SANS Stormcast Tuesday, May 6th: Mirai Exploiting Samsung magicInfo 9; Kali Signing Key Lost;
https://isc.sans.edu/podcastdetail/9438
❤ Dogs | nice photos tagged as #LiamsSky
I'm based in Ireland, in a rural location in County Tipperary, close to Limerick City. I'm a cybersecurity trainer and consultant for micro, small and medium businesses and charities. I feel strongly about helping to protect these folk, as they typically don't have the resources that larger orgs can leverage. So I show them, in very simple terms, how they can easily and cheaply protect themselves and their organisations from the evil doers. I live to the maxim #SecuritySimplified as that is how I deliver the training and support.
Defensive Security Podcast Episode 305
In this episode, we discuss the Google Mandiant 2025 M-Trends report.
https://defensivesecurity.org/defensive-security-podcast-episode-305/
For the past year I’ve been working on a committee to produce a consensus report on Cyber Hard Problems for the National Academies of Science, Engineering and Medicine. The report, commissioned by the White House, is finally going to be released on May 15th, and you can join this public webinar to hear about it: https://www.nationalacademies.org/event/45017_05-2025_cyber-hard-problems-report-release-webinar
There are too many people to thank, from the NASEM staff to the committee members, subject matter experts who presented to us, and the anonymous reviewers (you know who you are, and now so do I 😉).
One of the points of exploitation of large orgs is they usually outsource their Service Desk to somewhere cheap offshore who don’t know the org staff, and when you call and say your name, they normally put a big all-caps bold red warning if the person is a VIP, e.g. C-suite, so they get VIP service - i.e. anything goes.
I’ve been using Recall for a few weeks now on my daily driver.
It scooped up my credit card statements after I logged into online banking - both screenshots (text indexed) of the PDFs, transaction history from the website, and my name, date of birth and security question reminders.
Sensitive filtering mode only kicked in when I viewed my card's CVV number.
Worth excluding bank websites from Recall’s options, if you see it enabled.
SANS Stormcast Monday, May 5th: Steganography Challenge; Microsoft Makes Passkeys Default and Moves Away from Authenticator as Password Manager; Magento Components Backdoored.
https://isc.sans.edu/podcastdetail/9436
If you're a fan of cyber news but don't know where to begin, my free newsletter ~ this week in security ~ is a weekly roundup of all the cyber news you need to know, plus the happy corner and a weekly featured cyber cat. No email open or link tracking.
Out Sundays. Sign up now to get this week's edition.
I wrote a piece about how paying ransoms does not equal quick restoration - in fact, quite often it makes things worse. https://doublepulsar.com/big-game-ransomware-the-myths-experts-tell-board-members-03d5e1d1c4b7
New by me - breaking down the attacks on UK high street retailers
I'm going to make this the new ongoing megathread for DragonForce Ransomware Cartel's attack on UK retailers as they're all connected.
Why it matters: these are some of the UK's largest retailers, think Target or some such in a US sense.
Prior threads
M&S: https://cyberplace.social/@GossiTheDog/114381946765071799
Co-op: https://cyberplace.social/@GossiTheDog/114426688834113446
Harrods: https://cyberplace.social/@GossiTheDog/114433519351165250
SANS Stormcast Thursday, May 1st: More Steganography; Malicious Python Packages GMail C2; BEC to Steal Rent Payments
https://isc.sans.edu/podcastdetail/9434
I would also draw UK cyber defenders' attention to review this document and strengthen MFA and their service desks.
In particular, high street brands visible in Greater London area.
https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider_0.pdf
Mastodon has taken the strategic decision not to accept venture capital investments for growth, but rather restructure to a European non-profit organisation. 👏
SANS Stormcast Thursday, May 1st: Sonicwall Attacks; Cached Windows RDP Credentials
https://isc.sans.edu/podcastdetail/9432
Two things about that -
You might look at 2341 orgs and think 'wow, that's more victims than all ransomware a year! how have I never heard of this group?'.
Answer: most groups don't have portals and don't list victims. They just extort SMBs. Ransomware is massively under reported. Threat intelligence has become scraping ransomware group portals, but a vast majority of victims aren't on them.
You might also think 'aren't all ransomware groups Russian?'.
Answer: Nope.
Thanks @faduda I was trying to place the tune.
If there's one thing I've learned about covering cybersecurity over the past decade or so, it's that the cybersecurity community (the fixers and breakers) and the cybersecurity industry (profits above all else) are two very, very different things.
SANS Stormcast Wednesday, April 30th: SMS Attacks; Apple Airplay Vulnerabilities
https://isc.sans.edu/podcastdetail/9430