Simply Cyber Newsletter #175

Crush Your Week Like a Cyber Pro with Simply Cyber!

Start your work week off at full speed with expert analysis and actionable intel from top cybersecurity news stories. Share with your End Users, Peers, and Executives to support weekly security awareness with the Simply Cyber Newsletter!

FOR END USERS

The phone call is the new phishing email. Voice phishing (vishing) attacks are increasing, with attackers impersonating employees or IT staff over the phone to talk their way into systems. These real-time social engineering attacks account for a growing share of breaches as threat actors shift from mass email phishing to targeted, high-interaction tactics.

What you need to know: Educate your end users that not all attacks come through email or links anymore. Attackers now call people directly and manufacture urgency to get them to act fast: reset a password, approve an access request, or share information. Because the interaction happens in real time, it feels more legitimate and leaves less time to think critically.

Encourage users to recognize that feeling rushed is part of the attack. If someone asks them to act quickly over the phone, especially about access, credentials, or approvals, they should pause and verify through a trusted channel: hang up and call the company or the person back at a number from the official directory, never a number the caller supplies. Teaching users to slow down and break the interaction is key, because once the conversation starts the attacker is steering the outcome step by step.

FOR PEERS

TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise. A supply chain attack compromised the popular Python package LiteLLM through a tainted dependency, stemming from an earlier compromise of the Trivy scanner's CI/CD pipeline, and the backdoored releases let attackers harvest credentials, move laterally across Kubernetes environments, and establish persistent backdoors. The campaign is part of a broader operation targeting widely used developer and security tools to expand access across ecosystems.

What you need to know: A coordinated supply chain campaign has moved beyond isolated tool compromises and into platforms embedded across cloud and AI environments. In this case, the backdoored LiteLLM versions ran their payload automatically at runtime, harvesting credentials, deploying privileged workloads across Kubernetes clusters, and establishing persistence with no user interaction. The critical shift is not just the level of access gained but how it was achieved: a compromise in one trusted tool propagated into another, expanding reach through dependencies already integrated into development and production pipelines.

Share this story with your peers and have conversations about what your organization is implicitly trusting across its software supply chain. The risk is no longer limited to vulnerable code; it extends to how tools are integrated, updated, and executed across environments. Focus the discussion on how dependencies are validated (version pins, hashes, and provenance, not just a scanner pass, since here the scanner itself was the entry point), how credential exposure from a compromised build or runtime is detected, and how quickly access can be contained when a trusted component becomes the attack path.
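To make the dependency-validation question concrete, here is an added example (not code from Simply Cyber, LiteLLM, Trivy, or the story's authors) that audits a requirements file and the current interpreter for the backdoored LiteLLM releases named above. The affected range, 1.82.7 through 1.82.8 inclusive, is taken from the headline; the requirements lines are constructed, the version parser handles only plain dotted releases, and the line handling is a deliberate subset of pip's full syntax.

```python
"""Audit pinned dependencies for the backdoored LiteLLM releases.

Added example, not code from Simply Cyber, LiteLLM or Trivy. The affected
range (1.82.7 through 1.82.8, inclusive) is taken from the story headline.
SAMPLE_REQUIREMENTS is constructed for illustration. Parsing is a deliberate
subset of pip syntax: plain dotted release versions, one requirement per
(possibly backslash-continued) line, extras and environment markers dropped.
"""
import re
from importlib import metadata

PACKAGE = "litellm"
AFFECTED_LOW = (1, 82, 7)   # first backdoored release named in the story
AFFECTED_HIGH = (1, 82, 8)  # last backdoored release named in the story

# Constructed requirements.txt content (not a real project's file).
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
litellm==1.82.7          # pinned straight into the affected range
fastapi>=0.110
"""


def parse_version(text):
    """'1.82.7' -> (1, 82, 7). Raises ValueError for pre-releases, local
    versions or wildcards so the caller reports them instead of guessing."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version_text):
    """True when the version falls inside the backdoored range (inclusive)."""
    return AFFECTED_LOW <= parse_version(version_text) <= AFFECTED_HIGH


def audit_requirements(text):
    """Return one finding per litellm requirement line.

    status is one of:
      AFFECTED - pinned with == to a version in the backdoored range
      UNPINNED - a range, wildcard or bare name (pip may resolve it to an
                 affected release, so it needs an explicit pin)
      pinned   - pinned with == to a version outside the range
      unparsed - pinned to a version shape this example does not handle
    """
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or a pip option such as -r / --hash
        tokens = line.split()
        name_spec = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(.*)$", tokens[0])
        if not name_spec:
            continue
        name = name_spec.group(1).lower().replace("_", "-")
        spec = re.sub(r"^\[[^\]]*\]", "", name_spec.group(2))  # drop extras
        if name != PACKAGE:
            continue
        version, status = None, "UNPINNED"
        if spec.startswith("==") and not spec.endswith("*"):
            version = spec[2:].strip()
            try:
                status = "AFFECTED" if is_affected(version) else "pinned"
            except ValueError:
                status = "unparsed"
        findings.append({
            "line": raw.strip(),
            "version": version,
            "status": status,
            "hashed": any(t.startswith("--hash=") for t in tokens[1:]),
        })
    return findings


def installed_status():
    """Report the litellm version installed in this interpreter, or None."""
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    try:
        status = "AFFECTED" if is_affected(version) else "ok"
    except ValueError:
        status = "unparsed"
    return {"version": version, "status": status}


if __name__ == "__main__":
    for item in audit_requirements(SAMPLE_REQUIREMENTS):
        hashed = "hash-pinned" if item["hashed"] else "no hash"
        print(f"{item['status']:<9} {hashed:<12} {item['line']}")
    print("installed:", installed_status())
```

Run it against a real requirements file to list every litellm line that is unpinned, pinned into the affected range, or pinned without a hash. Two caveats: a --hash only guards against the artifact being swapped after you recorded it, so hash pinning does not save you if the release you pinned was malicious when published, and installed_status() tells you what is installed now, not what already ran in CI. Treat credentials reachable from any host that installed an affected version as exposed until they are rotated.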

FOR EXECUTIVES

M-Trends 2026: Initial Access Handoff Shrinks From Hours to 22 Seconds. The gap between an initial compromise and the handoff to follow-on escalation, often between cooperating threat groups, has dropped from hours to as little as 22 seconds, reflecting increased automation and coordination. While detection has improved overall, attackers move faster than organizations can respond, shrinking the window for effective intervention.

What you need to know: Share this story with your executives and frame it as a challenge to current assumptions, not just a trend. One of the most credible incident response teams in the industry is reporting that attacks are no longer primarily starting through email, and that once access is gained, escalation can happen almost instantly. That should prompt a pause, because many organizations are still prioritizing controls and investments based on older models of how attacks occur.

Use this as an opportunity to ask direct questions. If email is no longer the dominant entry point in real incidents, where is your greatest exposure today? Are you measuring and investing based on how attacks actually happen, or on how you believe they happen? And if an attacker can move in seconds, what controls do you have in place to prevent escalation after initial access, rather than relying on detection after the fact?

In Delinea’s 2026 Identity Security Report, 87% of organizations say they’re ready for AI—yet nearly half admit gaps in governing identities tied to AI systems. The biggest issue? Visibility. Most teams still can’t fully see how non-human identities and AI agents are accessing critical systems.

That gap creates real risk: unmanaged access, standing privileges, and activity that can go unnoticed. Read the report to see the data and read Gerry’s insights on how teams are navigating AI-related identity risk—and what security leaders can do to address it today.

Download the report.

JOIN US EVERY WEEKDAY: DAILY CYBER THREAT BRIEF

Gerald Auger, Ph.D. livestreams the Daily Cyber Threat Brief on Simply Cyber on weekdays at 8:00 AM EDT.

Join the party with cybersecurity enthusiasts and professionals alike who enjoy learning about the latest in cybersecurity news and staying connected.

Meet #TeamSC in live chat and join the community! https://simplycyber.io/streams 

NEW VIDEO DROP: PENTESTING INTERVIEW PT 2

Pentesting interviews are not about how many tools you know. They are about how you think when time is limited, results are noisy, and judgment matters.

In this video, I put the same real-world interview question to three pentesters at different career stages:
- An aspiring pentester breaking into the field
- A mid-career pentester
- A senior pentester with over a decade of experience

The scenario:
Your automated web application scan reports 200+ potential vulnerabilities, and you only have three days left in the engagement. How do you validate findings and decide what actually matters?

To break this down properly, I’m joined by Mike Saunders, Senior Red Team professional at Red Siege, who explains what hiring managers are really listening for in each response and why experience changes how pentesters triage findings.

Whether you are preparing for your first pentesting interview or pushing toward a senior role, this video will help you give answers that demonstrate impact, judgment, and real-world maturity.

🎯 What you will learn:
✅ How junior, mid-level, and senior pentesters approach vulnerability triage
✅ Why automated scanners generate so much noise
✅ How experienced testers identify false positives quickly
✅ When manual testing matters more than tools
✅ How hiring managers evaluate prioritization and risk thinking

Watch now on Simply Cyber Media Group: https://youtu.be/B5h39Xy04-s

SIMPLY CYBER FIRESIDES: RED TEAM ENGINEERING

Thursday, April 2nd at 4:30 PM EDT

What separates a penetration tester from a true red team engineer? It comes down to building, not just using, the tools.

In this episode of Simply Cyber Firesides, host Gerald Auger, Ph.D. sits down with Casey Erdmann to explore what it really means to operate at a higher level in offensive security.

Casey brings over a decade of hands-on experience in red teaming and has contributed to the community through research, tool development, and speaking at conferences such as DEF CON’s Red Team Village. His work focuses on helping practitioners move beyond running scripts and toward engineering their own offensive capabilities.

This conversation is centered around his upcoming book, which takes a practical, project-based approach to building real red team infrastructure and tools from the ground up.

Topics include building credential harvesting applications, developing custom tooling in languages like Go, creating command and control infrastructure, and managing environments at scale.

This session is ideal for penetration testers, red teamers, and security professionals looking to move beyond entry level offensive techniques and into building more advanced capabilities.

Join us this Thursday in live chat - register to attend and get notifications: https://luma.com/ina8vdpl

SC DISCORD: MONTHLY MENTORSHIP AMA LIVE

Join us for the Monthly Cybersecurity Mentorship AMA in Simply Cyber Discord, happening this Friday at 1 PM EDT.

Check out the event to attend in Discord: https://discord.gg/pbrD3QFuA?event=1393337657169416362

SC MEDIA GROUP WEEKLY EVENTS SCHEDULE

Join us for learning and networking every day of the work week at simplycyber.io/streams & meet the community at simplycyber.io/discord!

SIMPLY CYBER MONTHLY EVENTS LINEUP

Want to know what’s happening at Simply Cyber at any given time?

Head over to the SC Monthly Events Calendar to register for new and upcoming events for the month - don’t forget to subscribe! lu.ma/simplycyber 

SC ACADEMY: THE PLACE FOR CYBER CAREERS

At Simply Cyber Academy, we specialize in making GRC and Cybersecurity Careers a reality. Empower your career by learning real in-demand skills from cyber experts and the theory behind those skills with Simply Cyber Academy.

The popular GRC Analyst Master Class is a must for kickstarting your GRC Cybersecurity career. In addition, we have new courses covering various areas of focus in cyber available to help you advance in your career.

Check out the NEW FREE courses available in the academy!

SIMPLY CYBER ACADEMY BLOG HIGHLIGHT

Check out the blog from last week on Simply Cyber Academy:

LET’S CONNECT

Stay current on trending topics, tips, events and resources in cybersecurity, connect with Simply Cyber on socials for new content.

As always, please send me feedback. Which tip above is your favorite? What do you want more or less of? Other suggestions? Please let me know. Just send a DM on X with #actionableintel in the subject so I can find it.

Join us on the Daily Cyber Threat Brief happening every weekday morning at 8 AM Eastern on YouTube and LinkedIn.

Find more about what’s happening this week in the Simply Cyber community, below.

Thank you and see you again next week, #TeamSC!

Gerry