694
00:22:41,248 --> 00:22:44,688
Cipherceval:
phishing lures, profile targets
faster, and even generate

695
00:22:44,688 --> 00:22:46,127
Cipherceval:
malware on the fly.

696
00:22:46,127 --> 00:22:48,688
Cipherceval:
Your security awareness training
needs to evolve.

697
00:22:48,688 --> 00:22:52,228
Cipherceval:
Bad grammar is no longer
a reliable phishing indicator.

698
00:22:52,228 --> 00:22:56,008
Cipherceval:
Number four, telecom data is a
goldmine.

699
00:22:56,008 --> 00:22:58,768
Cipherceval:
The Odido breach shows that
centralized customer contact

700
00:22:58,768 --> 00:23:01,327
Cipherceval:
systems are high value targets.

701
00:23:01,327 --> 00:23:03,928
Cipherceval:
If your provider is breached,
expect convincing social

702
00:23:03,928 --> 00:23:06,288
Cipherceval:
engineering attacks that use
your real data.

703
00:23:06,288 --> 00:23:07,407
Cipherceval:
Verify everything through

704
00:23:07,407 --> 00:23:09,347
Cipherceval:
official channels and always do

705
00:23:09,347 --> 00:23:11,028
Cipherceval:
a two factor style approach

706
00:23:11,028 --> 00:23:12,347
Cipherceval:
where just because you think

707
00:23:12,347 --> 00:23:14,228
Cipherceval:
something's real, you always go

708
00:23:14,228 --> 00:23:15,587
Cipherceval:
through your known channels,

709
00:23:15,587 --> 00:23:16,748
Cipherceval:
your official channels, through

710
00:23:16,748 --> 00:23:18,807
Cipherceval:
official websites that you know

711
00:23:18,807 --> 00:23:20,307
Cipherceval:
to actually verify what's going

712
00:23:20,307 --> 00:23:21,268
Cipherceval:
on.

713
00:23:21,268 --> 00:23:23,028
Cipherceval:
And number five, breach

714
00:23:23,028 --> 00:23:25,448
Cipherceval:
disclosures can be icebergs.

715
00:23:25,448 --> 00:23:27,407
Cipherceval:
Conduent went from four million

716
00:23:27,407 --> 00:23:29,048
Cipherceval:
to potentially tens of millions

717
00:23:29,048 --> 00:23:30,548
Cipherceval:
affected over the course of a

718
00:23:30,548 --> 00:23:31,387
Cipherceval:
year.

719
00:23:31,387 --> 00:23:33,347
Cipherceval:
Monitor your identity
proactively.

720
00:23:33,347 --> 00:23:34,827
Cipherceval:
Don't wait for a notification
letter.

721
00:23:34,827 --> 00:23:36,268
Cipherceval:
Keep an eye on your credit.

722
00:23:36,268 --> 00:23:38,107
Cipherceval:
Keep an eye on your accounts.

723
00:23:38,107 --> 00:23:39,508
Cipherceval:
The whole thing.

724
00:23:39,508 --> 00:23:41,228
Cipherceval:
And as always, remember security

725
00:23:41,228 --> 00:23:43,468
Cipherceval:
is a combination of person and

726
00:23:43,468 --> 00:23:44,147
Cipherceval:
tech.

727
00:23:44,147 --> 00:23:46,907
Cipherceval:
You can have the best firewall
in the world, but if someone

728
00:23:46,907 --> 00:23:49,387
Cipherceval:
clicks the wrong link, well,
none of that mattered.

729
00:23:49,387 --> 00:23:50,948
Cipherceval:
Stay informed, stay skeptical,

730
00:23:50,948 --> 00:23:52,147
Cipherceval:
and make it as hard as possible

731
00:23:52,147 --> 00:23:54,067
Cipherceval:
for attackers.

732
00:23:54,067 --> 00:23:57,508
Cipherceval:
Now that's going to do it for
this week's episode of HN, and I

733
00:23:57,508 --> 00:23:58,667
Cipherceval:
want to thank you for tuning in.

734
00:23:58,667 --> 00:24:01,428
Cipherceval:
Whether you're watching on
YouTube, listening on Spotify or

735
00:24:01,428 --> 00:24:04,907
Cipherceval:
Apple Podcast, or catching this
wherever you get your content.

736
00:24:04,907 --> 00:24:05,988
Cipherceval:
If you found value in this

737
00:24:05,988 --> 00:24:07,268
Cipherceval:
episode, please share it with

738
00:24:07,268 --> 00:24:08,548
Cipherceval:
someone who needs to hear it: a

739
00:24:08,548 --> 00:24:09,988
Cipherceval:
colleague, a friend, someone who

740
00:24:09,988 --> 00:24:11,228
Cipherceval:
still hasn't updated the Windows

741
00:24:11,228 --> 00:24:12,028
Cipherceval:
machine.

742
00:24:12,028 --> 00:24:13,508
Cipherceval:
We're all in this together.

743
00:24:13,508 --> 00:24:16,548
Cipherceval:
This has been your host,
Cipherceval, and I'll catch you

744
00:24:16,548 --> 00:24:17,627
Cipherceval:
in the next one.
