Byer-Nichols Threat Brief: Second Half September 2025
Digital Rage

Season: 2 | Episode: 37

Published: October 4, 2025

By: Byer Co

Byer-Nichols Threat Brief Cybersecurity Data for September 16-30, 2025 is a detailed cybersecurity report published by Byer Co. The report focuses on the threat landscape during that two-week period, highlighting a rise in attacks targeting Cisco ASA and IOS XE devices and increased activity from malware such as Brickstorm and MetaStealer. It provides statistical data indicating that the USA remains the top victim location by a large margin and that small businesses are overwhelmingly the most targeted organization size. The brief also lists trending ransomware (led by Qilin), actively exploited vulnerabilities, and profiles of key campaigns and adversary groups such as ArcaneDoor and Scattered Spider. It is aimed at informing readers about current digital security risks and trends.

Link: Byer-Nichols Threat Brief: Second Half September 2025

Keywords: CyberSecurity News,cybersecurity marketing,cybersecurity report

Episode Transcript

00:00:00 - 00:00:03
Welcome back to Digital Rage Deep Dive.
00:00:03 - 00:00:05
Today, we're essentially doing triage.
00:00:05 - 00:00:08
We've got this really comprehensive cyber security
00:00:08 - 00:00:09
threat brief.
00:00:09 - 00:00:12
It covers the second half of September 2025.
00:00:12 - 00:00:13
- Yes, dense stuff.
00:00:13 - 00:00:16
A real snapshot of the cyber battlefield globally.
00:00:16 - 00:00:17
- Exactly.
00:00:17 - 00:00:20
And our mission here is to cut through that complexity fast.
00:00:20 - 00:00:23
We wanted to distill this down into actionable knowledge for you.
00:00:23 - 00:00:25
- Turning Intel into something usable.
00:00:25 - 00:00:28
- Right off the bat, the stakes are, well,
00:00:28 - 00:00:29
they're screaming high.
00:00:29 - 00:00:33
The executive summary flags this immediate major concern.
00:00:33 - 00:00:37
A real uptick in attacks targeting critical network
00:00:37 - 00:00:42
infrastructure, specifically Cisco ASA and IOS XE devices.
00:00:42 - 00:00:45
- And let's be clear, these aren't your home Wi-Fi routers.
00:00:45 - 00:00:46
- No, not at all.
00:00:46 - 00:00:49
These are the serious firewalls, the core routers,
00:00:49 - 00:00:50
the central nervous system of a network.
00:00:50 - 00:00:52
- So, attackers get into these.
00:00:52 - 00:00:54
It's way beyond just stealing some data.
00:00:54 - 00:00:56
- It's full network takeover territory,
00:00:56 - 00:00:57
potentially catastrophic.
00:00:57 - 00:00:58
- Precisely.
00:00:58 - 00:01:00
- And as we pull apart this report, what we're really doing
00:01:00 - 00:01:03
is tracking the strategic shifts of, well, everyone.
00:01:03 - 00:01:04
State actors, criminals.
00:01:04 - 00:01:06
- Where are they putting their effort?
00:01:06 - 00:01:06
- Exactly.
00:01:06 - 00:01:08
It seems the focus is shifting.
00:01:08 - 00:01:10
Less about just grabbing credentials, maybe,
00:01:10 - 00:01:13
and more about getting that deep, persistent control
00:01:13 - 00:01:15
over core systems.
00:01:15 - 00:01:17
- So this brief really maps that out.
00:01:17 - 00:01:19
- It shows where the resources are going, yeah.
00:01:19 - 00:01:22
And if you rely on this kind of network gear,
00:01:22 - 00:01:23
you're right in the crosshairs.
00:01:23 - 00:01:24
- Okay, so let's unpack that.
00:01:24 - 00:01:27
Start with the who, who's getting hit the hardest right now?
00:01:27 - 00:01:31
Geographically, no huge surprise at the very top.
00:01:31 - 00:01:34
The US is still the main target.
00:01:34 - 00:01:35
Huge dominant actually.
