Byer-Nichols Threat Brief for January 1-15 2026
Digital Rage

Season: 2

Published: January 20, 2026

By: Phish Tank Digital

The Byer-Nichols Threat Brief provides a comprehensive analysis of the cybersecurity landscape during the first half of January 2026. This report highlights a significant surge in ransomware activity, specifically noting that the group Qilin remains a dominant threat to the manufacturing sector. It details how modern attackers are increasingly utilizing double-extortion tactics and exploiting both contemporary software bugs and decades-old vulnerabilities. The document also tracks specific adversary groups and malware strains, such as VoidLink and Ripper, while identifying the United States as the primary geographical target for these incidents. Furthermore, the brief offers actionable advice for organizations, emphasizing the critical importance of firmware updates, network segmentation, and multi-factor authentication. Small businesses are particularly vulnerable during this period, accounting for over 80% of reported victims.

Episode Transcript

00:00:00 - 00:00:02
(upbeat music)
00:00:02 - 00:00:11
- I wanna start today with a date
00:00:11 - 00:00:14
that feels like it belongs in a history book,
00:00:14 - 00:00:17
not a modern tech report, 2009.
00:00:17 - 00:00:21
- 2009, I mean, that is practically the Stone Age in tech years.
00:00:21 - 00:00:21
- Right.
00:00:21 - 00:00:23
- The iPhone 3GS was the hot new thing,
00:00:23 - 00:00:26
Windows 7 hadn't even fully taken over yet.
00:00:26 - 00:00:28
- Exactly, a completely different world.
00:00:28 - 00:00:30
- So picture this.
00:00:30 - 00:00:32
We're sitting here in January, 2026.
00:00:32 - 00:00:34
We're talking about AI agents managing our calendars,
00:00:34 - 00:00:37
quantum resistant encryption is rolling out, and yet.
00:00:37 - 00:00:38
- And yet.
00:00:38 - 00:00:40
- On January 7th, just two weeks ago,
00:00:40 - 00:00:42
CISA adds a new entry to its known
00:00:42 - 00:00:44
exploited vulnerability catalog,
00:00:44 - 00:00:47
a Microsoft vulnerability from 2009.
00:00:47 - 00:00:48
- It just stops you in your tracks, doesn't it?
00:00:48 - 00:00:49
It's a zombie bug.
00:00:49 - 00:00:54
17 years later, CVE-2009-0556 is back from the dead
00:00:54 - 00:00:55
and it's actively biting people.
00:00:55 - 00:00:57
- It's like finding out your biometric smart home security
00:00:57 - 00:00:59
can be defeated by a rusty skeleton key
00:00:59 - 00:01:01
from the Victorian era.
00:01:01 - 00:01:04
And honestly, that bug, it sets the perfect stage
00:01:04 - 00:01:06
for the document we are tearing into today.
00:01:06 - 00:01:07
It really does.
00:01:07 - 00:01:10
We are doing a deep dive into the Byer-Nichols Threat Brief,
00:01:10 - 00:01:12
specifically looking at the data
00:01:12 - 00:01:15
from the first half of January, 2026.
00:01:15 - 00:01:18
And the authors, Jeremy Nichols and Jeff Remitt,
00:01:18 - 00:01:23
they've painted a picture that is, well,
00:01:23 - 00:01:25
chaotic feels like an understatement.
00:01:25 - 00:01:26
- It's a collision, really.
00:01:26 - 00:01:29
You have this ancient history like that 2009 bug
00:01:29 - 00:01:31
and it's colliding with tools that feel like
00:01:31 - 00:01:33
they're ripped right out of a cyberpunk novel.
00:01:33 - 00:01:34
- And that's the mission for this deep dive.
00:01:34 - 00:01:36
We need to unpack that collision.
00:01:36 - 00:01:38
It's not just about patching old stuff, you know?
00:01:38 - 00:01:41
It's about how the entire criminal business model
00:01:41 - 00:01:43
has shifted here in 2026.
00:01:43 - 00:01:44
- How so?
00:01:44 - 00:01:47
- We're seeing a total change in who is being targeted,
00:01:47 - 00:01:49
how money is being squeezed out of them,
00:01:49 - 00:01:51
and the specific weaponry, things like VoidLink
00:01:51 - 00:01:53
and Kimwolf, that are making it all happen.
00:01:53 - 00:01:55
- Okay, so let's start at the top, the leaderboard.
00:01:55 - 00:01:57
The bad guy Olympics.
00:01:57 - 00:01:59
Who's standing on the podium right now to kick off 2026?
00:01:59 - 00:02:02
- The gold medal unfortunately goes to Qilin.
00:02:02 - 00:02:05
They are just absolutely dominating the landscape right now.
00:02:05 - 00:02:06
- Dominating.
00:02:06 - 00:02:08
- Responsible for over 20% of the ransomware activity
00:02:08 - 00:02:11
in just the first two weeks of the year, 20%.
00:02:11 - 00:02:15
One group controlling a fifth of the market is massive.
