Simply Cyber Newsletter #182
Crush Your Week Like a Cyber Pro with Simply Cyber!
Start your work week off at full speed with expert analysis and actionable intel from top cybersecurity news stories. Share with your End Users, Peers, and Executives to support weekly security awareness with the Simply Cyber Newsletter.
FOR END USERS
KongTuke hackers now use Microsoft Teams for corporate breaches. Threat actors are increasingly using Microsoft Teams to impersonate internal IT staff and trick employees into running malicious PowerShell commands. Researchers observed attackers gaining persistent access to corporate environments in under five minutes, ultimately deploying remote access malware that can steal files, capture screenshots, and maintain long-term access to compromised systems.
What you need to know: Educate your end users that attackers are no longer relying only on phishing emails to gain access to organizations. Threat actors are now impersonating help desk and IT staff directly through collaboration platforms like Microsoft Teams, creating a false sense of trust and urgency. Employees should be reminded that legitimate IT staff should never ask them to paste commands into PowerShell, Command Prompt, or Terminal windows through chat messages. Encourage your end users to slow down and verify unexpected requests using trusted communication methods before taking action. It is also important for end users to understand that attackers often rely on familiarity and internal-looking messages rather than obvious red flags.
Also, take this story to your peers and have conversations about how your organization handles remote support requests, external Teams communications, and employee verification processes before attackers exploit uncertainty or trust.
FOR PEERS
Shai Hulud attack ships signed malicious TanStack, Mistral npm packages. The Shai Hulud supply chain campaign compromised hundreds of npm and PyPI packages by abusing stolen CI/CD credentials and valid OpenID Connect tokens to publish cryptographically signed malicious updates. The malware targeted developer secrets, cloud credentials, and CI/CD environments while maintaining persistence through VS Code and Claude Code integrations.
What you need to know: Share this story with your peers. We have touched on supply chain attacks several times over the past few months, but this campaign reinforces why the topic continues to demand attention. Threat actors are no longer simply uploading obviously malicious packages. They are increasingly abusing legitimate CI/CD workflows, valid signing infrastructure, and trusted developer ecosystems to make malicious updates appear authentic. In this case, the compromised packages carried valid provenance attestations and legitimate signatures, making detection significantly harder from both a developer and defender perspective. Security teams should continue reviewing dependency management practices, GitHub Actions hardening, token protections, lockfile enforcement, and monitoring for persistence mechanisms that survive package removal. This also highlights how developer workstations remain highly valuable targets because they often provide access to source code repositories, cloud infrastructure, secrets managers, and deployment pipelines.
I hate to state the obvious, but let this be a reminder that trust alone is no longer enough validation inside modern software supply chains.
FOR EXECUTIVES
Cyber-crime increasingly coming with threats of physical violence. Researchers report that ransomware groups are increasingly using threats of physical violence to pressure organizations into paying extortion demands. Attackers are leveraging stolen personal information, direct intimidation tactics, and even operational technology disruptions to create fear among employees, executives, and organizations during ransomware negotiations.
What you need to know: Business leaders should understand that ransomware events are no longer only technology incidents or operational disruptions. Threat actors are increasingly targeting the people behind the systems by using stolen personal information, intimidation tactics, and psychological pressure during extortion campaigns. This evolution changes the conversation from purely cybersecurity resilience to broader business continuity, employee safety, crisis communications, and executive preparedness. Organizations should evaluate how sensitive employee information is protected, how incident response teams communicate during high-pressure events, and whether leadership teams are prepared for scenarios involving direct threats against staff or operational technology disruptions. This is also a reminder that ransomware response planning should include legal, human resources, communications, and physical security stakeholders alongside cybersecurity teams. As threat actors continue blending cybercrime with coercion and fear tactics, executive preparedness and organizational trust become critical components of resilience.
[Cold data + slow answers] x supply chain compromises = bad combo.
If you've ever chased a supply chain compromise across your SIEM's frozen tier and S3 retention, you know every query is a waiting exercise. Most teams don't realize how much detection lag, query timeouts, and rehydration costs are stacking up until something breaks during an incident.
Scanner put together a list of 7 signs your S3 may be slowing down your SOC so you can pressure-test your own setup.
A few worth checking first:
- Analysts skip investigations because queries take too long
- You're paying to rehydrate cold logs every time auditors come knocking
- Your detections only run on a fraction of the data you collect
If any of these sound familiar, you're seeing what most SOC leaders are quietly dealing with.

JOIN US EVERY WEEKDAY: DAILY CYBER THREAT BRIEF
Gerald Auger, Ph.D. livestreams the Daily Cyber Threat Brief on Simply Cyber every weekday at 8:00 AM EDT: https://cyberthreatbrief.simplycyber.io
Join the party with cybersecurity enthusiasts and professionals alike who enjoy learning about the latest in cybersecurity news and staying connected.
NEW VIDEO: SOC ANALYST INTERVIEW - PART 2
Most SOC analyst candidates prep for interviews by memorizing definitions, and that's exactly why they don't get hired. Interviewers want to see how you think under pressure, not what you can recite.
In this video, three real candidates answer one of the most technically revealing questions in a SOC analyst interview: an EDR has fired an alert for a suspicious process, CMD.EXE spawned by Winword on a finance machine, 10 minutes ago. Walk me through your investigation.
Cybersecurity expert and SOC veteran Eric Capuano breaks down each answer live: what they got right, what they got wrong, and what a structured, data-driven investigation actually looks like in a real SOC environment.
Whether you're preparing for your first SOC analyst interview or leveling up your triage methodology, this video will sharpen how you think through EDR alerts, process execution chains, and incident investigation, without the guesswork.
🔑 What you'll learn:
- How to trace process execution ancestry in an EDR investigation
- Why making assumptions during alert triage will slow you down (and cost you the job)
- What interviewers are really evaluating when they ask scenario-based SOC questions
- The difference between a passing answer and a standout answer
- How to pivot on data, not bias, during a live triage scenario
Watch now on Simply Cyber Media Group: https://youtu.be/mC2dBS1F8Nw
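The ancestry walk that the interview scenario above asks for, written out as an added example that is not code from the newsletter or from the video. The process-creation events, the host name and the field names are constructed to resemble Sysmon/EDR records and are assumptions, not any vendor's schema; the check generalizes beyond Winword to any Office parent spawning any shell, and it tolerates missing parents and recycled PIDs.

```python
# Added example: trace process ancestry for an "Office app spawned a shell"
# EDR alert and collect the evidence an analyst would pivot on next.
# Field names (host, pid, ppid, image, cmdline) are assumed, not a real schema.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}

# Constructed sample: explorer -> Word -> cmd -> powershell on a finance
# workstation, plus a benign cmd.exe the user launched directly from explorer.
EVENTS = [
    {"host": "FIN-WS-07", "pid": 1200, "ppid": 0,    "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"host": "FIN-WS-07", "pid": 4412, "ppid": 1200, "image": "WINWORD.EXE",    "cmdline": '"WINWORD.EXE" Invoice_Q2.docm'},
    {"host": "FIN-WS-07", "pid": 5120, "ppid": 4412, "image": "cmd.exe",        "cmdline": "cmd.exe /c powershell.exe -w hidden -enc <constructed>"},
    {"host": "FIN-WS-07", "pid": 5188, "ppid": 5120, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -enc <constructed>"},
    {"host": "FIN-WS-07", "pid": 6001, "ppid": 1200, "image": "cmd.exe",        "cmdline": "cmd.exe /k ipconfig"},
]


def _by_pid(events, host):
    """Index one host's process-creation events by PID."""
    return {e["pid"]: e for e in events if e["host"] == host}


def ancestry(events, host, pid):
    """Walk ppid links from pid up to the root; returns image names child-first.
    Stops on a missing parent or a cycle (stale or recycled PIDs do happen)."""
    index = _by_pid(events, host)
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid]["image"])
        pid = index[pid]["ppid"]
    return chain


def children(events, host, pid):
    """Direct child processes of pid: the next pivot after the parent chain."""
    return [e["image"] for e in events if e["host"] == host and e["ppid"] == pid]


def triage(events, host, pid):
    """Return the evidence for the alert, not a verdict: chain, flag, children."""
    chain = ancestry(events, host, pid)
    lowered = [img.lower() for img in chain]
    is_shell = bool(lowered) and lowered[0] in SHELLS
    office_parent = any(img in OFFICE_APPS for img in lowered[1:])
    return {"chain": chain,
            "office_spawned_shell": is_shell and office_parent,
            "children": children(events, host, pid)}


if __name__ == "__main__":
    print(triage(EVENTS, "FIN-WS-07", 5120))
```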
2 CYBER CHICKS: THE TRUTH ABOUT CRITICAL INFRASTRUCTURE SECURITY
In this episode of 2 Cyber Chicks, Jax sits down with Angela Haun, Executive Director of the ONG-ISAC and a former FBI Special Agent with over two decades of experience protecting critical infrastructure.
Angela brings a rare, real-world perspective on cybersecurity—one where cyber incidents don’t just mean data loss, but physical consequences, national security implications, and economic disruption. She shares what it actually takes to protect the oil and natural gas sector, why information sharing is harder than everyone claims, and where leaders continue to underestimate risk.
This conversation explores:
- Why cyber threats to critical infrastructure are fundamentally different
- The realities of information sharing across highly regulated industries
- How trust is built and broken between private industry and government
- Why boards still struggle to understand cyber risk in physical terms
- The uncomfortable truths leaders need to hear about preparedness and accountability
If you care about cybersecurity beyond buzzwords, where cyber meets physical, economic, and national security, this episode is essential listening.
Join us Wednesday at 9:30 AM EDT: https://youtu.be/slBSb4mFcIU
OR Register to attend and get an email notification: https://luma.com/ruq67wc8
SIMPLY CYBER FIRESIDES: WOLFMASKING
Most cybersecurity awareness training is passive, forgettable, and ineffective. People click through slides, pass a quiz, and move on without changing behavior.
What if awareness training felt more like a game than a compliance exercise?
In this episode of Simply Cyber Firesides, Brian Brushwood discusses Wolfmasking, an interactive approach to cybersecurity awareness that turns employees into active participants instead of passive viewers.
Brian is widely known for blending entertainment, psychology, and social engineering through projects like Scam Nation, where he explores persuasion, deception, and human behavior in engaging and memorable ways.
His work has helped audiences better understand how manipulation works in the real world and how awareness can be built through participation and experience.
🎯 In this SC Firesides, you will learn:
• Why traditional awareness training often fails
• How competition and participation improve learning retention
• What Wolfmasking is and how it works in practice
• How organizations can build stronger security culture through engagement
• Why human behavior remains one of the biggest factors in cybersecurity risk
This chat is great for GRC professionals, security awareness teams, and anyone interested in improving organizational security posture through human-centered security practices.
Live on Thursday at 4:30 PM EDT: https://youtube.com/live/EQCrx1Tqar8
OR Register to attend and get an email notification: https://luma.com/juy4w2n9
STATE OF SIMPLY CYBER: WITH GERALD AUGER, PH.D.
As part of Simply Cyber's transparency and accountability principles to the community, we're continuing our quarterly "all hands" style meetings.
Join us to celebrate our wins and get hyped for what's coming up in the next quarter!
Clearly communicating expectations and wins is important, so we dig into the items below on stream:
- Welcome & Agenda
- Announcements & Wins
- Team SC Happenings
- Last Quarter Commitments
- New Goals
- High Fives
- Open Q&A
Set your notifications and meet us live at 2 PM EDT: https://youtube.com/live/3VDh-G135hM
OR Register to attend and get an email notification: https://luma.com/gs1ysaqf
SC MEDIA GROUP WEEKLY EVENTS SCHEDULE
Join us for learning and networking every day of the work week on YouTube: youtube.com/@simplycyber
Connect with the SC Discord community: simplycyber.io/discord
SIMPLY CYBER MONTHLY EVENTS LINEUP
Want to know what’s happening at Simply Cyber at any given time?
Head over to the SC Monthly Events Calendar to register for new and upcoming events for the month - don’t forget to subscribe! lu.ma/simplycyber
SC ACADEMY: THE PLACE FOR CYBER CAREERS
At Simply Cyber Academy, we specialize in making GRC and Cybersecurity Careers a reality. Empower your career by learning real in-demand skills from cyber experts and the theory behind those skills with Simply Cyber Academy.
The popular GRC Analyst Master Class is a must for kickstarting your GRC Cybersecurity career. In addition, we have new courses covering various areas of focus in cyber available to help you advance in your career.
Check out the NEW FREE courses available in the academy!
SIMPLY CYBER ACADEMY BLOG HIGHLIGHT
Check out the highlighted blog on Simply Cyber Academy: https://academy.simplycyber.io/p/Blog?p=networking-basics-for-cybersecurity-what-every-beginner-needs-to-know
LET’S CONNECT
Stay current on trending topics, tips, events and resources in cybersecurity: connect with Simply Cyber on socials for new content.
As always, please send me feedback. Which tip above is your favorite? What do you want more or less of? Other suggestions? Please let me know. Just send a DM on X with #actionableintel in the subject so I can find it.
Join us on the Daily Cyber Threat Brief happening every weekday morning at 8 AM Eastern on YouTube and LinkedIn.
Find more about what’s happening this week in the Simply Cyber community, below.
Thank you and see you again next week, #TeamSC!
Gerry