00:01:35 - 00:01:36
- What's the number?
00:01:36 - 00:01:40
- 54.20% of victim locations in this period.
00:01:40 - 00:01:41
That kind of focus, well, it's consistent.
00:01:41 - 00:01:44
- Okay, 54% US, but you said that's not
00:01:44 - 00:01:45
the whole story geographically.
00:01:45 - 00:01:47
- Right, because there was a big mover, South Korea.
00:01:47 - 00:01:49
- South Korea, okay, that is interesting.
00:01:49 - 00:01:50
How high up?
00:01:50 - 00:01:53
- Shot right into the top five, 7.69%.
00:01:53 - 00:01:55
And the report's very specific here.
00:01:55 - 00:01:56
- How so?
00:01:56 - 00:02:00
- Not some gradual increase, it was basically one huge event.
00:02:00 - 00:02:03
A massive data dump linked to, quote,
00:02:03 - 00:02:04
Qilin ransomware.
00:02:04 - 00:02:08
- Wow, so one big hit can totally skew the victim map.
00:02:08 - 00:02:09
- Absolutely.
00:02:09 - 00:02:12
Shows how a single successful large-scale op
00:02:12 - 00:02:14
can just reshape things almost overnight.
00:02:14 - 00:02:16
- All right, let's talk sectors.
00:02:16 - 00:02:18
Who are they hitting industry-wise?
00:02:18 - 00:02:20
- Okay, top three are financial services.
00:02:20 - 00:02:23
That's 18.53%.
00:02:23 - 00:02:24
- Makes sense?
00:02:24 - 00:02:25
Always a target.
00:02:25 - 00:02:28
- Construction at 17.13%.
00:02:28 - 00:02:29
- Wait, construction?
00:02:29 - 00:02:30
I had tech.
00:02:30 - 00:02:35
- Yep, technology is third at 16.08%.
00:02:35 - 00:02:38
Financial and tech, yeah, obvious targets, high value data.
00:02:38 - 00:02:41
But construction in second place.
00:02:41 - 00:02:42
That's fascinating.
00:02:42 - 00:02:43
- It really is.
00:02:43 - 00:02:44
What's the thinking there?
00:02:44 - 00:02:45
Why construction?
00:02:45 - 00:02:47
- Well, you could call it the construction problem.
00:02:47 - 00:02:50
It's quite revealing about attacker calculus, I think.
00:02:50 - 00:02:51
- How so?
00:02:51 - 00:02:52
They're following the money, but--
00:02:52 - 00:02:54
- But maybe where the defenses aren't quite as mature.
00:02:54 - 00:02:55
Think about it.
00:02:55 - 00:02:57
Construction firms have tons of valuable data.
00:02:57 - 00:03:01
Blueprints, big project details, client lists, IP.
00:03:01 - 00:03:02
- High value stuff.
00:03:02 - 00:03:04
- Definitely of value, but historically,
00:03:04 - 00:03:06
maybe they haven't invested in cyber defense
00:03:06 - 00:03:07
the same way a big bank has.
00:03:07 - 00:03:10
- So it's perceived as lower effort for a high reward.
00:03:10 - 00:03:12
- That seems to be the play, yeah.
00:03:12 - 00:03:14
- Okay, now here's the part that, well,
00:03:14 - 00:03:15
it really jumped out at me.
00:03:15 - 00:03:18
And it's crucial if you, the listener,
00:03:18 - 00:03:20
are trying to figure out where to focus your defenses.
00:03:20 - 00:03:21
Org size.
00:03:21 - 00:03:23
- This stat is--
00:03:24 - 00:03:25
- Stark.
00:03:25 - 00:03:27
- Small businesses.
00:03:27 - 00:03:27
- Right.
00:03:27 - 00:03:30
- Defined here as 500 employees or fewer,
00:03:30 - 00:03:32
they account for, wait for it,
00:03:32 - 00:03:35
81.47% of victims.
00:03:35 - 00:03:36
- 81%.
00:03:36 - 00:03:37
Let's just pause on that.