00:02:15 - 00:02:17
That's like, I mean, that's a market dominance,
00:02:17 - 00:02:20
you usually see with legit tech giants, not criminal gangs.
00:02:20 - 00:02:22
- It's huge and they've been the most active player
00:02:22 - 00:02:27
for over a year now, which shows a terrifying level
00:02:27 - 00:02:28
of stability in their operations.
00:02:28 - 00:02:29
- Yeah, it was by them.
00:02:29 - 00:02:31
- Followed by Akira at roughly 15%,
00:02:31 - 00:02:35
and then a group called Sonoa coming in at just under 10%.
00:02:35 - 00:02:37
But honestly, looking at who is attacking
00:02:37 - 00:02:39
is less interesting than who they are attacking.
00:02:39 - 00:02:40
- This was the part of the report
00:02:40 - 00:02:43
that made me underline it twice.
00:02:43 - 00:02:45
Because when I picture a ransomware attack,
00:02:45 - 00:02:47
I have this movie scene in my head,
00:02:47 - 00:02:51
a Fortune 500 company, giant glass skyscraper.
00:02:52 - 00:02:55
A mission control room going red, millions in ransom.
00:02:55 - 00:02:58
- And that whole movie scene is completely outdated.
00:02:58 - 00:03:00
If you look at the victim organization size
00:03:00 - 00:03:04
in this report, the reality is just much grittier.
00:03:04 - 00:03:07
80.79% of victims are small businesses.
00:03:07 - 00:03:09
- 80% that is staggering.
00:03:09 - 00:03:11
We are not talking about multinational conglomerates.
00:03:11 - 00:03:14
- No, we're talking about companies with 500 employees
00:03:14 - 00:03:15
or fewer.
00:03:15 - 00:03:16
- So it's not whale hunting anymore.
00:03:16 - 00:03:18
It's industrial trawling.
00:03:18 - 00:03:20
- Precisely, it's a volume game.
00:03:20 - 00:03:23
- The big game hunting era hasn't ended.
00:03:23 - 00:03:24
The big companies still get hit.
00:03:24 - 00:03:27
But the small game farming era is in overdrive.
00:03:27 - 00:03:29
- And these smaller companies.
00:03:29 - 00:03:32
- They don't have a 24/7 security operations center.
00:03:32 - 00:03:35
They have maybe one, maybe two IT people
00:03:35 - 00:03:38
who are also fixing the printers and setting up the Wi-Fi.
00:03:38 - 00:03:40
- They're low hanging fruit.
00:03:40 - 00:03:41
And looking at the sectors,
00:03:41 - 00:03:43
manufacturing is taking the brunt of it, right?
00:03:43 - 00:03:46
Number one target at nearly 22%.
00:03:46 - 00:03:48
- Followed by retail and construction.
00:03:48 - 00:03:52
But manufacturing being number one just makes perfect sense
00:03:52 - 00:03:53
when you think about leverage.
00:03:53 - 00:03:54
- Because downtime just kills them.
00:03:54 - 00:03:55
- Exactly.
00:03:55 - 00:03:57
Manufacturing includes critical infrastructure,
00:03:57 - 00:03:59
supply chain vendors.
00:03:59 - 00:04:02
If a SaaS company goes down for a day, it's annoying.
00:04:02 - 00:04:04
If a factory stops running, physical goods aren't moving,
00:04:04 - 00:04:08
and money is being incinerated every single second.
00:04:08 - 00:04:09
- The pressure to pay is immediate.
00:04:09 - 00:04:10
- It is.
00:04:10 - 00:04:13
Plus, manufacturing environments are notorious
00:04:13 - 00:04:16
for running older technology, operational technology,
00:04:16 - 00:04:19
or OT, that is often legacy, fragile,
00:04:19 - 00:04:21
and just very hard to patch.
00:04:21 - 00:04:24
- Which brings us right back to that 2009 bug.
00:04:24 - 00:04:25
- Right.
00:04:25 - 00:04:27
- You have these critical machines running on ancient software,
00:04:27 - 00:04:29
because if it ain't broke, don't fix it.
00:04:29 - 00:04:31
Until someone breaks it for you.
00:04:31 - 00:04:31
- Right.
00:04:31 - 00:04:33
But the way they break it has changed too.
00:04:33 - 00:04:37
The report really emphasizes that the tactics have shifted.
00:04:37 - 00:04:40
The old lock the files and ask for Bitcoin model.
00:04:40 - 00:04:43
That's practically vintage now.
00:04:43 - 00:04:44
- We're talking about double extortion.
00:04:44 - 00:04:45
- We are.
00:04:45 - 00:04:48
- This is such a crucial concept for anyone listening
00:04:48 - 00:04:51
to understand, because it changes your defense strategy
00:04:51 - 00:04:52
completely.
00:04:52 - 00:04:54
- So walk us through the evolution,
00:04:54 - 00:04:55
because I think a lot of people still assume
00:04:55 - 00:04:57
that if they just have a backup, they're safe.
