uber geek blue team cyber commando bad guy annihilator at CrowdStrike OSCP GREM GDAT GC|FA/FE/IH #DFIR #BLUETEAMTIPS

(views are my own)
https://twitter.com/sneakymonk3y
www: http://you.sneakymonkey.net
github: https://github.com/sneakymonk3y

U.S. prosecutors have charged two rogue employees of a cybersecurity company that specializes in negotiating ransom payments to hackers on behalf of their victims, with carrying out ransomware attacks of their own.

A third cybersecurity professional was also indicted as part of the scheme. 👀

More, from me: https://techcrunch.com/2025/11/03/doj-accuses-us-ransomware-negotiators-of-launching-their-own-ransomware-attacks/

DOJ accuses US ransomware negotiators of launching their own ransomware attacks | TechCrunch

Three people, including two U.S. ransomware negotiators, are accused of working on behalf of the ALPHV/BlackCat ransomware gang.

Insider threats are going to become a massive issue over the next couple of years.

The Play ransomware gang made a post seeking to buy access to private sector companies. If they can provide good money to the right person at the right time, it will severely impact the integrity of said company.

Scattered Lapsus Hunters have also shown their interest in buying access from current employees of target companies.

Massive corporations are going to have to implement least privilege access control systems asap if they want to stay ahead of threats. I think we are going to see a decrease in social engineering attacks as more employees become aware of it.

I think buying access from current employees is going to be the next big attack vector for future breaches.

tl;dr: Least Privilege Automation is the next cybersecurity trend

The craziest part of the Oracle story is they got the exploit chain via... LAPSUS$.

Before Oracle had an advisory, on Telegram LAPSUS$ posted a working zero day exploit - dated May 2025.

Yes, the teenagers at LAPSUS$ know more about Oracle's security vulnerabilities than Oracle.

-rw-r----- 1 root root 3713 Jun 15 18:19 exp.py
-rw-r--r-- 1 root root 2749 Oct 3 14:54 readme.md
-rw-r----- 1 root root 2651 May 16 10:07 server.py

Here's the original Oracle explanation - before the post mysteriously disappeared (even from Internet Archive etc).

My view - saying the recent incidents should be a wake up call isn’t moving the needle enough in business.

So a lever is, if JLR need bailing out, put the PM on TV to announce it, explain why and the context of attacks on UK institutions, and announce paying all extortion attempts will be outlawed by the end of parliament. It would send shockwaves through business and force real resiliency planning.

For those who haven't been following JLR in detail, key chain of events:

1) JLR outsource key IT and infosec functions to TCS, approved by 1x director and 2x NEDs on both JLR and TCS boards

2) JLR transfer staff by TUPE to TCS

3) TCS lay off transferred UK staff, including cyber risk and governance and cyber monitoring

4) record profits for a decade

5) got hacked

6) company stops functioning

7) get government to bail out their key suppliers (in progress)

The Chair of the Business and Trade Committee, Liam Byrne MP, has today written to TCS asking probing questions about the attacks on Co-op, Marks and Spencer and Jaguar Land Rover. https://committees.parliament.uk/publications/49627/documents/264574/default/

@GossiTheDog

I don’t get it...

BBC news article,

“However, the company made a pre-tax profit of £2.5bn in the year to the end of March, which implies it has the financial muscle to weather a crisis that lasts weeks rather than months.”

But they’re calling on the Gov for furlough…

If anybody is interested, TCS’ website says JLR outsourced cybersecurity (not sure which bits) to it a few years ago.

TCS also run security operations and monitoring for Co-op (my old team) along with their IT and IT helpdesk, and M&S secops monitoring, IT and IT helpdesk.

Jaguar Land Rover have contained their network and stopped production after what appears to be a ransomware incident. VPNs and network border in UK all down.