00:03:37 - 00:03:38
- It's staggering.
00:03:38 - 00:03:39
- It really is.
00:03:39 - 00:03:41
This isn't just a number.
00:03:41 - 00:03:44
It's arguably the key takeaway for defense strategy right now.
00:03:44 - 00:03:45
- So mid market is what?
00:03:45 - 00:03:46
About 13%.
00:03:46 - 00:03:47
- Yeah.
00:03:47 - 00:03:49
- And large enterprise only 5%.
00:03:49 - 00:03:50
- Roughly, yeah.
00:03:50 - 00:03:53
13.29 from mid market, 5.24 for large enterprise.
00:03:53 - 00:03:54
Think about the implications.
00:03:54 - 00:03:56
- If you spend all your resources
00:03:56 - 00:03:58
securing one massive company.
00:03:58 - 00:04:01
- You're addressing maybe 5% of the reported attack volume.
00:04:01 - 00:04:02
- Yeah.
00:04:02 - 00:04:05
- But if you secure say 50 smaller medium businesses.
00:04:05 - 00:04:06
- You're covering over 80% of where the attacks
00:04:06 - 00:04:07
are actually landing.
00:04:07 - 00:04:09
- It completely flips the perspective, doesn't it?
00:04:09 - 00:04:10
- It does.
00:04:10 - 00:04:12
So are the attackers just avoiding the big guys
00:04:12 - 00:04:14
because it's harder, opting for volume?
00:04:14 - 00:04:16
Or is it more strategic?
00:04:16 - 00:04:18
- I think it's highly calculated resource management.
00:04:18 - 00:04:23
Large companies have mature incident response legal teams.
00:04:23 - 00:04:24
They fight back hard.
00:04:24 - 00:04:26
- Right, more friction.
00:04:26 - 00:04:26
- Exactly.
00:04:26 - 00:04:29
Small businesses, often easier to breach.
00:04:29 - 00:04:31
Maybe more likely to pay a smaller ransom quickly
00:04:31 - 00:04:32
just to get back online.
00:04:32 - 00:04:33
- And the volume adds up?
00:04:33 - 00:04:36
- The volume makes the revenue stream more reliable
00:04:36 - 00:04:39
for the attackers less risk, steady income.
00:04:39 - 00:04:40
- Okay.
00:04:40 - 00:04:43
So we know it's overwhelmingly small businesses being hit.
00:04:43 - 00:04:46
Now, the weapons, what are they using?
00:04:46 - 00:04:47
Ransomware is still king.
00:04:47 - 00:04:48
- Oh yeah.
00:04:48 - 00:04:51
Undisputed king of cybercrime finance.
00:04:51 - 00:04:55
- Qilin holds that top spot, 21.07% of incidents
00:04:55 - 00:04:56
observed in this period.
00:04:56 - 00:04:58
- Consistent player.
00:04:58 - 00:04:59
But what about movement?
00:04:59 - 00:05:00
That tells a story too.
00:05:00 - 00:05:02
- And that's where it gets really interesting.
00:05:02 - 00:05:04
Qilin's steady, but look at the others.
00:05:04 - 00:05:05
Akira's been climbing aggressively.
00:05:05 - 00:05:06
- Weren't they fourth last time?
00:05:06 - 00:05:09
- They were, now they're second, at 11.64%.
00:05:09 - 00:05:11
That's determined growth.
00:05:11 - 00:05:12
- And Play ransomware?
00:05:12 - 00:05:13
I remember them being much lower down.
00:05:13 - 00:05:14
- Much lower.
00:05:14 - 00:05:16
They surged into the top three.
00:05:16 - 00:05:18
Just two reporting periods ago, they were 12th.
00:05:18 - 00:05:19
- 12th to top three.
00:05:19 - 00:05:21
That's not organic growth.
00:05:21 - 00:05:23
- No, that screams aggressive scaling.
00:05:23 - 00:05:26
Marketing, targeting, operations.
00:05:26 - 00:05:28
They invested heavily.