00:04:57 - 00:05:00
- So in the good old days of ransomware,
00:05:00 - 00:05:05
if we can even call them that, the attack was about availability.
00:05:05 - 00:05:07
I encrypt your server.
00:05:07 - 00:05:08
You can't open your files.
00:05:08 - 00:05:10
You pay me for the key.
00:05:10 - 00:05:13
If you had great offline backups, you could just tell the hackers
00:05:13 - 00:05:16
to get lost, wipe your systems, restore,
00:05:16 - 00:05:17
and you're back in business.
00:05:17 - 00:05:18
No payment needed.
00:05:18 - 00:05:20
- You had a get-out-of-jail-free card.
00:05:20 - 00:05:24
- You did, but groups like Qilin and Akira are businesses.
00:05:24 - 00:05:27
They realized they were losing revenue to good backups,
00:05:27 - 00:05:29
so they pivoted.
00:05:29 - 00:05:31
Now, they don't just encrypt your data,
00:05:31 - 00:05:32
they steal it first.
00:05:32 - 00:05:34
- Exfiltration before encryption.
00:05:34 - 00:05:35
- Exactly.
00:05:35 - 00:05:37
So even if I restore my files perfectly,
00:05:37 - 00:05:39
my business is up and running.
00:05:39 - 00:05:41
They're still holding my secrets.
00:05:41 - 00:05:43
- Correct. As the report states,
00:05:43 - 00:05:47
there is little victims can do once their data is stolen.
00:05:47 - 00:05:50
The leverage shifts from availability to confidentiality.
00:05:50 - 00:05:52
They threaten to leak customer data,
00:05:52 - 00:05:54
intellectual property, internal email,
00:05:54 - 00:05:57
- Embarrassing HR records, anything.
00:05:57 - 00:05:58
- It's just blackmail.
00:05:58 - 00:05:59
Plain and simple.
00:05:59 - 00:06:00
It's not just a technical problem anymore.
00:06:00 - 00:06:03
It's a PR crisis waiting to happen.
00:06:03 - 00:06:04
- It is, and the report highlights
00:06:04 - 00:06:06
they're moving faster than ever to do it.
00:06:06 - 00:06:08
We're seeing faster encryption windows.
00:06:08 - 00:06:12
They get in, grab the data, and lock the system in record time.
00:06:12 - 00:06:15
They're using commodity tooling to scale this up.
00:06:15 - 00:06:17
- So it's not a hacker in a hoodie typing furiously.
00:06:17 - 00:06:19
- No, it's an automated assembly line.
00:06:19 - 00:06:22
- And that assembly line requires specialized tools.
00:06:22 - 00:06:24
This is where I want to get technical,
00:06:24 - 00:06:28
because the specific weapons in the Byer-Nichols report,
00:06:28 - 00:06:30
Gootloader, Kimwolf, VoidLink,
00:06:30 - 00:06:31
these aren't just cool names.
00:06:31 - 00:06:35
They represent very different, very specific dangers.
00:06:35 - 00:06:37
- They cover the entire spectrum of the attack chain.
00:06:37 - 00:06:40
You've got access, evasion, and persistence.
00:06:40 - 00:06:43
- Let's start with access, the trap.
00:06:43 - 00:06:44
Gootloader.
00:06:44 - 00:06:47
The report calls it an opportunistic threat,
00:06:47 - 00:06:48
but that almost makes it sound passive.
00:06:48 - 00:06:50
It feels pretty aggressive to me.
00:06:50 - 00:06:53
- It's aggressive in how it manipulates human trust.
00:06:53 - 00:06:55
Gootloader weaponizes something we all use
00:06:55 - 00:06:56
dozens of times a day.
00:06:56 - 00:06:57
Search engines.
00:06:57 - 00:06:59
It uses SEO poisoning.
00:06:59 - 00:07:01
- Search engine optimization poisoning.
00:07:01 - 00:07:03
So they aren't hacking my computer directly.
00:07:03 - 00:07:05
They're hacking Google's rankings.
00:07:05 - 00:07:06
- Essentially yes.
00:07:06 - 00:07:08
They compromise legitimate websites,
00:07:08 - 00:07:11
often WordPress sites with poor security,
00:07:11 - 00:07:12
and they inject keywords.
00:07:12 - 00:07:13
They manipulate the algorithm.
00:07:13 - 00:07:16
So these compromised sites rank very highly
00:07:16 - 00:07:19
for these boring specific business terms.
00:07:19 - 00:07:19
- Like what?
00:07:19 - 00:07:22
- Contract templates, lease agreement forms,
00:07:22 - 00:07:23
invoice examples.
00:07:23 - 00:07:25
- Oh, that's insidious.
00:07:25 - 00:07:26
Because if I'm a small business owner,
00:07:26 - 00:07:29
the exact target we just discussed,
00:07:29 - 00:07:32
I'm probably Googling standard consulting agreement
00:07:32 - 00:07:33
at two in the afternoon on a Tuesday.
