Simply Cyber Newsletter #171
Crush Your Week Like a Cyber Pro with Simply Cyber!
Start your work week off at full speed with expert analysis and actionable intel from top cybersecurity news stories. Share with your End Users, Peers, and Executives to support weekly security awareness with the Simply Cyber Newsletter!
FOR END USERS
Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks. Amazon reported that a Russian-speaking threat actor breached more than 600 FortiGate firewalls across 55 countries over five weeks by targeting exposed management interfaces and weak credentials without MFA. The attacker used generative AI tools to automate reconnaissance, credential extraction, and lateral movement planning.
What you need to know: Speak with your end users about why identity controls exist and how daily behavior determines whether those controls succeed. In this case, the attacker did not rely on sophisticated zero-day exploits. They logged in using weak credentials and accounts that lacked multi-factor authentication, then used AI tools to scale their access. The campaign repeatedly failed against hardened systems but succeeded where basic protections were missing.
Reinforce that when your organization requires MFA, enforces password standards, or limits administrative access, those measures are not procedural friction, but instead safeguards that prevent exactly this type of intrusion. Encourage users to treat MFA as essential protection rather than an inconvenience, and to apply the same thinking outside of work. If a personal service offers multi-factor authentication, enable it. If it does not, consider whether it should hold your sensitive information at all. Identity security only works when the controls are respected and consistently used.
FOR PEERS
Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023. Cisco disclosed that CVE-2026-20127, a critical authentication bypass flaw in Cisco Catalyst SD-WAN, has been exploited in zero-day attacks since at least 2023. Attackers added rogue peers, escalated to root, and maintained persistence. CISA issued an emergency directive requiring immediate inventory, investigation, and patching.
What you need to know: This is not just another critical patch notice. The uncomfortable part is the timeline. Exploitation reportedly dates back to 2023, and attackers were downgrading firmware, chaining older vulnerabilities, then restoring versions to avoid detection. That means patching alone would not have surfaced the compromise.
Have the real conversation internally with your IT-networking peers: do you know where every SD-WAN controller lives, whether any management interface is internet-exposed, and whether logs are shipped to external storage so they cannot be tampered with on the device? When a CVSS 10.0 flaw lands in the CISA KEV catalog, is your process limited to applying updates, or does it include retrospective hunting for rogue peers, unexpected SSH keys, firmware rollbacks, and root escalation? This is a governance maturity test. The control is not the patch but whether you can prove that your environment was not already compromised.
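The firmware-rollback hunt above is worth making concrete, because it is exactly the check a patch-status report cannot do. The script below is an added example written for this newsletter, not code from Cisco or from the advisory: it walks a per-device version history and flags every downgrade, recording whether and how soon the earlier version was put back (the short downgrade-then-restore window described above). The log format (ISO timestamp, device name, version=<string>), the device names and the version numbers are all constructed for illustration and do not correspond to any real product's logs or releases.

```python
"""Retrospective hunt for transient firmware rollbacks in a version history.

Added example, not code from the newsletter or from Cisco. The record format
(ISO timestamp, device name, version=<string>) and every record below are
constructed for illustration; the version numbers do not match any real release.
The point: a point-in-time inventory only sees the current version, so a
downgrade that was later restored is invisible unless the history is examined.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed version-change records (hypothetical format, not a real product's log).
SAMPLE_LOG = [
    "2023-05-01T08:00:00 sdwan-ctl-01 version=4.2.1",
    "2023-06-14T02:00:00 sdwan-ctl-01 version=3.9.0",   # downgrade ...
    "2023-06-14T05:30:00 sdwan-ctl-01 version=4.2.1",   # ... quietly restored 3.5 h later
    "2023-05-01T08:00:00 sdwan-ctl-02 version=4.2.1",
    "2024-01-10T10:00:00 sdwan-ctl-02 version=4.3.0",   # ordinary upgrade, not a finding
    "2023-05-01T08:00:00 sdwan-ctl-03 version=4.2.1",
    "2023-09-02T23:45:00 sdwan-ctl-03 version=3.9.0",   # downgrade never restored
]

RECORD = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+version=(?P<version>\S+)$")


@dataclass(frozen=True)
class VersionEvent:
    when: datetime
    device: str
    version: str


def version_key(version: str) -> tuple:
    """Sortable key for dotted versions: numeric parts compare as ints, so 4.10.0 > 4.9.9."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))


def parse_log(lines: List[str]) -> List[VersionEvent]:
    """Parse the constructed records into events, grouped by device and oldest first."""
    events = []
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue  # ignore anything that is not a version-change record
        events.append(VersionEvent(datetime.fromisoformat(m["ts"]), m["device"], m["version"]))
    return sorted(events, key=lambda e: (e.device, e.when))


def current_versions(events: List[VersionEvent]) -> Dict[str, str]:
    """What a point-in-time inventory reports: the latest version per device only."""
    latest: Dict[str, str] = {}
    for e in sorted(events, key=lambda e: e.when):
        latest[e.device] = e.version
    return latest


def find_rollbacks(events: List[VersionEvent]) -> List[dict]:
    """One finding per downgrade, noting whether and when the prior version came back."""
    per_device: Dict[str, List[VersionEvent]] = {}
    for e in events:
        per_device.setdefault(e.device, []).append(e)

    findings = []
    for device, history in per_device.items():
        history.sort(key=lambda e: e.when)
        for i in range(1, len(history)):
            prev, cur = history[i - 1], history[i]
            if version_key(cur.version) >= version_key(prev.version):
                continue  # upgrade or no change
            # first later record that brings the device back to at least the prior version
            restored_at: Optional[datetime] = next(
                (later.when for later in history[i + 1:]
                 if version_key(later.version) >= version_key(prev.version)),
                None,
            )
            findings.append({
                "device": device,
                "downgraded_at": cur.when,
                "from_version": prev.version,
                "to_version": cur.version,
                "restored_at": restored_at,
                # a short downgrade window followed by restoration is the evasive pattern
                "window_hours": (restored_at - cur.when).total_seconds() / 3600 if restored_at else None,
            })
    return findings


EVENTS = parse_log(SAMPLE_LOG)
FINDINGS = find_rollbacks(EVENTS)

if __name__ == "__main__":
    print("inventory sees:", current_versions(EVENTS))  # sdwan-ctl-01 looks untouched
    for finding in FINDINGS:
        print(finding)
```

Run against the constructed records, the inventory view reports sdwan-ctl-01 at its expected version, while the history view surfaces a 3.5-hour downgrade window on that device and a standing downgrade on sdwan-ctl-03. Feeding the same logic with your own version-change events requires only externally retained logs, which is why the log-storage question above comes first.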
FOR EXECUTIVES
CrowdStrike says attackers are moving through networks in under 30 minutes. CrowdStrike reported that average breakout time dropped to 29 minutes in 2025, with the fastest observed intrusion spreading in 27 seconds. Eighty-two percent of incidents involved no malware, relying instead on legitimate credentials and trusted tools across cloud and enterprise environments.
What you need to know: Threat actors are moving in 29 minutes on average, and the fastest observed breakout time was 27 seconds. CrowdStrike also reported that 82% of detected attacks were malware free, with many intrusions involving the abuse of legitimate tools and credentials, especially across cloud and identity seams.
The takeaway is not speed alone, but how ordinary these intrusions can look once access is established. If this is raised with senior leadership, keep it simple: trusted access is being exploited as an entry point, so accountability for identity oversight matters. The key question is whether identity protection and detection-and-response speed are treated as a business risk with measurable ownership, or assumed to be working in the background.
“I've asked vendors to build this for years, and this is the first time I've actually seen it done right.”
— James Berthoty, Analyst @ Latio Tech, Ex-Security Engineer @ PagerDuty
Every vulnerability tool tells you what's wrong. The ones that try to help you fix it just say "bump the version." That's the fix your developer rejects because it's just not helpful.
Maze knows your environment and can tell you whether it makes sense to rebuild the image, bump a direct dependency, or overwrite a transitive dependency. The kind of decision that takes developers hours.
That’s why we launched AI remediation agents that think like your developers. They trace how vulnerabilities actually enter your environment and deliver fixes your team would actually choose. Not just the textbook answer. The real one you’d use.
And when patching isn't possible, they deliver mitigations that make the vulnerabilities non-exploitable.
Sounds too good to be true? Just wait till you see it.
See how it works

JOIN US EVERY WEEKDAY DAILY CYBER THREAT BRIEF
Gerald Auger, Ph.D. livestreams the Daily Cyber Threat Brief on Simply Cyber on weekdays at 8:00 AM EST.
Join the party with cybersecurity enthusiasts and professionals alike who enjoy learning about the latest in cybersecurity news and staying connected.
Meet #TeamSC in live chat and join the community! https://simplycyber.io/streams
NEW VIDEO DROP: I FED MY LINKEDIN TO CLAUDE CODE
Your LinkedIn data contains career intel you can't see with the naked eye. I downloaded all 50 CSV files from my LinkedIn export, fed them into Claude Code with a job description, and got back a full gap analysis PLUS the exact people in my network who can help me close those gaps. One of them? A woman I barely know who connected with me years ago because we share the same last name. She might be the most valuable connection I have for this role.
Learn how to do it yourself by watching the video and see links in the description: https://youtu.be/D4ZL6Ld51_s
SIMPLY CYBER SKILLS STREAM: AWS PRIVESC
Happening March 10th at 1:00 PM EST
Your AWS IAM policies might be one misconfiguration away from a full account takeover.
In this SC Skills Stream and hands-on webinar, Christophe Limpalair, a cloud security trainer with over 9 years of experience, will execute a live privilege escalation attack.
He'll then walk through the detection strategies, monitoring tools, and hardening techniques to stop it. You'll leave with a practical checklist you can apply to your AWS environment.
Topics covered:
- What a cloud PrivEsc is and how it works
- Demo of a live attack
- How to prevent and defend against this threat
Meet us in live chat and bring your questions for the Q&A session at the end!
Register now to attend and get notified with a calendar reminder: https://luma.com/5mq88nwx
SC MEDIA GROUP WEEKLY EVENTS SCHEDULE
Join us for learning and networking every day of the work week at simplycyber.io/streams & meet the community at simplycyber.io/discord!
SIMPLY CYBER MONTHLY EVENTS LINEUP
Want to know what’s happening at Simply Cyber at any given time?
Head over to the SC Monthly Events Calendar to register for new and upcoming events for the month - don’t forget to subscribe! lu.ma/simplycyber
SC ACADEMY THE PLACE FOR CYBER CAREERS
At Simply Cyber Academy, we specialize in making GRC and Cybersecurity Careers a reality. Empower your career by learning real in-demand skills from cyber experts and the theory behind those skills with Simply Cyber Academy.
The popular GRC Analyst Master Class is a must for kickstarting your GRC Cybersecurity career. In addition, we have new courses covering various areas of focus in cyber available to help you advance in your career. Check out the NEW FREE courses available in the academy and our new blog!
SC ACADEMY CYBERSECURITY BLOG HIGHLIGHT
In case you missed it! Check out the Simply Cyber Academy Blog from this past week:
LET’S CONNECT
Stay current on trending topics, tips, events and resources in cybersecurity, connect with Simply Cyber on socials for new content.
As always, please send me feedback. Which tip above is your favorite? What do you want more or less of? Other suggestions? Please let me know. Just send a DM on X with #actionableintel in the subject so I can find it.
Join us on the Daily Cyber Threat Brief happening every weekday morning at 8 AM Eastern on YouTube and LinkedIn.
Find more about what’s happening this week in the Simply Cyber community, below.
Thank you and see you again next week, #TeamSC!
Gerry