00:05:28 - 00:05:30
- But the biggest shocker in the rankings.
00:05:30 - 00:05:31
- Has to be Kill Security.
00:05:31 - 00:05:33
This is the standout mover.
00:05:33 - 00:05:34
- Where did they come from?
00:05:34 - 00:05:36
- They were way down 27th place.
00:05:36 - 00:05:39
They vaulted straight into the top five.
00:05:39 - 00:05:41
- 27th to 5th.
00:05:41 - 00:05:42
In one period.
00:05:42 - 00:05:44
- It's like some unknown startup blowing past
00:05:44 - 00:05:46
established giants overnight.
00:05:46 - 00:05:48
It just underscores the speed.
00:05:48 - 00:05:50
A new threat can gain massive scale
00:05:50 - 00:05:51
incredibly quickly in this ecosystem.
00:05:51 - 00:05:53
- Beyond those big ransomware names,
00:05:53 - 00:05:56
the report flagged some other malware.
00:05:56 - 00:05:58
New stuff, or maybe trending threats with different goals.
00:05:58 - 00:06:01
- Yeah, definitely need to look beyond just ransomware.
00:06:01 - 00:06:05
We need to understand the consequences of these other tools.
00:06:05 - 00:06:06
- Okay, what should we highlight?
00:06:06 - 00:06:07
- First, there's Brickstorm.
00:06:07 - 00:06:10
The report characterizes it as disruptive,
00:06:10 - 00:06:12
aimed at causing chaos during a compromise.
00:06:12 - 00:06:15
- So not just encrypting, but actively breaking things.
00:06:15 - 00:06:16
- Pretty much.
00:06:16 - 00:06:19
Maximum operational disruption seems to be the goal.
00:06:19 - 00:06:20
- Wrecking systems.
00:06:20 - 00:06:21
- Nasty.
00:06:21 - 00:06:21
- What else?
00:06:21 - 00:06:23
- Then MetaStealer.
00:06:23 - 00:06:25
And this is important for a lot of users,
00:06:25 - 00:06:27
especially outside big corporate networks.
00:06:27 - 00:06:30
It's specifically Mac-focused.
00:06:30 - 00:06:31
- An info-stealer for Macs.
00:06:31 - 00:06:32
- Exactly.
00:06:32 - 00:06:36
It chips away at that old idea that Macs are somehow immune.
00:06:36 - 00:06:38
Threat actors are definitely diversifying
00:06:38 - 00:06:40
to hit Apple users too.
00:06:40 - 00:06:43
- And the one with the worrying name, Shai-Hulud.
00:06:43 - 00:06:45
- Yes, named after the Dune sandworms,
00:06:45 - 00:06:47
which tells you something.
00:06:47 - 00:06:48
- Worm-like traits, right?
00:06:48 - 00:06:50
Self-spreading.
00:06:50 - 00:06:51
- That's the concern.
00:06:51 - 00:06:53
Significant worries about self-propagation.
00:06:53 - 00:06:55
It doesn't need constant commands.
00:06:55 - 00:06:58
Once it's in, it can potentially spread rapidly
00:06:58 - 00:06:59
on its own, like wildfire.
00:06:59 - 00:07:01
- That raises the stakes considerably.
00:07:01 - 00:07:02
Any state-linked stuff new?
00:07:02 - 00:07:04
- Yeah, activity linked to the Iranian group
00:07:04 - 00:07:06
Nimbus Manticore.
00:07:06 - 00:07:08
They're using these lightweight loaders,
00:07:08 - 00:07:09
MiniBrowse and MiniJunk.
00:07:09 - 00:07:10
- Loaders.
00:07:10 - 00:07:12
So designed to just open the door.
00:07:12 - 00:07:13
- Essentially, yeah.
00:07:13 - 00:07:16
Small, stealthy tools designed purely to establish
00:07:16 - 00:07:18
a foothold and maintain persistence.
00:07:18 - 00:07:20
Then they drop the main espionage payloads later.
00:07:20 - 00:07:23
- Okay, so we have the who, the what, now the how,
00:07:23 - 00:07:24
how are they getting in?
