Byer-Nichols Threat Brief for October 16-31 2025
Digital Rage

Season: 2 | Episode: 47

Published: November 3, 2025

By: Byer Co

The Global Threat Intelligence Brief: October 2025 provides a detailed analysis of the current cybersecurity landscape, highlighting major threats and trends from the latter half of October 2025. The report notes that over a quarter of a million F5 BIG-IP instances are exposed due to source code theft, emphasizing the danger of exposing network infrastructure management interfaces to the internet. Qilin remains the top ransomware actor, though CL0P has made a significant return using "encryption-less ransomware" to focus on pure extortion. Additionally, the brief tracks trending adversaries like UNC5142 and Star Blizzard, with the latter linked to Russian intelligence and targeting Western defense firms. The analysis also covers actively exploited vulnerabilities, such as a critical Windows Server Update Service flaw (CVE-2025-59287), and details new malware like GlassWorm, the first worm spreading through VS Code extensions, often using blockchain technology for resilience. Overall, the source captures a dynamic threat environment characterized by evolving ransomware tactics, persistent state-sponsored espionage, and critical vulnerabilities requiring immediate patching.

Link: Byer-Nichols Threat Brief for October 16-31 2025

Episode Transcript

00:00:00 - 00:00:03
Welcome to the Deep Dive.
00:00:03 - 00:00:06
Today, we're really ripping the lid off
00:00:06 - 00:00:08
the latest intelligence, specifically the Byer-
00:00:08 - 00:00:12
Nichols Threat Brief for the back half of October, 2025.
00:00:12 - 00:00:14
Look, this isn't just about recapping headlines.
00:00:14 - 00:00:18
We want to understand how the whole game has fundamentally
00:00:18 - 00:00:20
shifted just in the last month or so. Our mission?
00:00:20 - 00:00:21
Simple.
00:00:21 - 00:00:24
We need to quickly boil down the key changes you absolutely
00:00:24 - 00:00:24
need to grasp.
00:00:24 - 00:00:27
We're talking everything from, you know, huge critical
00:00:27 - 00:00:31
infrastructure exposure, all the way to brand new tactics
00:00:31 - 00:00:33
where attackers are actually using public blockchains
00:00:33 - 00:00:34
to stay operational.
00:00:34 - 00:00:36
And honestly, if you haven't seen the report yet,
00:00:36 - 00:00:39
the initial numbers are, well, they're pretty staggering,
00:00:39 - 00:00:42
just the sheer scale of immediate exposure.
00:00:42 - 00:00:44
The summary kicks off with a really severe incident
00:00:44 - 00:00:46
involving F5's source code being stolen, right?
00:00:46 - 00:00:51
And that seems to have directly led to over 266,000 F5 BIG-IP
00:00:51 - 00:00:55
instances being exposed, basically vulnerable to remote attacks.
00:00:55 - 00:00:56
OK, I have to jump in there.
00:00:56 - 00:00:58
266,000.
00:00:58 - 00:01:01
Publicly reachable devices.
00:01:01 - 00:01:03
I mean, that's practically a national security issue
00:01:03 - 00:01:04
right there, isn't it?
00:01:04 - 00:01:07
Regardless of who's attacking, that number alone
00:01:07 - 00:01:09
should be a massive red flag for everyone.
00:01:09 - 00:01:10
Oh, absolutely.
00:01:10 - 00:01:10
It should be.
00:01:10 - 00:01:13
And the report makes a critical point,
00:01:13 - 00:01:17
one that applies to every single organization, big or small.
00:01:17 - 00:01:20
The core failure here isn't just the source code theft,
00:01:20 - 00:01:21
as bad as that is.
00:01:21 - 00:01:23
It's the fact that management interfaces
00:01:23 - 00:01:25
for your network gear, your firewalls,
00:01:25 - 00:01:27
load balancers, all that stuff.
00:01:27 - 00:01:30
They should never, ever be just hanging out there
00:01:30 - 00:01:30
on the public internet.
00:01:30 - 00:01:32
This whole incident just confirms
00:01:32 - 00:01:35
that sloppy network setup is the starting point
00:01:35 - 00:01:37
for these huge failures.
00:01:37 - 00:01:38
So right off the bat, we're talking
00:01:38 - 00:01:40
about these massive foundational vulnerabilities.