00:07:33 - 00:07:35
- And you see a link, it looks legit.
00:07:35 - 00:07:37
It might even look like a forum
00:07:37 - 00:07:38
where people are discussing contracts.
00:07:38 - 00:07:41
You click it, you download a ZIP file,
00:07:41 - 00:07:42
you think is the document,
00:07:42 - 00:07:44
but inside is a JavaScript file.
00:07:44 - 00:07:46
- And the moment I double click that,
00:07:46 - 00:07:47
thinking it's a PDF.
00:07:47 - 00:07:49
- Gootloader executes.
00:07:49 - 00:07:51
But here's the clever part.
00:07:51 - 00:07:53
It checks your environment first.
00:07:53 - 00:07:55
It looks to see if your computer
00:07:55 - 00:07:57
is part of an Active Directory domain.
00:07:57 - 00:08:00
It wants to know if you're a corporate user.
00:08:00 - 00:08:02
If you're just a home user,
00:08:02 - 00:08:04
it might do nothing or just serve you ads.
00:08:04 - 00:08:06
But if it smells a corporate network,
00:08:06 - 00:08:07
- It drops the payload.
00:08:07 - 00:08:08
- Boom.
00:08:08 - 00:08:11
Often Cobalt Strike, which gives the attackers
00:08:11 - 00:08:12
remote control of your machine.
00:08:12 - 00:08:14
And from there, they move through the network
00:08:14 - 00:08:15
and deploy ransomware.
00:08:15 - 00:08:19
It turns a simple Google search into a full-blown crisis.
00:08:19 - 00:08:21
- It's a trap just waiting for someone to do their job.
00:08:21 - 00:08:23
Okay, so Gootloader gets them in.
00:08:23 - 00:08:25
But the next tool on the list, Kimwolf,
00:08:25 - 00:08:29
that one scared me because of where it lives.
00:08:29 - 00:08:30
It's not attacking the office,
00:08:30 - 00:08:31
it's attacking the living room.
00:08:31 - 00:08:32
- Yes.
00:08:32 - 00:08:36
- Kimwolf is a botnet, but its target is unique.
00:08:36 - 00:08:40
It abuses residential proxy networks.
00:08:40 - 00:08:41
- Break that down for us.
00:08:41 - 00:08:43
Why does a hacker want a residential proxy?
00:08:43 - 00:08:46
- Okay, think about how corporate security works.
00:08:46 - 00:08:49
We have firewalls, threat intelligence feeds.
00:08:49 - 00:08:52
If a bank sees traffic coming from a known data center
00:08:52 - 00:08:54
in a country with high cybercrime,
00:08:54 - 00:08:55
they just block it.
00:08:55 - 00:08:56
It's an easy filter.
00:08:56 - 00:08:59
But if the traffic is coming from a residential IP address,
00:08:59 - 00:09:01
like a Comcast or Verizon connection
00:09:01 - 00:09:04
in suburban Ohio, the bank trusts it.
00:09:04 - 00:09:05
That looks like a customer.
00:09:05 - 00:09:08
- So Kimwolf allows hackers to wear the skin of a normal user.
00:09:08 - 00:09:09
- Exactly.
00:09:09 - 00:09:12
And to do that, they have to infect devices in people's homes.
00:09:12 - 00:09:15
And Kimwolf specifically targets cheap Android TV boxes.
00:09:15 - 00:09:17
- The kind you buy online for 30 bucks
00:09:17 - 00:09:19
to stream pirated movies.
00:09:19 - 00:09:20
- The very same.
00:09:20 - 00:09:22
A lot of these cheap devices are shipped
00:09:22 - 00:09:24
with essentially zero security.
00:09:24 - 00:09:27
They have the Android Debug Bridge (ADB) ports
00:09:27 - 00:09:29
left wide open to the internet.
00:09:29 - 00:09:30
- So Kimwolf just scans for them.
00:09:30 - 00:09:33
It scans the web, finds these open boxes,
00:09:33 - 00:09:37
infects them, and turns them into a proxy.
00:09:37 - 00:09:38
- So my neighbor's TV box could be part
00:09:38 - 00:09:42
of a massive DDoS attack against a government website
00:09:42 - 00:09:44
or used for ad fraud, and they'd have no idea.
00:09:44 - 00:09:47
- They just think their streaming is a little slow today.
00:09:47 - 00:09:49
It turns the consumer internet into a weapon
00:09:49 - 00:09:50
against the corporate internet.
00:09:50 - 00:09:52
It's hiding in plain sight.
00:09:52 - 00:09:56
- And speaking of hiding, we have to talk about VoidLink.
00:09:56 - 00:09:59
If Kimwolf is the home invader, VoidLink is the ghost
00:09:59 - 00:10:00
in the machine.
00:10:00 - 00:10:03
The report calls it a cloud native threat.
00:10:03 - 00:10:04
What makes it so special?