00:07:24 - 00:07:26
You mentioned the Cisco issue up front.
00:07:26 - 00:07:28
- And we really have to hammer this home.
00:07:28 - 00:07:32
The report shows repeated critical exploitation
00:07:32 - 00:07:36
of those flaws in Cisco ASA and iOS XE devices.
00:07:36 - 00:07:37
- This isn't theoretical.
00:07:37 - 00:07:38
- Not at all.
00:07:38 - 00:07:41
Real-world evidence, like the ArcaneDoor campaign
00:07:41 - 00:07:43
mentioned in reports, attackers are actively
00:07:43 - 00:07:46
using known bugs in these core devices
00:07:46 - 00:07:49
to just bypass perimeter defenses entirely.
00:07:49 - 00:07:50
- Straight to the heart of the network.
00:07:50 - 00:07:51
- Exactly.
00:07:51 - 00:07:54
That's why patching these is absolutely critical.
00:07:54 - 00:07:56
- Beyond Cisco, what other vulnerabilities
00:07:56 - 00:08:00
are being actively hit right now, according to the brief?
00:08:00 - 00:08:02
What should teams be patching like mad?
00:08:02 - 00:08:04
- We're seeing continued attacks
00:08:04 - 00:08:06
against Fortra GoAnywhere MFT.
00:08:06 - 00:08:07
- MFT managed file transfer.
00:08:07 - 00:08:10
- Right, that's the secure way large orgs move,
00:08:10 - 00:08:14
massive, often sensitive, regulated data sets around.
00:08:14 - 00:08:16
Hitting that is like hitting the vault.
00:08:16 - 00:08:18
- Gives access to the crown jewels potentially.
00:08:18 - 00:08:18
- Potentially, yeah.
00:08:18 - 00:08:21
Also, it's still critical, is the vulnerability
00:08:21 - 00:08:23
in Google's Chromium V8 engine.
00:08:23 - 00:08:25
- That's the engine in Chrome, Edge.
00:08:25 - 00:08:26
Lots of browsers, right?
00:08:26 - 00:08:27
Runs the code on websites.
00:08:27 - 00:08:29
- Correct.
00:08:29 - 00:08:31
It runs JavaScript and WebAssembly.
00:08:31 - 00:08:36
Exploiting V8 allows for those nasty browser-based attacks.
00:08:36 - 00:08:39
Sometimes, all it takes is visiting the wrong website.
00:08:39 - 00:08:41
It leads to a full system compromise potentially.
00:08:41 - 00:08:42
- It can, yeah.
00:08:42 - 00:08:44
- And connecting back to that huge number
00:08:44 - 00:08:47
at the 81% small business victims,
00:08:47 - 00:08:49
there was even a note about simpler hardware.
00:08:49 - 00:08:50
- Yes, good point.
00:08:50 - 00:08:53
The vulnerability in Western Digital My Cloud devices,
00:08:53 - 00:08:56
home or small office network storage.
00:08:56 - 00:08:57
- Right.
00:08:57 - 00:08:58
- It's a really important reminder.
00:08:58 - 00:09:01
Sometimes the easiest way into a smaller network
00:09:01 - 00:09:04
isn't some complex zero-day against a server.
00:09:04 - 00:09:06
- It's the unpatched storage box in the corner.
00:09:06 - 00:09:07
- Exactly.
00:09:07 - 00:09:10
- The attackers will always probe for the path of least resistance,
00:09:10 - 00:09:12
the lowest friction entry point.
00:09:12 - 00:09:13
- Okay, let's pivot slightly.
00:09:13 - 00:09:16
Look at the actors themselves, the groups.
00:09:16 - 00:09:17
Their motivations.
00:09:17 - 00:09:18
We've got the spies and the crooks.
00:09:18 - 00:09:21
What's new with the state-sponsored espionage side?
00:09:21 - 00:09:24
- The espionage groups are, well, relentlessly professional.