00:01:40 - 00:01:42
Like the basement door is wide open.
00:01:42 - 00:01:43
Exactly.
00:01:43 - 00:01:45
And look, the F5 thing, it's not alone.
00:01:45 - 00:01:48
The brief also flags a critical RCE that's
00:01:48 - 00:01:50
remote code execution vulnerability.
00:01:50 - 00:01:55
It's affecting over 75,000 WatchGuard security devices.
00:01:55 - 00:01:57
And just a quick reminder, RCE basically
00:01:57 - 00:01:59
means an attacker can run their own malicious code
00:01:59 - 00:02:03
on your device from anywhere without needing permission.
00:02:03 - 00:02:04
So the environment we're looking at here,
00:02:04 - 00:02:06
it's exposed, it's vulnerable, and you
00:02:06 - 00:02:08
can bet the attackers are noticing.
00:02:08 - 00:02:10
OK, that really sets the stage.
00:02:10 - 00:02:13
We've got the vulnerability, the exposed infrastructure.
00:02:13 - 00:02:15
Now let's talk about how the big criminal players
00:02:15 - 00:02:16
are actually cashing in on this.
00:02:16 - 00:02:17
Yeah.
00:02:17 - 00:02:19
Because the ransomware charts, they show a pretty shocking
00:02:19 - 00:02:20
strategic turn.
00:02:20 - 00:02:24
I mean, yeah, Qilin is still way out in front, victim-wise.
00:02:24 - 00:02:26
But the real story isn't the leader.
00:02:26 - 00:02:29
It's the sudden, dramatic, frankly terrifying comeback
00:02:29 - 00:02:31
of a group we thought had mostly disappeared.
00:02:31 - 00:02:33
Right, we're talking about CL0P.
00:02:33 - 00:02:36
This group, they'd posted almost zero victims
00:02:36 - 00:02:39
since, what, May, July? Basically quiet all summer,
00:02:39 - 00:02:40
then almost overnight.
00:02:40 - 00:02:42
Boom, a massive reentry.
00:02:42 - 00:02:44
They hit 18 victims in about three weeks.
00:02:44 - 00:02:45
That's just a stunning acceleration.
00:02:45 - 00:02:48
Put them right back in the top tier of active groups, just
00:02:48 - 00:02:49
like that.
00:02:49 - 00:02:49
Wow.
00:02:49 - 00:02:51
OK, so what's driving that?
00:02:51 - 00:02:53
I mean, they always had the name recognition,
00:02:53 - 00:02:55
but you don't just jump back into the top five like that
00:02:55 - 00:02:59
without some kind of major change in how you operate.
00:02:59 - 00:03:01
That change is absolutely key.
00:03:01 - 00:03:02
And it links right back to what you
00:03:02 - 00:03:04
said about exposed infrastructure.
00:03:04 - 00:03:08
CL0P is leaning hard into what the report calls
00:03:08 - 00:03:10
encryption-less ransomware.
00:03:10 - 00:03:12
Think of it like pure data extortion.
00:03:12 - 00:03:15
They don't even bother encrypting your files anymore.
00:03:15 - 00:03:16
Why skip the encryption?
00:03:16 - 00:03:17
Isn't that the whole point?
00:03:17 - 00:03:18
Well, it used to be.
00:03:18 - 00:03:20
But the reports suggest more companies
00:03:20 - 00:03:22
have gotten pretty good with backups and recovery.
00:03:22 - 00:03:24
So traditional crypto ransomware.
00:03:24 - 00:03:26
Maybe less profitable now.
00:03:26 - 00:03:29
OK, so even if I have perfect backups,
00:03:29 - 00:03:30
I can get my data back, sure.
00:03:30 - 00:03:34
But CL0P gets around that by just stealing the info
00:03:34 - 00:03:36
and threatening to leak it or sell it.
00:03:36 - 00:03:37
So the whole threat model shifts.
00:03:37 - 00:03:40
It's less about recovery time and more about total reputational
00:03:40 - 00:03:42
meltdown or regulatory fines.
00:03:42 - 00:03:43
Precisely.
00:03:43 - 00:03:46
And this pure focus, it's incredibly effective.
00:03:46 - 00:03:48
Remember CL0P is thought to have
00:03:48 - 00:03:51
extorted what, over half a billion dollars historically?
