Simply Cyber Newsletter #170

Crush Your Week Like a Cyber Pro with Simply Cyber!

Start your work week off at full speed with expert analysis and actionable intel from top cybersecurity news stories. Share with your End Users, Peers, and Executives to support weekly security awareness with the Simply Cyber Newsletter!

FOR END USERS

Snail mail letters target Trezor and Ledger users in crypto-theft attacks. Threat actors are mailing physical letters impersonating Trezor and Ledger, urging hardware wallet users to complete a mandatory “Authentication” or “Transaction Check.” QR codes lead to phishing sites that request recovery phrases, allowing attackers to take control of wallets and steal cryptocurrency.

What you need to know: Educate your end users that phishing is no longer limited to email or SMS. Attackers are now using physical mail with logos, deadlines, and official language to pressure victims into scanning QR codes and entering sensitive information. Reinforce that recovery phrases are equivalent to full account ownership. If someone has the phrase, they control the funds.

From a behavioral standpoint, urgency and authority are doing the heavy lifting here. The letters threaten loss of access and reference compliance language to trigger fear-based decisions. Train users to pause when they see deadlines tied to account access and to verify requests through official websites typed directly into the browser, not via QR codes.

Challenge your own assumption:
Before assuming this is obvious, ask why a reasonable person might comply. Crypto users expect firmware updates, authentication changes, and security notifications; the language sounds technical but familiar, the printed letter feels official, and a QR code feels like a normal convenience feature. Use this perspective to design awareness discussions that start with “Why would this feel legitimate?” and then walk through the decision points. Training built around realistic thought processes strengthens judgment and reduces overconfidence in high-pressure moments.

FOR PEERS

Starkiller: New ‘Commercial-Grade’ Phishing Kit Bypasses MFA. Researchers described a phishing kit called Starkiller that operates as a subscription service and proxies legitimate login pages in real time. By relaying credentials and one-time codes through attacker infrastructure, it can capture sessions and account access without relying on static page clones that are easy to fingerprint.

What you need to know: Discuss with your peers treating this as an identity and session security problem, not an MFA failure. Because the victim authenticates to the real service through a proxy, the attacker can capture credentials, MFA codes, and often the authenticated session, so prevention still starts with stopping delivery and reducing click-through.

Prioritize controls that raise the cost of real-time phishing: phishing-resistant MFA where feasible, conditional access tied to device posture, and session protections such as token binding where supported. Align monitoring to what this technique actually produces: new sign-ins from atypical locations, impossible travel, suspicious device enrollment, unusual OAuth app grants, and session token reuse patterns. Build playbooks that treat “user entered MFA code into a fake portal” as a high-confidence compromise event with fast containment steps: revoke sessions, reset credentials, rotate tokens, and review mailbox forwarding rules.
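Two of the signals named above, impossible travel and sign-ins from an unenrolled device, can be checked with a few lines of detection logic. The script below is an added example written for this newsletter, not code from Simply Cyber or any vendor product; the pipe-delimited sign-in event format, the field names, the 900 km/h plausibility threshold, the 50 km jitter floor and the sample log lines are all constructed assumptions for illustration.

```python
"""Impossible-travel and new-device detection over constructed sign-in events.

Added example; not from the newsletter or any product. The event format
("ts|user|ip|lat|lon|device_id"), the thresholds and the sample lines are
assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0      # assumed: ignore geolocation jitter inside one metro area

# Constructed sample log: Seattle laptop, then an Amsterdam sign-in 45 minutes
# later from an unknown device; Bob moves NYC -> Boston over four hours.
SAMPLE_LOG = """\
2025-01-01T08:00:00Z|alice|203.0.113.10|47.6062|-122.3321|dev-alice-laptop
2025-01-01T08:45:00Z|alice|198.51.100.7|52.3676|4.9041|dev-unknown-1
2025-01-01T09:00:00Z|bob|192.0.2.5|40.7128|-74.0060|dev-bob-phone
2025-01-01T13:00:00Z|bob|192.0.2.9|42.3601|-71.0589|dev-bob-phone
"""

# Constructed baseline of devices each user has previously enrolled.
KNOWN_DEVICES: Dict[str, Set[str]] = {
    "alice": {"dev-alice-laptop"},
    "bob": {"dev-bob-phone"},
}


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    device_id: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_event(line: str) -> SignIn:
    """Parse one 'ts|user|ip|lat|lon|device_id' line into a SignIn record."""
    ts, user, ip, lat, lon, device = line.strip().split("|")
    # fromisoformat accepts 'Z' only on newer Pythons; normalise the offset.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return SignIn(user, when, ip, float(lat), float(lon), device)


def parse_log(text: str) -> List[SignIn]:
    return [parse_event(ln) for ln in text.splitlines() if ln.strip()]


def detect_impossible_travel(events: List[SignIn],
                             max_kmh: float = MAX_PLAUSIBLE_KMH
                             ) -> List[Tuple[str, str, float]]:
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.

    Returns (user, ip_of_the_later_sign_in, implied_kmh) tuples.
    """
    by_user: Dict[str, List[SignIn]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    alerts: List[Tuple[str, str, float]] = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue  # same area; GeoIP noise, not travel
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, cur.ip, round(speed, 1)))
    return alerts


def detect_new_devices(events: List[SignIn],
                       known: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Flag sign-ins from a device_id the user has never enrolled before."""
    seen: List[Tuple[str, str]] = []
    for e in events:
        if e.device_id not in known.get(e.user, set()):
            pair = (e.user, e.device_id)
            if pair not in seen:
                seen.append(pair)
    return seen


def run_sample() -> Dict[str, list]:
    """Run both detections over the constructed sample log."""
    events = parse_log(SAMPLE_LOG)
    return {
        "impossible_travel": detect_impossible_travel(events),
        "new_devices": detect_new_devices(events, KNOWN_DEVICES),
    }


if __name__ == "__main__":
    for name, hits in run_sample().items():
        print(name, hits)
```

Either finding on its own is only a signal; together with the playbook above (revoke sessions, reset credentials, rotate tokens, review forwarding rules) the two alerts for the same user within the same hour are the kind of high-confidence event worth automating containment on.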

From a governance angle, map this to identity access controls and incident response requirements, then ensure your awareness and email security programs are measurable, tested, and auditable.

FOR EXECUTIVES

Unit 42: Nearly two-thirds of breaches now start with identity abuse. Palo Alto Networks’ Unit 42 reported that identity-based techniques accounted for nearly two-thirds of initial network intrusions in the past year, with identity elements present in almost 90% of incidents. Median ransom payments rose 87% to $500,000, and attackers often exfiltrated data within two days.

What you need to know: As said in the story and on stream, threat actors are not breaking in, they are logging in. In a cloud-driven enterprise, a valid credential often unlocks multiple systems, and most malicious activity now looks like legitimate access. Identity abuse is fueling initial access, lateral movement, and financial impact, and traditional perimeter thinking does not address this exposure.

Anchor leadership on two decisions: First, require multi-factor authentication everywhere it is available, especially for email, finance systems, remote access, and administrator accounts. A stolen password should never be enough. Second, reduce unnecessary access by reviewing who truly needs administrative or sensitive system privileges and removing standing access that is not required. These are not enterprise-only initiatives. They are foundational controls that materially reduce risk whether you operate a global enterprise or a small regional business.

New insights from 1800+ security pros:

99% of SOCs are already using AI, yet teams still spend 44% of their time on manual work.
To find out why, Tines surveyed 1,800+ security leaders and practitioners worldwide for their largest Voice of Security report to date. The data shows that while AI adoption and enthusiasm are high, teams have yet to unlock its full impact.

Here’s a peek at the data:

  • 87% report increased board-level attention to cybersecurity in the last year

  • AI literacy and prompt engineering are the top new skills for security professionals in 2026

  • 81% say security workloads increased last year

JOIN US EVERY WEEKDAY: DAILY CYBER THREAT BRIEF

Gerald Auger, Ph.D. livestreams the Daily Cyber Threat Brief on Simply Cyber on weekdays at 8:00 AM EST.

Join the party with cybersecurity enthusiasts and professionals alike who enjoy learning about the latest in cybersecurity news and staying connected.

Meet #TeamSC in live chat and join the community! https://simplycyber.io/streams 

NEW VIDEO DROP: BUILD AGENTIC AI AUTOMATION

Are you in GRC and feeling the pressure to assess AI agents and automation risks? Learn how to build your own AI-powered news automation with security hardening, defense-in-depth against prompt injection, and a complete NIST 800-30 aligned risk assessment template.

Steve McMichael walks you through GRC News Assistant 3.0—an open-source project that not only automates cybersecurity news filtering but teaches you container security, supply chain risk mitigation, and practical risk assessment skills that translate directly to enterprise environments.

What You'll Gain:
✅ Working AI automation filtering cyber news by relevance
✅ Hands-on container security hardening experience
✅ NIST 800-30 risk assessment template (ready to use)
✅ Defense against OWASP Top 10 LLM risks
✅ Portfolio-ready GitHub project

Check out the full video now on Simply Cyber Media Group: https://youtu.be/rZ2L_JlSAUI

SIMPLY CYBER SKILLS STREAM: HACKING THE HACKER

Happening February 24th at 1:00 PM EST

Ransomware negotiations aren’t driven by logic alone - they’re driven by emotion.

Every message from an attacker contains psychological signals like pressure, confidence, frustration, fear, and urgency. Learning to recognize those signals can change how a negotiation unfolds.

In this webinar, Tim Pappa, a former FBI profiler and certified expert in online influence, shows how emotions and affect shape decision-making in digital communications.

Using real ransomware negotiation examples, you’ll learn how to analyze emotional cues and apply behavior-based strategies to influence attacker responses.

This session delivers a practical, psychology-driven approach to ransomware response - helping security and incident response teams engage with intention, not instinct.

Meet us in live chat and bring your questions for the Q&A session at the end!

Register to attend now and meet us on Simply Cyber this Tuesday: https://luma.com/u77nwp0p

SC ACADEMY WORKSHOP: READING THE ATTACKER

Happening February 26th from 5:30 - 7:30 PM EST

What if understanding how a ransomware gang negotiator was feeling could help you guide those negotiations? What if inducing affect and emotions in those online communications could help you influence how someone responds to you?

This workshop will familiarize all levels of participants with the foundations of how we process information based on how we think and what we are feeling.

This workshop, taught by a certified former FBI profiler who specialized in online influence, will provide demonstrations and exercises on analyzing ransomware negotiations based on the affect and emotions in those communications, and on designing a behaviorally based communications strategy that induces affect and emotions in those online communications.

Live Workshop Fee only $99 - get in on this while spaces are still available!

SC MEDIA GROUP WEEKLY EVENTS SCHEDULE

Join us for learning and networking every day of the work week at simplycyber.io/streams & meet the community at simplycyber.io/discord!

SIMPLY CYBER MONTHLY EVENTS

Want to know what’s happening at Simply Cyber at any given time?

Head over to the SC Monthly Events Calendar to register for new and upcoming events for the month - don’t forget to subscribe! lu.ma/simplycyber 

SC ACADEMY: THE PLACE FOR CYBER CAREERS

At Simply Cyber Academy, we specialize in making GRC and Cybersecurity Careers a reality. Empower your career by learning real in-demand skills from cyber experts and the theory behind those skills with Simply Cyber Academy.

The popular GRC Analyst Master Class is a must for kickstarting your GRC Cybersecurity career. In addition, we have new courses covering various areas of focus in cyber available to help you advance in your career. Check out the NEW FREE courses available in the academy and our new blog!

SC ACADEMY CYBERSECURITY BLOG HIGHLIGHT

Check out the Simply Cyber Academy Blog highlight for this week:

LET’S CONNECT

Stay current on trending topics, tips, events and resources in cybersecurity: connect with Simply Cyber on socials for new content.

As always, please send me feedback. Which tip above is your favorite? What do you want more or less of? Other suggestions? Please let me know. Just send a DM on X with #actionableintel in the subject so I can find it.

Join us on the Daily Cyber Threat Brief happening every weekday morning at 8 AM Eastern on YouTube and LinkedIn.

Find more about what’s happening this week in the Simply Cyber community below.

Thank you and see you again next week, #TeamSC!

Gerry