00:09:24 - 00:09:27
Take APT28, Fancy Bear,
00:09:27 - 00:09:28
usually linked to Russian interests.
00:09:28 - 00:09:29
- What are they up to?
00:09:29 - 00:09:30
- They've deployed a new backdoor,
00:09:30 - 00:09:32
specifically for Microsoft Outlook.
00:09:32 - 00:09:34
They're calling it NotDoor.
00:09:34 - 00:09:36
- New and custom for Outlook.
00:09:36 - 00:09:37
- Why is that significant?
00:09:37 - 00:09:39
- It shows a strategic effort to bypass
00:09:39 - 00:09:42
standard Microsoft security.
00:09:42 - 00:09:44
Building custom tools for specific,
00:09:44 - 00:09:47
widely used platforms like Outlook
00:09:47 - 00:09:50
is about maintaining that stealthy long-term access
00:09:50 - 00:09:51
for intelligence gathering.
00:09:51 - 00:09:52
- Very targeted.
00:09:52 - 00:09:53
What about others?
00:09:53 - 00:09:55
- We saw Mustang Panda,
00:09:55 - 00:09:58
linked to China hitting a Philippine military company,
00:09:58 - 00:10:01
classic targeted intel gathering.
00:10:01 - 00:10:02
- Specific objective.
00:10:02 - 00:10:05
- And another China-based group, Phantom Taurus,
00:10:05 - 00:10:07
seems laser focused on government
00:10:07 - 00:10:09
and telco sectors globally.
00:10:09 - 00:10:12
Again, underlines the geopolitical drivers
00:10:12 - 00:10:13
behind many of these high-end attacks.
00:10:13 - 00:10:16
- Okay, so that's the espionage side.
00:10:16 - 00:10:18
What about the pure cybercrime gangs?
00:10:18 - 00:10:21
The ones causing immediate disruption in financial pain?
00:10:21 - 00:10:23
- Well, we have to talk about scattered spider.
00:10:23 - 00:10:24
They're known for social engineering.
00:10:24 - 00:10:25
- They moved it around somewhere, right?
00:10:25 - 00:10:26
- Fully embraced it.
00:10:26 - 00:10:28
And here's the key thing.
00:10:28 - 00:10:30
The report says they remain highly active
00:10:30 - 00:10:32
despite some recent high-profile arrests.
00:10:32 - 00:10:35
- So taking out a few members doesn't stop them.
00:10:35 - 00:10:37
- It suggests their operational structures,
00:10:37 - 00:10:40
resilient, adaptable, maybe decentralized.
00:10:40 - 00:10:43
They can weather arrests and keep going.
00:10:43 - 00:10:44
- That's concerning.
00:10:44 - 00:10:46
And there was that other interesting
00:10:46 - 00:10:48
niche threat you mentioned, targeting developer.
00:10:48 - 00:10:50
- Ah, yes.
00:10:50 - 00:10:51
White Cobra.
00:10:51 - 00:10:52
This is fascinating.
00:10:52 - 00:10:55
They're reportedly responsible for planting,
00:10:55 - 00:10:57
maybe distributing 24 malicious extensions
00:10:57 - 00:10:58
for code editors.
00:10:58 - 00:11:01
- Targeting VS code and open VSX.
00:11:01 - 00:11:03
The tools developers use every day.
00:11:03 - 00:11:04
- Exactly.
00:11:04 - 00:11:06
- The supply chain attack at the source,
00:11:06 - 00:11:08
if you compromise the developer's tools.
00:11:08 - 00:11:11
- You potentially compromise everything they build downstream.
00:11:11 - 00:11:12
- That's the danger.
00:11:12 - 00:11:13
It's a very strategic target.
00:11:13 - 00:11:16
And we can't forget the non-financial threats either.
00:11:16 - 00:11:17
- Like influence ops.
00:11:17 - 00:11:18
- Right.
00:11:18 - 00:11:21
Storm-1516, identified as a Russian group,
00:11:21 - 00:11:24
focused purely on influence and disinformation campaigns.
00:11:24 - 00:11:27
A reminder that not every threat wants money.