00:10:04 - 00:10:06
- VoidLink is probably the most technically impressive
00:10:06 - 00:10:08
piece of malware in this whole report.
00:10:08 - 00:10:11
We often talk about malware running on Windows or Linux.
00:10:11 - 00:10:13
VoidLink goes a layer deeper.
00:10:13 - 00:10:14
It is context aware.
00:10:14 - 00:10:15
- Context aware.
00:10:15 - 00:10:16
Like it knows where it is.
00:10:16 - 00:10:18
- Precisely.
00:10:18 - 00:10:20
When VoidLink infects a Linux system,
00:10:20 - 00:10:22
it doesn't just run blindly.
00:10:22 - 00:10:23
It checks its environment.
00:10:23 - 00:10:27
It asks, "Am I in an AWS EC2 instance?
00:10:27 - 00:10:29
Am I in an Azure container?
00:10:29 - 00:10:31
Am I running inside Docker or Kubernetes?"
00:10:31 - 00:10:32
- So it has situational awareness.
00:10:32 - 00:10:34
It's like a burglar checking if they're in a bank vault
00:10:34 - 00:10:35
or a grocery store.
00:10:35 - 00:10:38
- And based on the answer, it loads custom plugins.
00:10:38 - 00:10:41
The report mentions over 30 different ones.
00:10:41 - 00:10:45
If it's in AWS, it loads tools to exploit AWS metadata
00:10:45 - 00:10:46
services.
00:10:46 - 00:10:49
If it's in Docker, it loads container escape tools.
00:10:49 - 00:10:51
It adapts to whatever infrastructure it's inhabiting.
00:10:51 - 00:10:52
- That's terrifying.
00:10:52 - 00:10:54
It's not just smashing windows.
00:10:54 - 00:10:57
It's finding the specific blueprints for the building
00:10:57 - 00:10:59
it's in and using them against the owner.
00:10:59 - 00:11:02
- The report calls it the cloud era equivalent
00:11:02 - 00:11:03
of Cobalt Strike.
00:11:03 - 00:11:06
Cobalt Strike was the standard for Windows networks.
00:11:06 - 00:11:08
VoidLink is positioning itself to be the standard
00:11:08 - 00:11:09
for cloud networks.
00:11:09 - 00:11:11
It's designed to be persistent, stealthy,
00:11:11 - 00:11:14
and incredibly hard to dig out because it just blends in
00:11:14 - 00:11:16
with legitimate cloud processes.
00:11:16 - 00:11:19
- So we have SEO traps, infected TV boxes,
00:11:19 - 00:11:22
and cloud hopping ghosts.
00:11:22 - 00:11:23
But there was one more name that stood out
00:11:23 - 00:11:25
because it wasn't about theft or spying.
00:11:25 - 00:11:29
It was about pure maliciousness.
00:11:29 - 00:11:29
Sikari.
00:11:29 - 00:11:31
- Right, Sikari.
00:11:31 - 00:11:33
They claim an Israeli affiliation, though, you know,
00:11:33 - 00:11:36
attribution in these cases is always a bit tricky,
00:11:36 - 00:11:38
but their behavior is distinct.
00:11:38 - 00:11:40
Most ransomware is transactional.
00:11:40 - 00:11:42
Give me money, I give you files.
00:11:42 - 00:11:46
Sikari is what we call a destructive threat, a wiper.
00:11:46 - 00:11:48
- They just want to watch the world burn.
00:11:48 - 00:11:49
- Effectively, yeah.
00:11:49 - 00:11:52
Beyond just encrypting files, Sikari corrupts
00:11:52 - 00:11:54
the bootloader of the system.
00:11:54 - 00:11:54
- The bootloader.
00:11:54 - 00:11:56
That's the very first thing that loads
00:11:56 - 00:11:57
when you press the power button, right?
00:11:57 - 00:11:58
The ignition sequence.
00:11:58 - 00:11:59
- Correct.
00:11:59 - 00:12:00
So if you corrupt the bootloader,
00:12:00 - 00:12:02
the computer doesn't know how to be a computer anymore.
00:12:02 - 00:12:03
It just breaks the machine.
00:12:03 - 00:12:04
- So even if I pay to ransom.
00:12:04 - 00:12:06
- You can't just decrypt the files.
00:12:06 - 00:12:09
You have to rebuild the entire operating system
00:12:09 - 00:12:10
from scratch.
00:12:10 - 00:12:13
It makes system recovery exponentially harder and longer.
00:12:13 - 00:12:15
It's a scorched earth tactic.
00:12:15 - 00:12:17
- It's designed to cause maximum pain.
00:12:17 - 00:12:20
- Maximum pain and operational paralysis,
00:12:20 - 00:12:22
not just financial loss.
00:12:22 - 00:12:25
- It's incredible how specialized this whole ecosystem is.
00:12:25 - 00:12:29
You have tools for stealth, destruction, access.
00:12:29 - 00:12:33
But behind every tool is a human or a group.
00:12:33 - 00:12:36
The report highlights a few trending adversaries
00:12:36 - 00:12:40
and one that stood out as a standout risk was APT41.
