Daily Security Review

40 Episodes

By: Daily Security Review

Daily Security Review, the premier source for news and information on security threats, Ransomware and vulnerabilities

macOS Under Siege: NimDoor Malware Targets Telegram, Wallets, and Keychains
#156
Yesterday at 10:00 PM

A new, highly advanced malware strain—NimDoor—has emerged as the latest cyber weapon in the arsenal of North Korean state-sponsored hackers, specifically targeting macOS systems used by cryptocurrency and Web3 organizations. This episode explores the complex tactics and alarming capabilities of NimDoor, a malware family showcasing a blend of C++ and Nim programming, stealthy persistence mechanisms, and an intense focus on stealing digital assets.

First identified in early 2025, NimDoor marks a significant evolution in North Korean cyber operations. Delivered through social engineering on Telegram, the attack chain begins with a deceptive fake Zoom SDK update. Once exec...


Cisco Unified CM Vulnerability: Root Access Risk for Enterprise VoIP Networks
#156
Yesterday at 7:00 PM

A newly disclosed vulnerability—CVE-2025-20309—in Cisco's Unified Communications Manager (Unified CM) and Session Management Edition has sent shockwaves through enterprise VoIP and IT security teams. The flaw stems from hardcoded root SSH credentials that could allow unauthenticated remote attackers to gain full control of affected systems. In this episode, we unpack the gravity of this vulnerability and its broader implications for VoIP security.

Cisco has issued a patch to remove the backdoor account from affected versions, but the vulnerability’s CVSS score of 10.0 underscores the risk to organizations still running unpatched systems. A successful exploit could...


Forminator Flaw Exposes WordPress Sites to Takeover Attacks: Vulnerability Threatens 600,000+ Sites
#156
Yesterday at 4:00 PM

A critical new WordPress vulnerability—CVE-2025-6463—has been discovered in the widely used Forminator plugin, affecting over 600,000 active installations and putting hundreds of thousands of websites at risk of full compromise. In this episode, we dive deep into the mechanics, risks, and remediation of this arbitrary file deletion flaw and explain what every WordPress administrator, developer, and security professional needs to know.

At the heart of this issue is improper validation in how the Forminator plugin handles file paths when deleting form entries. This allows unauthenticated attackers to inject file paths into form submissions—even in fields...


Kelly Benefits Breach: Over 550,000 Victims and the Rising Identity Theft Crisis
#156
Yesterday at 1:00 PM

In one of the latest large-scale data breaches to hit the U.S. private sector, Kelly Benefits, a provider of payroll and benefits administration services, disclosed a significant cybersecurity incident impacting over 553,000 individuals. The breach, which occurred in December 2024 but was only revealed in April 2025, exposed sensitive personal information—including names, Social Security numbers, financial data, and even medical records—of employees linked to over 40 partner organizations, such as Aetna Life Insurance and United Healthcare.

This episode explores what really happened, why this breach matters, and how it fits into the growing wave of identity theft driven by t...


FileFix, HTA, and MotW Bypass—The Alarming Evolution of HTML-Based Attacks
#155
Last Wednesday at 10:00 PM

A newly disclosed exploit dubbed FileFix is redefining how attackers bypass Microsoft Windows' built-in security protections—specifically the Mark-of-the-Web (MotW) mechanism. Developed and detailed by security researcher mr.d0x, this attack takes advantage of how browsers save HTML files and how Windows handles HTA (HTML Application) files. The result? Malicious scripts can execute without warning, bypassing the very safeguards designed to flag untrusted code.

In this episode, we break down how FileFix works, why it’s effective, and what makes it uniquely dangerous. Unlike many malware campaigns, FileFix doesn’t rely on zero-day exploits or complex payloa...


Sophisticated Cyberattack on the International Criminal Court: Justice in the Crosshairs
#154
Last Wednesday at 7:00 PM

The International Criminal Court (ICC), the world’s foremost tribunal for prosecuting war crimes, genocide, and crimes against humanity, has confirmed yet another sophisticated cyberattack, highlighting the persistent threat facing high-profile global institutions. This marks the second targeted intrusion against the ICC in recent years, and although the organization successfully detected and contained the attack, critical questions remain—who was behind it, what data may have been compromised, and how can institutions like the ICC defend against increasingly complex threats?

In this episode, we examine the June 2025 cyber incident targeting the ICC’s internal systems. While the techni...


Critical Flaws in Microsens NMP Web+ Threaten Industrial Network Security
#154
Last Wednesday at 4:00 PM

In a major red flag for the industrial cybersecurity community, three newly disclosed vulnerabilities in Microsens NMP Web+, a popular network management solution used across critical infrastructure, have revealed just how fragile many ICS environments remain. The flaws—two rated critical and one high—allow unauthenticated attackers to bypass authentication, generate forged JWTs, and execute arbitrary code, potentially enabling full system compromise with no credentials required.

Discovered by security researcher Noam Moshe, the vulnerabilities demonstrate how a combination of weak authentication mechanisms and insecure file handling can open the door to devastating attacks. While patches have now been...
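Why a hard-coded signing key amounts to no authentication at all, as an added illustration rather than Microsens code: the key below is a made-up stand-in, not anything extracted from the product. With a key that ships in every build, an attacker mints an admin token that verifies everywhere; a key generated per installation plus an enforced expiry stops the same token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed stand-in for a signing key compiled into a product build. Every installation
# that ships this binary shares it, so anyone who extracts it can sign tokens for all of them.
SHIPPED_KEY = b"example-build-key-do-not-ship-this"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. Nothing here is secret except the key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature checks out and 'exp' lies in the future, else None."""
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        claims = json.loads(_b64url_decode(payload))
        given = _b64url_decode(sig)
    except ValueError:
        return None
    if hdr.get("alg") != "HS256":           # refuse 'none' and algorithm-switching tricks
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None                         # missing or past expiry is a rejection, not a pass
    return claims


def forge_admin_token(key: bytes, now: float) -> str:
    """What an attacker does once the key is known: sign whatever claims they like."""
    return sign_jwt({"sub": "attacker", "role": "admin", "exp": now + 3600}, key)


def demo() -> dict:
    now = 1_750_000_000.0                       # fixed clock so the result is reproducible
    per_install_key = secrets.token_bytes(32)   # generated at first boot, never in the binary
    forged = forge_admin_token(SHIPPED_KEY, now)
    immortal = sign_jwt({"sub": "svc", "role": "admin"}, per_install_key)   # no 'exp' at all
    legit = sign_jwt({"sub": "operator", "exp": now + 60}, per_install_key)
    return {
        "forged_accepted_by_shipped_key": verify_jwt(forged, SHIPPED_KEY, now) is not None,
        "forged_rejected_by_per_install_key": verify_jwt(forged, per_install_key, now) is None,
        "no_expiry_rejected": verify_jwt(immortal, per_install_key, now) is None,
        "legit_accepted": verify_jwt(legit, per_install_key, now) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The two checks that matter on the verifying side are the ones products most often skip: pin the algorithm rather than trusting the header, and treat a missing `exp` as invalid rather than as "never expires".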


Qantas Data Breach: Third-Party Hack Exposes Millions of Frequent Flyers
#153
Last Wednesday at 1:00 PM

In a stark reminder of the aviation industry's growing exposure to cyber threats, Australian airline Qantas recently confirmed a serious data breach—this time not from its own systems, but from a third-party platform used by one of its customer contact centers. The breach exposed personal data for up to six million customers, including names, dates of birth, contact details, and frequent flyer numbers. Although financial and passport information were not affected, the scale and nature of the compromise have sent shockwaves through the sector.

This episode unpacks what happened, why it matters, and what the broader av...


Berlin Regulator Targets DeepSeek AI Over Data Transfers to China
#152
Last Tuesday at 10:00 PM

Germany’s battle over digital sovereignty and data privacy has intensified, with the Berlin Commissioner for Data Protection formally requesting that Google and Apple remove the DeepSeek AI application from their app stores. The move stems from allegations that DeepSeek, a Chinese-developed generative AI platform, violates the EU’s General Data Protection Regulation (GDPR) by unlawfully collecting data from German users and transferring it to Chinese servers—beyond the EU’s legal jurisdiction and outside GDPR’s protections.

This episode explores the broader implications of this takedown request under Article 16 of the EU Digital Services Act (DSA) and unpack...


CISA Flags Citrix NetScaler Flaws: What CVE-2025-6543 Means for Federal and Private Networks
#151
Last Tuesday at 7:00 PM

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple Citrix NetScaler vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog—an urgent signal for federal agencies and private enterprises alike. At the center of this update is CVE-2025-6543, a memory overflow flaw affecting NetScaler ADC and Gateway appliances that can lead to unintended control flow and denial of service when the appliance is configured as a Gateway or AAA virtual server. It joins two earlier KEV entries for 2023-era NetScaler bugs: CVE-2023-6548, a code injection flaw in the management interface, and CVE-2023-6549, a buffer overflow that causes denial of service.

In this episode, we explore why NetScaler vulnerabilities are drawing heightened attention, how they are actively being ex...


Cato Networks Secures $359M to Fuel AI-Powered SASE Expansion
#151
Last Tuesday at 4:00 PM

Cato Networks just raised $359 million in Series G funding, pushing its valuation past $4.8 billion and its total funding beyond the $1 billion mark—a milestone that cements its place as one of the most formidable players in the rapidly expanding Secure Access Service Edge (SASE) market. In this episode, we unpack what this massive investment means for the future of enterprise cybersecurity, AI integration, and network transformation.

Founded in 2015, Cato has built a cloud-native platform that seamlessly unifies SD-WAN, security services, and a global private backbone across more than 85 Points of Presence. With over 3,500 customers already on board, Ca...


Chrome’s Latest Zero-Day: CVE-2025-6554 and Remote Code Execution Risks
#151
Last Tuesday at 1:00 PM

A new high-severity zero-day vulnerability in Google Chrome—CVE-2025-6554—has sent shockwaves across the cybersecurity landscape. This episode dives into the technical details, real-world impact, and broader implications of this actively exploited flaw. Tracked as a type confusion bug in Chrome’s V8 JavaScript engine, the vulnerability allows attackers to remotely execute code by luring users to malicious HTML pages—a powerful vector for surveillance, espionage, or criminal exploitation.

We break down the story behind the vulnerability, discovered by Google’s own Threat Analysis Group, and examine what it reveals about the state of browser security today. Chr...


Russia’s 16KB Curtain: Cloudflare Throttling and the Future of the RuNet
#150
Last Monday at 10:00 PM

Russia has entered a new phase of digital authoritarianism. In a sweeping move, Russian Internet Service Providers (ISPs) have begun systematically throttling access to Cloudflare and other Western-backed services, including infrastructure giants Hetzner and DigitalOcean. This throttling is so severe that it restricts downloads to just 16 kilobytes per connection—effectively rendering affected websites unusable. It’s a chilling technical development dubbed the “16KB Curtain.”

In this episode, we explore Russia’s strategic effort to isolate its internet from the global web—a campaign known as digital sovereignty. This isn’t just a geopolitical talking point. It’s an active campai...


Ahold Delhaize Data Breach: 2.2 Million Employee Records Exposed
#150
Last Monday at 7:00 PM

Ahold Delhaize, one of the world’s largest food retailers, is now the subject of one of the most significant ransomware breaches in recent U.S. history. Affecting over 2.2 million current and former employees, this incident—claimed by the cybercrime group INC Ransom—highlights the rising threat posed by ransomware-as-a-service operations targeting enterprise systems across critical sectors.

In this episode, we unpack the breach, its long-delayed public disclosure, and the sensitive data exposed—including Social Security numbers, financial accounts, health records, and employment data. While customer payment information appears unaffected, the breach underscores systemic vulnerabilities in enterprise cybersec...


Why Canada Banned Hikvision: National Security vs. Geopolitics
#150
Last Monday at 4:00 PM

Canada has taken a definitive stance in the escalating global scrutiny of Chinese technology, ordering surveillance giant Hikvision to cease all operations within its borders. Citing national security concerns and acting on the advice of intelligence agencies, the Canadian government has banned the use of Hikvision products across its public sector, initiated reviews of existing installations, and aligned itself with a growing international movement to curtail the influence of Chinese state-linked tech.

This podcast unpacks the details of Canada’s decision and places it within the broader geopolitical, regulatory, and cybersecurity context. Hikvision, already the subject of U...


Scattered Spider Takes Flight: Inside the Cybercrime Group’s Move into Aviation
#150
Last Monday at 1:00 PM

As the aviation industry becomes more digitally interconnected, its exposure to sophisticated cyber threats continues to grow. One of the most dangerous actors in this space—Scattered Spider, a financially motivated and technically skilled cybercrime group—has recently shifted its focus to target the aviation sector. With recent incidents involving Hawaiian Airlines, WestJet, and others, global concern is rising over the safety of airline IT systems, vendor infrastructure, and the broader aviation supply chain.

This episode unpacks how Scattered Spider operates, why the aviation industry is increasingly at risk, and what this means for cybersecurity readiness in one...


Fortnite and the FTC: How Epic Games Misled Players into Unwanted Purchases
#149
06/27/2025

In a landmark case that reshapes the conversation around digital ethics, the Federal Trade Commission's $520 million settlement with Epic Games over Fortnite (of which $245 million covered refunds for the game's billing practices and $275 million a penalty for children's privacy violations) highlights a critical issue facing the modern digital economy: the weaponization of interface design to manipulate users. Central to the case is the use of "dark patterns"—subtle yet deceptive design strategies intended to steer users, including children, into making unintended purchases.

This episode dissects how Epic’s design choices—like omitting purchase confirmation screens and placing critical purchase functions adjacent to navigation buttons—led to millions in unauthorized transactions. We examine how th...


Microsoft 365 Direct Send Exploited: How Phishing Emails Masquerade as Internal Messages
#148
06/27/2025

Phishing has long been a favored weapon of cybercriminals, but a recent revelation about Microsoft 365's Direct Send feature has elevated the threat to a new level—from inside the firewall. Designed so that on-premises devices and applications (printers, scanners, line-of-business systems) can deliver mail to the tenant's own mailboxes without authenticating, Direct Send can be abused by outsiders to submit messages that appear to originate from trusted internal addresses. Without compromising a single user account, attackers can craft phishing messages that reach inboxes even though they fail SPF and DMARC checks, because the tenant's own mail gateway accepts them, turning the organization's email infrastructure against it.

In this episode, we dive deep into how this vulnerability is bei...
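A triage check for the abuse described above, added here and not drawn from the episode or from Microsoft: it flags mail that claims the tenant's own domain in From but did not arrive as an authenticated internal sender and either failed SPF or came from an address outside the ranges approved for unauthenticated relays. The domain, the trusted ranges and the three sample messages are constructed for the example; the header names are the ones Exchange Online stamps on delivered mail.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the tenant's own domain and the address ranges its legitimate
# unauthenticated senders (printers, on-prem relays) use. Neither comes from the episode.
OUR_DOMAIN = "example.com"
TRUSTED_SENDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample messages. The first is the spoof pattern: our domain in From, submitted
# anonymously from an outside address, SPF and DMARC both failing, yet delivered.
SPOOFED = """\
Received: from [198.51.100.7] by example-com.mail.protection.outlook.com
Authentication-Results: spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none header.from=example.com
X-MS-Exchange-Organization-AuthAs: Anonymous
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Voicemail waiting: action required

A new voicemail is waiting. Open the attachment to listen.
"""

PRINTER = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.40) smtp.mailfrom=example.com; dkim=none; dmarc=pass header.from=example.com
X-MS-Exchange-Organization-AuthAs: Anonymous
From: Scanner <scanner@example.com>
To: alice@example.com
Subject: Scanned document

See attached scan.
"""

PARTNER = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.9) smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example
X-MS-Exchange-Organization-AuthAs: Anonymous
From: Partner Billing <billing@partner.example>
To: alice@example.com
Subject: Invoice

Invoice attached.
"""


def classify(raw_message: str) -> dict:
    """Flag a message that claims our own domain in From but was not submitted as an
    authenticated internal sender and cannot be tied to an approved unauthenticated relay."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    auth_results = msg.get("Authentication-Results", "")
    spf_match = re.search(r"\bspf=(\w+)", auth_results)
    spf = spf_match.group(1).lower() if spf_match else "none"
    ip_match = re.search(r"sender IP is ([0-9a-fA-F.:]+)", auth_results)
    sender_ip = ipaddress.ip_address(ip_match.group(1)) if ip_match else None
    auth_as = msg.get("X-MS-Exchange-Organization-AuthAs", "").strip().lower()

    reasons = []
    if from_domain == OUR_DOMAIN and auth_as != "internal":
        spf_ok = spf == "pass"
        ip_ok = sender_ip is not None and any(sender_ip in net for net in TRUSTED_SENDER_NETS)
        if not (spf_ok and ip_ok):
            reasons.append(f"claims {OUR_DOMAIN} but AuthAs={auth_as or 'missing'}")
            if not spf_ok:
                reasons.append(f"spf={spf}")
            if not ip_ok:
                reasons.append(f"sender IP {sender_ip} is not an approved relay")
    return {"from_domain": from_domain, "suspicious": bool(reasons), "reasons": reasons}


def demo() -> dict:
    samples = {"spoofed": SPOOFED, "printer": PRINTER, "partner": PARTNER}
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The partner message is left alone because it never claims the tenant's domain; the printer is left alone because it sends from an approved range and passes SPF. Detection is the fallback: where no device needs the feature, Exchange Online's tenant-level option to reject Direct Send (`Set-OrganizationConfig -RejectDirectSend $true`) closes the door outright, and a DMARC policy of reject stops the spoofed domain from landing anywhere else.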


Open VSX Registry Flaw Exposes Millions of Developers to Supply Chain Risk
#148
06/27/2025

A critical flaw in the Open VSX Registry—an open-source alternative to the Visual Studio Code Marketplace—recently put over 8 million developers at risk of mass compromise. This vulnerability, discovered in the platform’s GitHub Actions workflow, exposed a super-admin publishing token that could have enabled malicious actors to overwrite or inject malware into any extension in the registry. Given the widespread use of Open VSX in platforms like Gitpod, Google Cloud Shell, and Cursor, the consequences could have been devastating.

This episode explores the depths of this security lapse and the broader risks posed by extension market...


CitrixBleed 2: Critical NetScaler Vulnerability Enables Session Hijacking and MFA Bypass
#148
06/27/2025

A new critical vulnerability in Citrix NetScaler ADC and Gateway systems, dubbed CitrixBleed 2 (CVE-2025-5777), has emerged as a serious threat to remote access infrastructure. This memory exposure flaw allows unauthenticated attackers to extract session tokens directly from device memory — enabling session hijacking and even bypassing multi-factor authentication (MFA). With early evidence of exploitation in the wild and eerie similarities to the original CitrixBleed (CVE-2023-4966), the risk to enterprise environments is substantial.

The vulnerability is caused by insufficient input validation, leading to out-of-bounds memory reads when NetScaler is configured as a Gateway or AAA virtual server. On...


OneClik Cyberattack Campaign Targets Energy Sector Using Microsoft ClickOnce and AWS
#147
06/26/2025

A sophisticated cyber-espionage campaign named OneClik is actively targeting energy, oil, and gas organizations using a combination of legitimate cloud infrastructure and novel attack techniques. The campaign, attributed to an unknown but likely state-affiliated actor, leverages Microsoft's ClickOnce deployment technology to deliver custom Golang-based malware known as RunnerBeacon. The use of AWS APIs for command-and-control (C2) communications allows OneClik to operate within trusted cloud environments, making detection by traditional tools extremely difficult.

The campaign reflects broader trends in critical infrastructure cyber threats — particularly the abuse of legitimate services to “live off the land” and the use of advanc...


Central Kentucky Radiology’s 2024 Data Breach Affects 167,000
#146
06/26/2025

In October 2024, Central Kentucky Radiology (CKR), a Lexington-based imaging provider, became the latest victim of a growing trend in healthcare cyberattacks. An unauthorized actor accessed CKR’s systems over a two-day period, compromising sensitive data for approximately 167,000 individuals. The stolen information includes names, Social Security numbers, birth dates, addresses, insurance details, and medical service records — a deeply invasive breach, though no fraud has yet been confirmed.

While the nature of the attack has not been publicly confirmed, the system disruption and timing strongly suggest a ransomware event — part of a broader wave of escalating cyber threats against the he...


Bonfy.AI Launches $9.5M Adaptive Content Security Platform to Govern AI and Human Data
#146
06/26/2025

In a major development at the intersection of cybersecurity and AI governance, Israeli startup Bonfy.AI has officially launched its adaptive content security platform, backed by $9.5 million in seed funding. The company’s mission is bold and timely: to secure content generated by both humans and AI across modern SaaS ecosystems — including high-risk environments like Slack, Salesforce, and AI chatbots such as ChatGPT.

As organizations increasingly rely on generative AI tools for productivity and automation, the risks to data privacy, intellectual property, and regulatory compliance have grown sharply. Bonfy.AI’s platform addresses these issues head-on. Unlike tradit...


Zero-Day Level Cisco ISE Flaws: Urgent Patch Required for Enterprise Security
#146
06/26/2025

Cisco has disclosed two critical security vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) products, both earning a maximum CVSS severity score of 10.0. These flaws—CVE-2025-20281 and CVE-2025-20282—allow unauthenticated remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The vulnerabilities are unrelated but equally severe, highlighting urgent concerns for organizations relying on Cisco ISE for network access control and identity policy enforcement.

CVE-2025-20281 is caused by insufficient input validation in a public-facing API, while CVE-2025-20282 stems from improper file validation that allows mali...


U.S. Government Pushes Back on Meta: WhatsApp Labeled a High-Risk App
#145
06/25/2025

The U.S. House of Representatives has officially banned the use of WhatsApp on all House-managed devices, citing significant data security risks. This move places WhatsApp alongside other restricted applications like TikTok, ChatGPT, and Microsoft Copilot, reflecting an intensifying government focus on digital security and the reliability of consumer platforms used in official contexts.

The House Chief Administrative Officer (CAO) raised several concerns: the lack of transparency in WhatsApp's data protection practices, the absence of stored data encryption, and potential vulnerabilities—particularly in light of a recent spyware attack exploiting a WhatsApp vulnerability. The CAO has instead re...


How Cyberattacks on Mainline Health and Select Medical Exposed Over 200,000 Patients
#145
06/25/2025

The healthcare industry is facing a relentless wave of cyber threats, as demonstrated by two recent breaches impacting Mainline Health Systems and Select Medical Holdings. In April 2024, Mainline Health experienced a direct ransomware attack by the INC Ransom group, compromising sensitive data for over 101,000 individuals. Select Medical’s breach, in contrast, occurred through a third-party vendor—Nationwide Recovery Services—exposing records of nearly 120,000 patients. These incidents illustrate the growing vulnerability of healthcare organizations, whether from direct attacks or through weaknesses in their extended vendor networks.

As healthcare organizations digitize records, adopt connected medical devices, and rely on cloud...


The Siemens-Microsoft Antivirus Dilemma Threatening OT Security
#144
06/25/2025

This episode examines a serious conflict between Siemens’ Simatic PCS industrial control systems and Microsoft Defender Antivirus. The absence of an "alert only" mode in Defender has created a significant operational risk for plants running Siemens’ systems. Without this functionality, operators must choose between ignoring potential malware detections—remaining unaware of infections—or allowing Defender to quarantine or delete critical files, potentially destabilizing control processes or halting operations entirely.

Siemens is actively working with Microsoft to resolve the issue. Until a fix is available, Siemens advises customers to perform risk assessments and carefully configure Defender to minimize the risk...


Prometei Botnet’s Global Surge: A Threat to Linux and Windows Systems Alike
#144
06/25/2025

Prometei is one of the most persistent and sophisticated botnet threats in circulation today. First identified in 2020—and active since at least 2016—this modular malware continues to evolve rapidly, targeting both Windows and Linux systems across the globe. Originally designed for cryptocurrency mining, Prometei has expanded its capabilities to include credential theft, lateral movement, command execution, and stealthy persistence, making it an adaptable and resilient threat for enterprise environments.

In this episode, we examine the latest developments in Prometei’s operations. Recent updates to the malware include a fully integrated backdoor, self-updating features, dynamic domain generation for comman...


Patient Trust on the Line: The Fallout from McLaren Health Care’s 2024 Breach
#143
06/24/2025

In this episode, we dive into the 2024 McLaren Health Care data breach that compromised the sensitive information of over 743,000 individuals—just one year after a similar ransomware attack impacted 2.2 million.

We’ll unpack the timeline of the attack: how cybercriminals gained unauthorized access between July 17 and August 3, exploiting vulnerabilities in McLaren’s network to steal personally identifiable information (PII) and protected health information (PHI)—including Social Security numbers and medical records.

But this is about more than one hospital system. We’ll explore why the healthcare sector has become a prime target for ransomware: a dangerous...


NeuralTrust’s Echo Chamber: The AI Jailbreak That Slipped Through the Cracks
#143
06/24/2025

This podcast dives deep into one of the most pressing vulnerabilities in modern AI — the rise of sophisticated "jailbreaking" attacks against large language models (LLMs). Our discussion unpacks a critical briefing on the evolving landscape of these attacks, with a spotlight on the novel “Echo Chamber” technique discovered by NeuralTrust.

Echo Chamber weaponizes context poisoning, indirect prompts, and multi-turn manipulation to subtly erode an LLM's safety protocols. By embedding "steering seeds" — harmless-looking hints — into acceptable queries, attackers can build a poisoned conversational context that progressively nudges the model toward generating harmful outputs.

We'll explore how this metho...


AT&T, Verizon, and Beyond: How Salt Typhoon Targets Global Telcos
#142
06/24/2025

In this episode, we dive deep into the alarming revelations about Salt Typhoon—a Chinese state-sponsored advanced persistent threat (APT) actor, also known as RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286. Backed by China’s Ministry of State Security (MSS), this group has been running extensive cyber espionage operations since at least 2023, with a focus on telecommunication giants, government agencies, technology firms, and academic institutions around the world.

We’ll unpack how Salt Typhoon leveraged critical vulnerabilities, like CVE-2023-20198, and custom malware such as GhostSpider and Demodex, to gain deep, persistent access to telecom infrastructure in the U...


Fake Microsoft, Netflix, & Apple Support: The Scam Lurking in Google Search
#142
06/24/2025

In this eye-opening episode, we break down a sophisticated new trend in tech support scams (TSS) that’s catching even the most cautious users off guard.

Scammers are now hijacking Google Ads and manipulating search results to funnel users—who are simply looking for help—to malicious phone numbers injected directly into legitimate websites like Apple, Microsoft, Netflix, and major banks. Clicking on what appears to be an official Google Ad can land you on a real brand page — but with a fake tech support number secretly inserted into the URL path or internal search results.

We’ll...
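A detector for the URL pattern described above, added as an example and not taken from the episode or from any vendor: it pulls phone-number-shaped strings out of a URL's path, query and fragment, and only treats them as a lure when they sit on a brand-owned host together with "call us" wording, so order numbers and other ten-digit identifiers are not flagged. The brand domains and sample URLs are placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# North American numbers in the shapes scam pages plant them: 1-800-555-0199, (800) 555-0199, +1 800.555.0199
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
# Words that turn a bare number into a "call us" lure; extend per language and brand.
LURE_WORDS = ("call", "support", "helpline", "help line", "toll free", "customer service", "contact", "agent")
# Placeholder brand domains standing in for the real sites the episode says were abused.
BRAND_DOMAINS = ("example-brand.com", "example-bank.com")

# Constructed sample URLs: a poisoned site search, a poisoned path, a benign order page, a clean page.
SEARCH_URL = "https://www.example-bank.com/search?q=Call+Support+%2B1+%28800%29+555-0142+Customer+Service"
PATH_URL = "https://support.example-brand.com/help/contact/Helpline+1-800-555-0199/"
ORDER_URL = "https://www.example-brand.com/orders/8005550101"
CLEAN_URL = "https://www.example-brand.com/support/articles/reset-password"


def find_injected_numbers(url: str) -> list:
    """Return every phone-number-shaped string in the URL's path, query or fragment,
    noting whether lure wording accompanies it in the same field."""
    parts = urlsplit(url)
    fields = []
    for i, seg in enumerate(s for s in parts.path.split("/") if s):
        fields.append((f"path[{i}]", unquote_plus(seg)))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        fields.append((f"query[{key}]", value))
    if parts.fragment:
        fields.append(("fragment", unquote_plus(parts.fragment)))
    hits = []
    for where, text in fields:
        lure = any(word in text.lower() for word in LURE_WORDS)
        for match in PHONE_RE.finditer(text):
            hits.append({"where": where, "number": match.group(0), "lure": lure})
    return hits


def is_support_scam_url(url: str) -> bool:
    """A brand-owned host plus a phone number wrapped in lure wording is the pattern to block."""
    host = urlsplit(url).hostname or ""
    on_brand = any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)
    return on_brand and any(hit["lure"] for hit in find_injected_numbers(url))


def demo() -> dict:
    return {u: is_support_scam_url(u) for u in (SEARCH_URL, PATH_URL, ORDER_URL, CLEAN_URL)}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(verdict, url, find_injected_numbers(url))
```

Run at a proxy or as a browser extension rule, the lure-word requirement is what keeps the false positive rate tolerable; on its own, a ten-digit match fires on order IDs, tracking numbers and timestamps.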


From Malware to Court: Qilin Ransomware’s ‘Call a Lawyer’ Tactic
#141
06/23/2025

In this episode, we take a deep dive into the Qilin ransomware group — now regarded as the world’s leading ransomware-as-a-service (RaaS) operation — and explore how it’s reshaping the cybercrime landscape in 2025.

Qilin, also known as Agenda, burst onto the scene in 2022 with a Go-based ransomware. It has since evolved into a highly evasive Rust-based malware platform targeting both Windows and Linux environments, including critical VMware ESXi servers. The group uses aggressive double extortion tactics — encrypting data while also threatening public exposure of stolen information — with ransom demands ranging from $50,000 to $800,000.

But what truly sets Qilin a...


Zero-Click, Zero-Warning: The FreeType Flaw Behind a Spyware Surge
#140
06/23/2025

In this episode, we dive deep into the story behind CVE-2025-27363, a critical zero-click vulnerability in the widely used FreeType font rendering library. Initially discovered by Facebook’s security team and patched by Google in May 2025, this flaw allowed attackers to execute arbitrary code on Android devices—without any user interaction—by exploiting how FreeType parsed certain font structures.

This seemingly obscure bug became a key attack vector for Paragon Solutions’ "Graphite" spyware, an Israeli-made surveillance tool capable of taking near-total control of compromised smartphones. Through forensic analysis, it was revealed that Paragon’s spyware leveraged CVE-2025-2...


The Insurance Industry Under Fire: Anatomy of the Aflac Cyber Incident
#140
06/23/2025

In this episode, we take a deep dive into the June 2025 cyberattack on Aflac, one of the latest strikes in a growing wave of sophisticated, AI-driven cyber campaigns targeting the insurance industry. On June 12, Aflac detected suspicious activity within its U.S. network—a breach attributed to a highly organized cybercrime group and part of a larger pattern of targeted attacks against financial and insurance providers.

Our discussion goes beyond Aflac’s rapid response to explore the broader cybersecurity landscape of 2024-2025: a time marked by an explosion in third-party supply chain vulnerabilities, the resurgence of ransomware, and...


The Nucor Cyberattack: How Ransomware Threatens American Steel
#139
06/23/2025

In May 2025, a ransomware attack forced Nucor — one of America’s largest steel producers — to halt its metal production operations. This wasn’t just a corporate IT incident: it disrupted a critical link in the nation’s industrial supply chain.

In this episode, we take an in-depth look at the Nucor attack: how cybercriminals targeted operational technology (OT) systems, why manufacturers like Nucor are becoming prime ransomware targets, and what this means for national security.

We analyze the escalating tactics of ransomware groups, including sophisticated loader chains, abuse of legitimate tools, and emerging delivery methods that can t...


Inside the $225M Crypto Seizure: How Law Enforcement Traced Illicit Funds Across Borders
#138
06/22/2025

A staggering $225 million in illicit cryptocurrency was recently seized by U.S. authorities in what has become the largest digital asset recovery in Secret Service history. This episode unpacks the mechanics, methods, and forensics that made this possible—and how a sprawling network of scams, labor compounds, and fake identities in Southeast Asia unraveled under blockchain scrutiny.

We explore how cryptocurrency is being used in modern money laundering operations—from intermediary wallet “hops” and high-frequency rounded transactions, to tumblers like Wasabi Wallet and Tornado Cash, and privacy coins like Monero. You'll hear how these laundering methods are structured, and why...


Inside CVE-2025-23121: Veeam RCE Flaw Opens Door to Ransomware
#138
06/22/2025

Ransomware groups are no longer just encrypting data — they're going straight for the backups. And if those backups aren’t properly protected, recovery becomes impossible, and ransom payouts more likely. In this episode, we dive deep into how threat actors are exploiting critical vulnerabilities in widely used backup systems, focusing on the recently disclosed CVEs affecting Veeam Backup & Replication.

We explore CVE-2025-23121, a critical remote code execution flaw already being weaponized in the wild, and CVE-2025-24287, a privilege escalation vulnerability that opens the door for deeper compromise. These aren't theoretical risks — these are the exact tactic...


Fasana’s Collapse: How One Ransomware Attack Crippled a German Manufacturer
#137
06/21/2025

Ransomware just bankrupted a 100-year-old manufacturer—and the world should take notice.

In this episode, we dissect the cyberattack that brought down Fasana, a German paper napkin producer, and pushed it into insolvency. On May 19, 2025, employees arrived to find printers ejecting extortion notes. By the end of the week, systems were paralyzed, €250,000 in daily orders went unprocessed, and the company hemorrhaged €2 million in under 14 days. Fasana couldn’t pay salaries, couldn’t ship products, and now has just eight weeks to find a buyer or shut down for good.

We explore how this happened—and why it could...


Inside the 16 Billion Credential Leak: The Infostealer Engine Behind the Biggest Breach Yet
#137
06/21/2025

In this episode, we break down the true scale and mechanics behind the largest credential leak ever recorded—over 16 billion login credentials, most of them exfiltrated by infostealer malware.

We dive into how this happened: from the malware-as-a-service (MaaS) model enabling even low-skill threat actors to deploy powerful stealers, to how credentials are harvested from infected systems, bundled into "logs", and sold on dark web marketplaces.

You'll learn about the rise of credential stuffing attacks that use these logs to hijack user accounts at scale, bypassing traditional defenses with distributed botnets and evasion tactics. We ex...
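A minimal credential-stuffing detector run over constructed login records, added here and not from the episode: per source address it watches a sliding window for many distinct usernames failing at a high failure rate, then reports any account that logged in successfully from a source already flagged. The log format, thresholds and addresses are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape: "<ISO timestamp>Z ip=<addr> user=<name> result=<fail|success>"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

# Constructed sample: one source sprays seven accounts in under a minute and lands one;
# a second source is a real user fumbling a password; a third is ordinary traffic.
SAMPLE_LOG = """\
2025-06-21T10:00:01Z ip=198.51.100.23 user=alice result=fail
2025-06-21T10:00:03Z ip=198.51.100.23 user=bob result=fail
2025-06-21T10:00:05Z ip=198.51.100.23 user=carol result=fail
2025-06-21T10:00:07Z ip=198.51.100.23 user=dave result=fail
2025-06-21T10:00:09Z ip=198.51.100.23 user=erin result=fail
2025-06-21T10:00:11Z ip=198.51.100.23 user=frank result=success
2025-06-21T10:00:13Z ip=198.51.100.23 user=grace result=fail
2025-06-21T10:01:00Z ip=203.0.113.5 user=alice result=fail
2025-06-21T10:01:20Z ip=203.0.113.5 user=alice result=fail
2025-06-21T10:01:45Z ip=203.0.113.5 user=alice result=success
2025-06-21T10:02:00Z ip=192.0.2.77 user=heidi result=success
"""


def parse_log(text: str) -> list:
    """Turn raw lines into time-ordered events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "success"})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_stuffing(text: str, window: timedelta = timedelta(minutes=5),
                    min_distinct_users: int = 5, min_failure_ratio: float = 0.8) -> dict:
    """Per source IP, keep a sliding window of attempts. Many different usernames failing,
    with failures dominating the window, is a stuffing run; a success from a flagged source
    is a probable account takeover."""
    per_ip = defaultdict(deque)
    flagged, compromised = set(), set()
    for ev in parse_log(text):
        dq = per_ip[ev["ip"]]
        dq.append(ev)
        while dq and dq[0]["ts"] < ev["ts"] - window:
            dq.popleft()
        failures = [e for e in dq if not e["ok"]]
        distinct_users = {e["user"] for e in failures}
        if len(distinct_users) >= min_distinct_users and len(failures) / len(dq) >= min_failure_ratio:
            flagged.add(ev["ip"])
        if ev["ip"] in flagged and ev["ok"]:
            compromised.add(ev["user"])
    return {"sources": sorted(flagged), "possibly_compromised": sorted(compromised)}


def demo() -> dict:
    return detect_stuffing(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

The distinct-username count is what separates stuffing from a user who mistypes their own password three times. A per-source threshold is also exactly what a distributed botnet is built to stay under, so the same window should additionally be keyed on the target account (one account, many sources) and on coarser attributes such as ASN or user agent.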