00:11:27 - 00:11:29
Some just want to sow chaos or distrust.
00:11:29 - 00:11:30
- Yeah, okay.
00:11:30 - 00:11:31
A lot of threats out there.
00:11:31 - 00:11:32
Let's shift gears though.
00:11:32 - 00:11:34
It's not all doom and gloom.
00:11:34 - 00:11:37
The report does detail some significant pushback, right?
00:11:37 - 00:11:38
Good news.
00:11:38 - 00:11:39
- Definitely.
00:11:39 - 00:11:39
There's effective work being done
00:11:39 - 00:11:41
by law enforcement and security firms.
00:11:41 - 00:11:43
Victories worth highlighting.
00:11:43 - 00:11:44
- Like what?
00:11:44 - 00:11:45
On the defensive side.
00:11:45 - 00:11:47
- Cloudflare successfully stopped
00:11:47 - 00:11:49
a massive DDoS attack.
00:11:49 - 00:11:52
A new record-breaking size, actually: 22.2 terabits per second.
00:11:52 - 00:11:53
- Wow.
00:11:53 - 00:11:54
And their defenses held.
00:11:54 - 00:11:56
- They held.
00:11:56 - 00:11:57
That's a huge win.
00:11:57 - 00:11:58
A potentially crippling disruption
00:11:58 - 00:12:01
that just didn't happen because the engineering worked.
00:12:01 - 00:12:02
- That's good to hear.
00:12:02 - 00:12:04
And law enforcement.
00:12:04 - 00:12:05
- They're making dents.
00:12:05 - 00:12:07
- They seem to be hitting the money side hard.
00:12:07 - 00:12:09
Canada took down the TradeOgre crypto exchange.
00:12:09 - 00:12:11
- Was that used for laundering?
00:12:11 - 00:12:13
- Believed to be a key platform for it.
00:12:13 - 00:12:14
Yeah.
00:12:14 - 00:12:17
They seized $40 million in crypto there.
00:12:17 - 00:12:18
- $40 million.
00:12:18 - 00:12:19
And globally.
00:12:19 - 00:12:21
- Globally, the report notes police seizures
00:12:21 - 00:12:26
totaling around $439 million from various cybercrime rings.
00:12:26 - 00:12:28
- That's nearly half a billion dollars.
00:12:28 - 00:12:30
That has to hurt their operations.
00:12:30 - 00:12:30
- It absolutely does.
00:12:30 - 00:12:32
It disrupts their ability to scale,
00:12:32 - 00:12:36
to hire talent, buy new tools, pay for infrastructure.
00:12:36 - 00:12:38
It's a very effective way to apply pressure
00:12:38 - 00:12:40
and operational blockade, really.
00:12:40 - 00:12:41
- And arrests.
00:12:41 - 00:12:42
We heard about some of those.
00:12:42 - 00:12:44
- Yes, making headlines.
00:12:44 - 00:12:48
The UK arrested some teenagers linked to that Scattered Spider crew,
00:12:48 - 00:12:50
the ones who hit Transport for London.
00:12:50 - 00:12:50
- Right.
00:12:50 - 00:12:53
And wasn't there another arrest tied to airport disruptions?
00:12:53 - 00:12:53
- Yeah.
00:12:53 - 00:12:56
A suspect linked to the RTX ransomware attacks
00:12:56 - 00:12:58
that caused problems at airports.
00:12:58 - 00:13:01
So real world consequences for individuals involved.
00:13:01 - 00:13:02
- Good.
00:13:02 - 00:13:04
And tech company's fighting back too.
00:13:04 - 00:13:05
- Google's action is notable.
00:13:05 - 00:13:08
They removed 224 malicious Android apps
00:13:08 - 00:13:10
from the Play Store.
00:13:10 - 00:13:11
- What were they doing?
00:13:11 - 00:13:13
- Linked to a massive ad fraud campaign.
00:13:13 - 00:13:16
So Google cleaning house internally,
00:13:16 - 00:13:17
it feels like the counter attack
00:13:17 - 00:13:20
is becoming more unified, hitting the tech,
00:13:20 - 00:13:21
the money, and the people.