00:12:40 - 00:12:43
- APT41 is fascinating because they really break the mold.
00:12:43 - 00:12:46
Usually we categorize hackers into two buckets.
00:12:46 - 00:12:50
State-sponsored, the spies, or cybercriminals, the thieves.
00:12:50 - 00:12:51
- And APT41 says, why not both?
00:12:51 - 00:12:53
They're the ultimate moonlighters.
00:12:53 - 00:12:56
They are a Chinese state-sponsored group.
00:12:56 - 00:12:59
So they conduct espionage for the government, stealing secrets,
00:12:59 - 00:13:00
tracking dissidents.
00:13:00 - 00:13:01
But then on the side,
00:13:01 - 00:13:03
they conduct financial crime for personal gain.
00:13:03 - 00:13:04
- They're blurring the lines.
00:13:04 - 00:13:07
- Completely between cyber warfare and cyber crime.
00:13:07 - 00:13:09
- And the report mentions they are masters
00:13:09 - 00:13:12
of living off the land, or LOTL.
00:13:12 - 00:13:14
I see this term a lot, but I feel like we should define it.
00:13:14 - 00:13:15
It's not camping.
00:13:15 - 00:13:17
- No tents involved, no.
00:13:17 - 00:13:19
Living off the land means using the tools
00:13:19 - 00:13:21
that are already installed on the victim's computer
00:13:21 - 00:13:22
to conduct the attack.
00:13:22 - 00:13:25
- I like the analogy of a burglar breaking into your house.
00:13:25 - 00:13:26
But instead of bringing a crowbar,
00:13:26 - 00:13:29
they just use your own kitchen knives
00:13:29 - 00:13:31
and the spare key under the mat.
00:13:31 - 00:13:32
- That is a perfect analogy.
00:13:32 - 00:13:35
They use PowerShell, Windows Management Instrumentation,
00:13:35 - 00:13:37
standard admin tools.
00:13:37 - 00:13:40
So if an IT security guard sees a PowerShell script running,
00:13:40 - 00:13:43
they might just assume it's the system admin doing maintenance.
00:13:43 - 00:13:45
- Oh, that's just Bob updating the server.
00:13:45 - 00:13:48
- But it's actually APT41 stealing the database.
00:13:48 - 00:13:50
And by using legitimate tools,
00:13:50 - 00:13:52
they don't trigger antivirus alarms
00:13:52 - 00:13:54
that look for known malware signatures.
00:13:54 - 00:13:57
It makes detection incredibly difficult
00:13:57 - 00:13:59
because the activity looks normal.
00:13:59 - 00:14:00
- Sneaky.
00:14:00 - 00:14:03
But hey, it's not all bad news in the report, right?
00:14:03 - 00:14:05
We did see some handcuffs clicking.
00:14:05 - 00:14:06
- We did.
00:14:06 - 00:14:08
A significant win for the good guys.
00:14:08 - 00:14:10
The Spanish National Police arrested 34 suspects
00:14:10 - 00:14:13
linked to the Black Axe Cybercrime Group.
00:14:13 - 00:14:16
- Black Axe sounds like a villain group from a comic book.
00:14:16 - 00:14:19
- They are a very real, very dangerous,
00:14:19 - 00:14:20
organized crime syndicate.
00:14:20 - 00:14:22
Originally out of West Africa,
00:14:22 - 00:14:23
but with a global footprint,
00:14:23 - 00:14:26
they deal in everything from business email compromise
00:14:26 - 00:14:29
to romance scams. And arresting 34 people,
00:14:29 - 00:14:31
that's not just a slap on the wrist,
00:14:31 - 00:14:32
that disrupts their infrastructure.
00:14:32 - 00:14:34
It takes knowledge and personnel off the board.
00:14:34 - 00:14:38
- It shows law enforcement is coordinating across borders.
00:14:38 - 00:14:40
And speaking of criminals having a bad day,
00:14:40 - 00:14:42
I admit I did chuckle at one of the news items.
00:14:42 - 00:14:45
The BreachForums hacking database was itself leaked.
00:14:45 - 00:14:47
- The irony is delicious, isn't it?
00:14:47 - 00:14:50
BreachForums is a marketplace where hackers go to buy
00:14:50 - 00:14:51
and sell stolen data.
00:14:51 - 00:14:53
Here's a million credit cards.
00:14:53 - 00:14:54
Here's a database of passwords.
00:14:54 - 00:14:57
And yet their own database was leaked,
00:14:57 - 00:15:01
exposing 324,000 of their own accounts.
00:15:01 - 00:15:02
- So the hackers got hacked.
00:15:02 - 00:15:04
The predator became the prey.
00:15:04 - 00:15:06
- It just goes to show in this ecosystem,
00:15:06 - 00:15:08
there is no honor among thieves
00:15:08 - 00:15:11
and apparently very little operational security among them either.
00:15:11 - 00:15:12
- I love that.