00:03:51 - 00:03:54
They clearly see this high-impact reputational threat
00:03:54 - 00:03:57
as the most reliable money maker right now.
00:03:57 - 00:04:00
OK, let's break down who's really feeling the pain
00:04:00 - 00:04:02
from this pure extortion model.
00:04:02 - 00:04:05
Looking at the sectors, manufacturing and financial services
00:04:05 - 00:04:07
are almost tied for the top targets.
00:04:07 - 00:04:10
But the data on company size--
00:04:10 - 00:04:12
that's what really jumps out.
00:04:12 - 00:04:13
It's critical for our listeners to hear this.
00:04:13 - 00:04:15
It really is, yeah.
00:04:15 - 00:04:17
When you look at victim size, the overwhelming majority
00:04:17 - 00:04:20
we're talking almost four out of five, something like 77%
00:04:20 - 00:04:22
are small businesses.
00:04:22 - 00:04:25
Organizations with 500 employees or fewer.
00:04:25 - 00:04:28
They are the main targets for these incredibly sophisticated
00:04:28 - 00:04:30
multi-million dollar extortion gangs.
00:04:30 - 00:04:31
OK, I get the mechanics.
00:04:31 - 00:04:35
But if CL0P is hitting 77% small businesses,
00:04:35 - 00:04:36
how is a smaller company even supposed
00:04:36 - 00:04:38
to deal with that kind of reputational risk?
00:04:38 - 00:04:40
They don't have massive PR teams or huge legal departments
00:04:40 - 00:04:42
to handle a public data leak.
00:04:42 - 00:04:44
The cost of this pure extortion threat
00:04:44 - 00:04:46
feels disproportionately high for them.
00:04:46 - 00:04:47
Right.
00:04:47 - 00:04:49
That's the really tough reality the brief points to.
00:04:49 - 00:04:53
It forces you to completely rethink your defenses.
00:04:53 - 00:04:56
And geographically, while the US is still number one,
00:04:56 - 00:05:00
over half the victims, there was a pretty big shift
00:05:00 - 00:05:02
in the global top five list this time.
00:05:02 - 00:05:03
That's really a pop top.
00:05:03 - 00:05:03
Right.
00:05:03 - 00:05:04
That's true.
00:05:04 - 00:05:04
Yeah, exactly.
00:05:04 - 00:05:07
Australia joined the top five victim locations
00:05:07 - 00:05:08
in this reporting period.
00:05:08 - 00:05:11
That really suggests some successful targeted campaigns
00:05:11 - 00:05:13
hitting the Asia Pacific region.
00:05:13 - 00:05:16
It proves that while, yeah, US targets are still profitable,
00:05:16 - 00:05:19
these groups are actively aggressively
00:05:19 - 00:05:21
looking elsewhere too, diversifying.
00:05:21 - 00:05:23
Okay, so if they're adapting how they make money,
00:05:23 - 00:05:26
like CL0P's pure extortion,
00:05:26 - 00:05:27
how are the other players adapting?
00:05:27 - 00:05:29
I mean, the state sponsored groups,
00:05:29 - 00:05:31
they're really sophisticated financial actors.
00:05:31 - 00:05:33
How are they changing their own infrastructure?
00:05:33 - 00:05:35
Let's shift to these cutting edge tactics.
00:05:35 - 00:05:39
The new adversaries and their whole quest for resilience.
00:05:39 - 00:05:40
Right.
00:05:40 - 00:05:41
Resilience and speed.
00:05:41 - 00:05:43
They're investing heavily in both.
00:05:43 - 00:05:46
Take Star Blizzard, also known as COLDRIVER,
00:05:46 - 00:05:47
that's a perfect example of speed.
00:05:47 - 00:05:49
This is believed to be a Russian intelligence
00:05:49 - 00:05:52
linked group focused on espionage.
00:05:52 - 00:05:55
They do a lot of spear-phishing against Western think tanks,
00:05:55 - 00:05:57
defense contractors, that sort of thing.
00:05:57 - 00:06:00
And their whole story is just relentless adaptation,
00:06:00 - 00:06:00
isn't it?
00:06:00 - 00:06:01
Keep moving.
00:06:01 - 00:06:02
Keep changing.
00:06:02 - 00:06:03
Exactly.