00:13:21 - 00:13:24
- Okay, let's try and synthesize this.
00:13:24 - 00:13:27
If you listening, take away just three core things
00:13:27 - 00:13:30
from this whole brief, this snapshot of late September.
00:13:30 - 00:13:31
- Oh.
00:13:31 - 00:13:32
- What should they be?
00:13:32 - 00:13:34
- Okay, three key takeaways.
00:13:34 - 00:13:37
First, the target profile has flipped.
00:13:37 - 00:13:39
Small businesses are now the overwhelming majority
00:13:39 - 00:13:41
of victims over 80%.
00:13:41 - 00:13:44
Your defense focus needs to reflect that reality.
00:13:44 - 00:13:44
- Got it.
00:13:44 - 00:13:46
Number one, SMBs are the main target.
00:13:46 - 00:13:49
- Second, the threat landscape is incredibly dynamic.
00:13:49 - 00:13:52
Yes, Qilin leads, but groups like Kill Security
00:13:52 - 00:13:54
show that new powerful threats can emerge
00:13:54 - 00:13:56
and scale shockingly fast.
00:13:56 - 00:13:59
You can't just watch the known players.
00:13:59 - 00:14:00
- Number two,
00:14:00 - 00:14:02
high velocity, high change in the threat actors.
00:14:02 - 00:14:05
- And third, critical infrastructure.
00:14:05 - 00:14:09
Specifically, those Cisco ASA and iOS XE devices
00:14:09 - 00:14:12
are under intense active attack.
00:14:12 - 00:14:14
Patching isn't optional, it's urgent.
00:14:14 - 00:14:15
Attackers want core control,
00:14:15 - 00:14:17
not just data theft from these systems.
00:14:17 - 00:14:20
- Number three, core network gear is under siege.
00:14:20 - 00:14:22
Patch immediately.
00:14:22 - 00:14:23
- Okay.
00:14:23 - 00:14:26
- So we see these successes, right?
00:14:26 - 00:14:27
The arrests of Scattered
00:14:27 - 00:14:30
Spider members, huge money seizures.
00:14:30 - 00:14:31
The pushback is real.
00:14:31 - 00:14:32
- But then, like you said, you see,
00:14:32 - 00:14:34
Kill Security just explode onto the scene,
00:14:34 - 00:14:36
27th to 5th, almost instantly.
00:14:36 - 00:14:39
It makes you wonder, here's the final thought for you to chew on.
00:14:39 - 00:14:41
We see these high profile arrests, these big takedowns.
00:14:41 - 00:14:43
What effect does that actually have
00:14:43 - 00:14:45
on the global rate of cyber crime long term?
00:14:45 - 00:14:48
Is the real weak link, the individual motivation
00:14:48 - 00:14:49
of the people getting caught?
00:14:49 - 00:14:50
- Or?
00:14:50 - 00:14:52
- Or is the fundamental problem,
00:14:52 - 00:14:54
the underlying security infrastructure?
00:14:54 - 00:14:57
The vulnerabilities that allow literally hundreds
00:14:57 - 00:15:01
of new groups to pop up, tool up, and scale almost instantly
00:15:01 - 00:15:03
whenever one gets taken down.
00:15:03 - 00:15:06
- That vulnerability in the infrastructure,
00:15:06 - 00:15:10
it creates this constantly fertile ground for crime cycles.
00:15:10 - 00:15:11
That's the deep challenge, isn't it?
00:15:11 - 00:15:12
- Something to think about.
00:15:12 - 00:15:15
Keep digging into those threats, keep patching,
00:15:15 - 00:15:17
and we'll be back for the next deep dive.
00:15:17 - 00:15:21
- Reach out to us at jbyer.com for comments and questions.
00:15:21 - 00:15:23
Follow us at Byer Company on social media,
00:15:23 - 00:15:25
and if you'd be so kind,
00:15:25 - 00:15:27
Please rate and review us in your podcast app.