00:15:12 - 00:15:13
But I want to pivot to something
00:15:13 - 00:15:16
that I think is the most mind bending part of this deep dive.
00:15:16 - 00:15:18
We're in 2026.
00:15:18 - 00:15:22
But there's a new story here about a crypto theft,
00:15:22 - 00:15:25
eight and a half million dollars stolen from Trust Wallet
00:15:25 - 00:15:28
that is being traced back to a breach from 2022.
00:15:28 - 00:15:31
- The LastPass breach, yes.
00:15:31 - 00:15:34
This is a crucial lesson in the long tail of data breaches.
00:15:34 - 00:15:36
- 2022, that's four years ago,
00:15:36 - 00:15:38
in the tech world that's ancient history.
00:15:38 - 00:15:40
How is a breach from four years ago
00:15:40 - 00:15:42
still draining wallets today?
00:15:42 - 00:15:44
- Because of what was stolen,
00:15:44 - 00:15:47
the LastPass breach exposed vault data.
00:15:47 - 00:15:48
Now, people change their email passwords,
00:15:48 - 00:15:50
their banking passwords.
00:15:50 - 00:15:51
But in the crypto world,
00:15:51 - 00:15:53
people store seed phrases or private keys
00:15:53 - 00:15:55
in those secure notes.
00:15:55 - 00:15:56
- And a seed phrase is forever.
00:15:56 - 00:15:57
You can't just reset it
00:15:57 - 00:15:59
unless you create a whole new wallet and move the funds.
00:15:59 - 00:16:00
- Exactly.
00:16:00 - 00:16:02
And the threat actors have been playing the long game.
00:16:02 - 00:16:05
They downloaded those encrypted vaults in 2022.
00:16:05 - 00:16:06
They've spent the last four years
00:16:06 - 00:16:09
using massive computing power to brute force
00:16:09 - 00:16:11
the master passwords protecting those vaults.
00:16:11 - 00:16:12
- They're cracking them one by one.
00:16:12 - 00:16:14
It's a slow motion robbery.
00:16:14 - 00:16:16
- And once they crack a vault,
00:16:16 - 00:16:20
if they find a seed phrase, the money is gone.
00:16:20 - 00:16:23
It just emphasizes that a data breach
00:16:23 - 00:16:25
isn't a one-time event like a car crash.
00:16:25 - 00:16:26
It's radioactive fallout.
00:16:26 - 00:16:27
It lingers.
00:16:27 - 00:16:29
- That is startling.
00:16:29 - 00:16:30
You think you've moved on, you think,
00:16:30 - 00:16:33
"Oh, that was the 2022 incident I'm safe."
00:16:33 - 00:16:34
But the criminals are just patient.
00:16:34 - 00:16:35
- Extremely patient.
00:16:35 - 00:16:38
And we're seeing other long-term geopolitical tensions
00:16:38 - 00:16:40
playing out in the cyber realm too.
00:16:40 - 00:16:42
The report mentions Taiwan
00:16:42 - 00:16:44
reporting a 10-fold increase
00:16:44 - 00:16:46
in energy sector attacks from China.
00:16:46 - 00:16:48
- 10-fold, that's not a spike, that's a strategy.
00:16:48 - 00:16:50
- It signals that cyber conflict is escalating
00:16:50 - 00:16:52
in parallel with physical and political tensions.
00:16:52 - 00:16:55
You attack the power grid to test defenses,
00:16:55 - 00:16:56
to send a message.
00:16:56 - 00:16:58
It's critical infrastructure targeting
00:16:58 - 00:16:59
as a form of state craft.
00:16:59 - 00:17:00
- And on the software side,
00:17:00 - 00:17:03
just to round out the things to worry about list,
00:17:03 - 00:17:05
we have the Ne8 Mer flaw.
00:17:05 - 00:17:07
- Clever name, Ne8 Mer.
00:17:07 - 00:17:08
- It is. This is for n8n, right?
00:17:08 - 00:17:11
- Right, n8n is a workflow automation tool.
00:17:11 - 00:17:12
Think of it as the glue that connects
00:17:12 - 00:17:14
all your different apps together.
00:17:14 - 00:17:14
- So.
00:17:14 - 00:17:16
- If you get an email here,
00:17:16 - 00:17:18
save the attachment to Dropbox there
00:17:18 - 00:17:19
and send a Slack message.
00:17:19 - 00:17:21
- So it has access to everything.
00:17:21 - 00:17:21
- Exactly.
00:17:21 - 00:17:24
And that's why the flaw is rated max severity.
00:17:24 - 00:17:26
If you compromise the automation tool,
00:17:26 - 00:17:27
you possess the skeleton key
00:17:27 - 00:17:30
to every single service it connects to.
00:17:30 - 00:17:33
And it affects nearly 60,000 instances.
00:17:33 - 00:17:36
- It seems like skeleton key is the theme of the day,
00:17:36 - 00:17:39
from the 2009 bug to this n8n flaw.
00:17:39 - 00:17:40
- It really is.