00:06:03 - 00:06:06
Earlier this year, researchers exposed their main tool,
00:06:06 - 00:06:09
malware called LOSTKEYS.
00:06:09 - 00:06:10
What do they do?
00:06:10 - 00:06:11
They didn't just tweak it.
00:06:11 - 00:06:13
They switched gears incredibly fast.
00:06:13 - 00:06:15
Rolled out completely new malware families,
00:06:15 - 00:06:19
NOROBOT, YESROBOT, MAYBEROBOT. Google's analysis,
00:06:19 - 00:06:21
which is cited in the brief confirms it.
00:06:21 - 00:06:24
COLDRIVER is developing and deploying malware faster,
00:06:24 - 00:06:25
more aggressively than ever.
00:06:25 - 00:06:27
Speed itself has become their main defense
00:06:27 - 00:06:28
against getting caught.
00:06:28 - 00:06:30
That rapid development cycle is scary enough.
00:06:30 - 00:06:33
But what seems truly, I don't know, groundbreaking.
00:06:33 - 00:06:35
And maybe a bit shocking, is how the financially motivated
00:06:35 - 00:06:37
groups are using decentralized tech.
00:06:37 - 00:06:40
Tell us about this group, UNC5142,
00:06:40 - 00:06:43
and its innovative use of the blockchain.
00:06:43 - 00:06:46
OK, so UNC5142 is financially driven, right?
00:06:46 - 00:06:49
And they've figured out something pretty fundamental.
00:06:49 - 00:06:53
The easiest way to stop someone from taking down your operation
00:06:53 - 00:06:55
is to put your command structure somewhere
00:06:55 - 00:06:56
that can't be taken down.
00:06:56 - 00:06:59
So they're abusing public blockchain technology
00:06:59 - 00:07:01
to get maximum resilience.
00:07:01 - 00:07:02
Let's break that down for listeners.
00:07:02 - 00:07:04
Why is that so effective?
00:07:04 - 00:07:07
Normally, if, say, the FBI finds a command and control
00:07:07 - 00:07:11
server, the C2, they get a court order.
00:07:11 - 00:07:13
ISP takes it down, lights out for the malware, right?
00:07:13 - 00:07:15
That's the traditional way, yeah, the kill switch.
00:07:15 - 00:07:16
But think about it.
00:07:16 - 00:07:18
What if the instructions for the malware,
00:07:18 - 00:07:21
or maybe even the next piece of code it needs to download?
00:07:21 - 00:07:23
What if that lives on an immutable ledger, something
00:07:23 - 00:07:27
like a public blockchain, Solana, maybe Ethereum?
00:07:27 - 00:07:29
There's no single server to seize.
00:07:29 - 00:07:32
The data is spread out globally, and crucially,
00:07:32 - 00:07:33
it can't be changed.
00:07:33 - 00:07:36
It becomes effectively impossible for law enforcement
00:07:36 - 00:07:37
or security companies to just switch it off.
00:07:37 - 00:07:38
Wow.
00:07:38 - 00:07:41
That really is maximum resilience built right in.
00:07:41 - 00:07:42
And the malware they use for this.
00:07:42 - 00:07:45
That's RADTHIEF, also known as Rhadamanthys.
00:07:45 - 00:07:46
It's an info stealer.
00:07:46 - 00:07:50
And it's specifically using smart contracts on the blockchain
00:07:50 - 00:07:52
to distribute its later stages.
00:07:52 - 00:07:55
It means the malware's critical communication channel
00:07:55 - 00:07:58
is basically outside the reach of normal security tools
00:07:58 - 00:07:59
and governance.
00:07:59 - 00:08:00
All right, let's pivot now.
00:08:00 - 00:08:03
We need to talk about the immediate critical threats,
00:08:03 - 00:08:05
the stuff that needs patching yesterday,
00:08:05 - 00:08:08
and also some of these genuinely next-level malware
00:08:08 - 00:08:09
families that are popping up.
00:08:09 - 00:08:10
Absolutely.
00:08:10 - 00:08:12
We have to highlight the extreme urgency
00:08:12 - 00:08:16
around a really stunning vulnerability in Microsoft's Windows
00:08:16 - 00:08:18
Server Update Service, WSUS.
00:08:18 - 00:08:20
This was so bad, Microsoft pushed out
00:08:20 - 00:08:23
an emergency out-of-band update, which they really
00:08:23 - 00:08:23
don't do lightly.
00:08:23 - 00:08:24
Why the panic?
00:08:24 - 00:08:26
What made this one so critical?
00:08:26 - 00:08:26
Access.
00:08:26 - 00:08:28
It's all about the access it gave.
00:08:28 - 00:08:31
This vulnerability allowed an unauthenticated actor,
00:08:31 - 00:08:34
meaning someone without a password, not logged in,
00:08:34 - 00:08:37
to achieve remote code execution with system privileges.
00:08:37 - 00:08:38
That's it.
00:08:38 - 00:08:38
Game over.
00:08:38 - 00:08:39
Full control of the server.
00:08:39 - 00:08:42
An attacker could just run code with the highest possible
00:08:42 - 00:08:43
authority.
00:08:43 - 00:08:44
If you were running affected versions,
00:08:44 - 00:08:46
the only move was to patch immediately.
00:08:46 - 00:08:47
No excuses.
00:08:47 - 00:08:49
And it wasn't just Microsoft, right?
00:08:49 - 00:08:51
The brief mentions a whole slew of vendors
00:08:51 - 00:08:53
with actively exploited vulnerabilities.
00:08:53 - 00:08:54
It's a broad problem.
00:08:54 - 00:08:55
That's right.
00:08:55 - 00:08:58
The list of CVEs being actively hit wasn't
00:08:58 - 00:08:59
limited to Microsoft at all.
00:08:59 - 00:09:02
We saw critical flaws under attack in Apple products,
00:09:02 - 00:09:06
Broadcom VMware, and even major e-commerce platforms,
00:09:06 - 00:09:09
like Adobe Commerce, which you might know as Magento,
00:09:09 - 00:09:12
and AEM Forms, and that just confirms defenders
00:09:12 - 00:09:15
are basically fighting a war on too many fronts at once.
00:09:15 - 00:09:18
OK, the brief also had some really fascinating details
00:09:18 - 00:09:21
on new malware families.
00:09:21 - 00:09:23
Stuff that highlights just how technically sophisticated
00:09:23 - 00:09:24
these actors are getting.
00:09:24 - 00:09:28
They seem really focused on Next Gen Stealth
00:09:28 - 00:09:30
and that resilience theme we keep hitting.
00:09:30 - 00:09:31
Yeah, let's start with CLEARSHORT.
00:09:31 - 00:09:33
This is a multi-stage loader.
00:09:33 - 00:09:37
And it's used by that same blockchain group, UNC5142.
00:09:37 - 00:09:39
They target vulnerable WordPress sites,
00:09:39 - 00:09:41
a super common entry point, right, and use them
00:09:41 - 00:09:43
to host the first stage of CLEARSHORT.
00:09:43 - 00:09:45
But then, and this is the clever part,
00:09:45 - 00:09:47
the malware loads its second stage directly
00:09:47 - 00:09:48
from the public blockchain.
00:09:48 - 00:09:50
Whoa.
00:09:50 - 00:09:53
OK, so they use an old, easy WordPress vulnerability
00:09:53 - 00:09:57
to deliver this super-modern, highly resilient payload.
00:09:57 - 00:09:59
That's disturbingly efficient.
00:09:59 - 00:09:59
It is.
00:09:59 - 00:10:03
And then to actually infect the user's machine, the endpoint,
00:10:03 - 00:10:06
they use a social engineering trick called ClickFix.
00:10:06 - 00:10:09
Basically, they con the victim into clicking a link,
00:10:09 - 00:10:11
maybe pretending it's to fix some issue.
00:10:11 - 00:10:14
And that click gives the initial foothold
00:10:14 - 00:10:16
for the blockchain-based payload to deploy.
00:10:16 - 00:10:18
That's terrifyingly clever.
00:10:18 - 00:10:19
Yeah.
00:10:19 - 00:10:22
But maybe not as mind-bending as the evasion used by GlassWorm.
00:10:22 - 00:10:23
This one sounded almost like science fiction.
00:10:23 - 00:10:26
GlassWorm is, yeah, it's genuinely revolutionary
00:10:26 - 00:10:27
in how it hides.
00:10:27 - 00:10:29
It's the first worm we've seen spreading
00:10:29 - 00:10:32
through VS Code extensions in the Open VSX marketplace.