00:17:40 - 00:17:41
- So we've covered a lot of ground here.
00:17:41 - 00:17:45
From 17 year old zombie bugs to cloud hopping ghosts
00:17:45 - 00:17:47
and residential botnets.
00:17:47 - 00:17:49
If we have to distill this for someone listening
00:17:49 - 00:17:51
who might be feeling a little overwhelmed,
00:17:51 - 00:17:52
what's the headline?
00:17:52 - 00:17:54
- If we zoom out on this January, 2026 report,
00:17:54 - 00:17:56
I think three things stand out.
00:17:56 - 00:17:59
First, basic hygiene is still your best defense.
00:17:59 - 00:18:01
That 2009 Microsoft bug,
00:18:01 - 00:18:03
it's only dangerous if you haven't updated.
00:18:03 - 00:18:05
- Patch the boring stuff, got it.
00:18:05 - 00:18:07
- Second, the perimeter is everywhere.
00:18:07 - 00:18:10
With threats like Kimwolf attacking Android TV boxes
00:18:10 - 00:18:13
and stealer malware like VVS Stealer targeting Discord users,
00:18:13 - 00:18:15
you can't just secure the office firewall.
00:18:15 - 00:18:18
Your employees' home network, their gaming PC,
00:18:18 - 00:18:19
their cheap streaming box,
00:18:19 - 00:18:22
that is now part of your corporate attack surface.
00:18:22 - 00:18:27
- Because VVS Stealer hides behind heavy obfuscation,
00:18:27 - 00:18:30
the report notes to steal data from the apps we use
00:18:30 - 00:18:33
for fun like Discord to get to the serious stuff.
00:18:33 - 00:18:34
- Correct.
00:18:34 - 00:18:37
The lines between home and work are gone for the attackers,
00:18:37 - 00:18:40
so they need to be gone for the defenders too.
00:18:40 - 00:18:44
And third, just realize that obscurity is not security.
00:18:44 - 00:18:46
Being a small business doesn't make you safe,
00:18:46 - 00:18:48
it makes you a statistic.
00:18:48 - 00:18:50
- Remember that 80% figure.
00:18:50 - 00:18:52
- The automated tools don't care how big you are,
00:18:52 - 00:18:53
they just care that you're vulnerable.
00:18:53 - 00:18:56
- And watch out for those fake legal documents.
00:18:56 - 00:18:58
If you're searching for a contract,
00:18:58 - 00:19:00
be incredibly suspicious of what you download.
00:19:00 - 00:19:01
Gootloader is waiting.
00:19:01 - 00:19:02
- Absolutely.
00:19:02 - 00:19:03
- Verify the source.
00:19:03 - 00:19:06
- You know, usually we end these deep dives with a summary,
00:19:06 - 00:19:10
but today I'm left with a slightly more unsettling feeling,
00:19:10 - 00:19:12
specifically about that LastPass story.
00:19:12 - 00:19:15
- Well, let me leave you with a provocative thought to chew on then.
00:19:15 - 00:19:17
We talked about the LastPass breach from 2022,
00:19:17 - 00:19:20
still causing damage in 2026.
00:19:20 - 00:19:21
And we talked about double extortion,
00:19:21 - 00:19:24
where groups like Qilin steal the data before they lock it.
00:19:24 - 00:19:27
- Right, the data is just out there.
00:19:27 - 00:19:29
- If data is stolen, it can be sold,
00:19:29 - 00:19:32
resold, and exploited years later.
00:19:32 - 00:19:33
So we have to ask ourselves,
00:19:33 - 00:19:37
is the concept of recovering from a cyber attack becoming a myth?
00:19:37 - 00:19:40
We might need to accept that in this new landscape,
00:19:40 - 00:19:42
once a breach happens, it never truly ends.
00:19:42 - 00:19:43
It just evolves.
00:19:43 - 00:19:44
You don't fix it.
00:19:44 - 00:19:46
You just live with the exposure forever.
00:19:46 - 00:19:50
- That is a heavy thought, the breach that never ends.
00:19:50 - 00:19:53
On that note, I'm gonna go check my software updates
00:19:53 - 00:19:55
and maybe throw my Android TV box out the window.
00:19:55 - 00:19:57
- Probably a wise decision.
00:19:57 - 00:19:59
- Thank you for guiding us through this minefield,
00:19:59 - 00:20:01
and thank you to our listener for joining us
00:20:01 - 00:20:03
on this deep dive into the Byer-Nichols Threat Brief.
00:20:03 - 00:20:06
Stay curious, stay paranoid, and stay patched.
00:20:06 - 00:20:08
We'll see you next time.
00:20:08 - 00:20:11
- Reach out to us at jbuyer.com for comments and questions.
00:20:11 - 00:20:13
Follow us at buyer company on social media,
00:20:13 - 00:20:16
and if you'd be so kind, please rate and review us
00:20:16 - 00:20:17
in your podcast app.
00:20:17 - 00:20:19
[Music]