00:10:32 - 00:10:34
So it targets developers directly.
00:10:34 - 00:10:36
But the real innovation, how it evades
00:10:36 - 00:10:39
detection, it hides malicious code using invisible characters.
00:10:39 - 00:10:40
Invisible characters.
00:10:40 - 00:10:43
You mean like hidden messages in the code itself?
00:10:43 - 00:10:44
Steganography for source code?
00:10:44 - 00:10:46
Yeah, exactly like that.
00:10:46 - 00:10:49
It uses specific Unicode characters
00:10:49 - 00:10:52
that look completely identical to a human looking at the code.
00:10:52 - 00:10:55
Even basic security tools might miss them.
00:10:55 - 00:10:58
But these characters change how the code actually runs.
00:10:58 - 00:11:01
It defeats both the human eye and simple scanners.
00:11:01 - 00:11:04
The malicious part hides in plain sight
00:11:04 - 00:11:07
inside what looks like totally legitimate code.
00:11:07 - 00:11:08
And guess what?
00:11:08 - 00:11:10
Tying back to resilience.
00:11:10 - 00:11:11
It controls the machines
00:11:11 - 00:11:14
it infects through the Solana blockchain for its C2 network.
00:11:14 - 00:11:14
Wait, hold on.
00:11:14 - 00:11:16
So they're exploiting how we read code,
00:11:16 - 00:11:18
the limitations of human perception,
00:11:18 - 00:11:20
not just how computers execute it.
00:11:20 - 00:11:22
That's next level operational security for the bad guys.
00:11:22 - 00:11:23
It really is.
00:11:23 - 00:11:26
It forces a complete rethink of how you even review code.
00:11:26 - 00:11:28
And finally, the brief touched on an issue
00:11:28 - 00:11:30
with a macOS threat.
00:11:30 - 00:11:32
Something that raises specific concerns
00:11:32 - 00:11:34
about Apple's own built-in security.
00:11:34 - 00:11:36
That would be Odyssey Stealer, a macOS infostealer.
00:11:36 - 00:11:40
Now, the malware itself isn't necessarily groundbreaking,
00:11:40 - 00:11:41
but how it's being deployed.
00:11:41 - 00:11:42
That's the worry.
00:11:42 - 00:11:43
Samples of Odyssey have been found out
00:11:43 - 00:11:47
in the wild code-signed with a valid Apple Developer ID.
00:11:47 - 00:11:48
Which means what exactly?
00:11:48 - 00:11:49
For the average user.
00:11:49 - 00:11:52
It's like having a fake ID that looks absolutely perfect.
00:11:52 - 00:11:56
When software is signed with a valid Apple Developer ID
00:11:56 - 00:11:58
and notarized by Apple, it basically
00:11:58 - 00:12:01
tells macOS's built-in security, Gatekeeper,
00:12:01 - 00:12:02
Hey, this is legit.
00:12:02 - 00:12:03
I'm vouched for.
00:12:03 - 00:12:05
So it bypasses those standard checks.
00:12:05 - 00:12:07
It allows the malware to be downloaded
00:12:07 - 00:12:11
and run without being blocked or even flagged as suspicious.
00:12:11 - 00:12:13
It shows attackers are going to extreme lengths
00:12:13 - 00:12:15
like stealing valid developer keys just
00:12:15 - 00:12:17
to get past platform security.
00:12:17 - 00:12:17
OK.
00:12:17 - 00:12:19
So let's try to pull all these threads together.
00:12:19 - 00:12:23
We've talked about Star Blizzard's speed, UNC5142 using
00:12:23 - 00:12:25
blockchain, CL0P ditching encryption
00:12:25 - 00:12:27
for pure extortion, those thousands
00:12:27 - 00:12:29
of exposed F5 devices.
00:12:29 - 00:12:30
What's the bottom line here?
00:12:30 - 00:12:31
What connects all this?
00:12:31 - 00:12:34
I think the overarching trend is pretty clear.
00:12:34 - 00:12:38
Adversaries are aggressively prioritizing really three things.
00:12:38 - 00:12:41
Resilience, speed, and high impact extortion.
00:12:41 - 00:12:44
Resilience-- so they can't be taken down easily.
00:12:44 - 00:12:46
That's the blockchain C2 stuff-- speed.
00:12:46 - 00:12:49
So they can iterate faster than defenders can keep up.
00:12:49 - 00:12:50
That's COLDRIVER.
00:12:50 - 00:12:54
And high impact extortion, the pure data theft model
00:12:54 - 00:12:56
confirms that the main threat for you, the listener,
00:12:56 - 00:12:57
is shifting.
00:12:57 - 00:12:59
It's moving away from just internal recovery
00:12:59 - 00:13:02
headaches towards external risk, public exposure,
00:13:02 - 00:13:04
regulatory fines, brand damage.
00:13:04 - 00:13:05
That's the new battleground.
00:13:05 - 00:13:07
And just to add context, we should quickly mention some
00:13:07 - 00:13:09
of the wider news items the brief included.
00:13:09 - 00:13:13
There was that huge Prosper data breach, 17.6 million accounts,
00:13:13 - 00:13:15
just underscores the sheer volume of data at risk.
00:13:15 - 00:13:16
Right.
00:13:16 - 00:13:17
And then you see the consequences, like
00:13:17 - 00:13:20
Experian getting fined $3.2 million
00:13:20 - 00:13:21
for mass collecting personal data.
00:13:21 - 00:13:23
That reinforces the regulatory pressure
00:13:23 - 00:13:26
that actually makes data theft so valuable for extortionists.
00:13:26 - 00:13:29
Also that Pwn2Own Ireland event.
00:13:29 - 00:13:30
Wow.
00:13:30 - 00:13:34
Hackers found 34 zero-days on day one, 56 on day two.
00:13:34 - 00:13:37
That's just a stark reminder of how much undiscovered attack
00:13:37 - 00:13:39
surface is still out there, even in popular software.
00:13:39 - 00:13:42
And let's not forget, the basics still work.
00:13:42 - 00:13:45
The brief mentioned LinkedIn phishing, targeting finance
00:13:45 - 00:13:47
execs with fake board meeting invites,
00:13:47 - 00:13:49
still trying to get that initial foothold
00:13:49 - 00:13:50
through simple deception.
00:13:50 - 00:13:53
So this deep dive into the Byer-Nichols brief.
00:13:53 - 00:13:54
It paints a picture, doesn't it?
00:13:54 - 00:13:56
It's unequivocally clear.
00:13:56 - 00:13:58
We're in a rapidly accelerating, technically
00:13:58 - 00:14:00
sophisticated threat environment.
00:14:00 - 00:14:02
The infrastructure is exposed.
00:14:02 - 00:14:04
And the adversaries are well funded, agile,
00:14:04 - 00:14:06
and frankly quite innovative.
00:14:06 - 00:14:09
Which really brings us to a final provocative thought
00:14:09 - 00:14:10
for you to chew on.
00:14:10 - 00:14:12
Given this definitive shift by major groups
00:14:12 - 00:14:16
like CL0P towards encryption-less ransomware,
00:14:16 - 00:14:18
focusing purely on data extortion,
00:14:18 - 00:14:20
and knowing that almost 80% of their victims
00:14:20 - 00:14:22
are small and mid-market companies,
00:14:22 - 00:14:26
the question becomes, what's the real cost of cyber defense
00:14:26 - 00:14:27
today?
00:14:27 - 00:14:29
If the number one threat is public exposure
00:14:29 - 00:14:32
and brand destruction, not just system downtime,
00:14:32 - 00:14:34
should your defensive strategy now
00:14:34 - 00:14:37
focus just as much on things like rigorous data separation,
00:14:37 - 00:14:39
internal risk management, having
00:14:39 - 00:14:42
a solid crisis communication plan ready to go?
00:14:42 - 00:14:45
Is that just as important now as having good backups?
00:14:45 - 00:14:47
Because maybe the target isn't really your systems anymore.
00:14:47 - 00:14:49
Maybe it's your reputation.
00:14:49 - 00:14:51
That is a critical question and one that demands
00:14:51 - 00:14:52
immediate attention.
00:14:52 - 00:14:54
Thank you for joining us for this deep dive.
00:14:54 - 00:14:57
Reach out to us at jbuyer.com for comments and questions.
00:14:57 - 00:14:59
Follow us at Byer Company on social media.
00:14:59 - 00:15:02
And if you'd be so kind, please rate and review us
00:15:02 - 00:15:03
in your podcast app.
00:15:03 - 00:15:05
[Music]