
Stay ahead of the latest cybersecurity trends with Cyberside Chats! Listen to our weekly podcast every Tuesday at 6:30 a.m. ET, and join us live once a month for breaking news, emerging threats, and actionable solutions. Whether you’re a cybersecurity professional or an executive looking to understand how to protect your organization, cybersecurity experts Sherri Davidoff and Matt Durrin will help you stay informed and proactively prepare for today’s top cybersecurity threats, AI-driven attack and defense strategies, and more!
Join us monthly for an interactive Cyberside Chats: Live! Our next session is on December 17th: AI Broke Trust. Identity Has to Step Up in 2026.
Episodes

4 days ago
A massive 7-year espionage campaign hid in plain sight. Harmless Chrome and Edge extensions — wallpaper tools, tab managers, PDF converters — suddenly flipped into full surveillance implants, impacting more than 4.3 million users. In this episode, we break down how ShadyPanda built trust over years, then weaponized auto-updates to steal browsing history, authentication tokens, and even live session cookies. We’ll walk through the timeline, what data was stolen, why session hijacking makes this attack so dangerous, and the key steps security leaders must take now to prevent similar extension-based compromises.
Key Takeaways
- Audit and restrict browser extensions across the organization. Inventory all extensions in use, remove unnecessary ones, and enforce an allowlist through enterprise browser controls.
- Treat extensions as part of your software supply chain. Extensions can flip from safe to malicious overnight. Include them in risk assessments and governance processes.
- Detect and mitigate session hijacking. Monitor for unusual token reuse, shorten token lifetimes where possible, and watch for logins that bypass MFA.
- Enforce enterprise browser security controls. Use Chrome/Edge enterprise features or MDM to lock down permissions, block unapproved installations, and enable safe browsing modes.
- Reduce extension sprawl with policy and training. Educate employees that extensions carry real security risk. Require justification for new installations and empower IT to remove unnecessary ones.
Please tune in weekly for more cybersecurity advice, and visit www.LMGsecurity.com if you need help with your cybersecurity testing, advisory services, and training.
Resources:
- KOI Intelligence (Original Research): https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign
- Malwarebytes Labs Coverage: https://www.malwarebytes.com/blog/news/2025/12/sleeper-browser-extensions-woke-up-as-spyware-on-4-million-devices
- Infosecurity Magazine Article: https://www.infosecurity-magazine.com/news/shadypanda-infects-43m-chrome-edge/
#ShadyPanda #browserextension #browsersecurity #cybersecurity #cyberaware #infosec #cyberattacks #ciso

Tuesday Dec 02, 2025
Inside Jobs: How CrowdStrike, DigitalMint & Tesla Got Burned
Insider threats are accelerating across every sector. In this episode, Sherri and Matt unpack the CrowdStrike insider leak, the two DigitalMint employees indicted for BlackCat ransomware activity, and Tesla’s multi-year insider incidents ranging from nation-state bribery to post-termination extortion. They also examine the 2025 crackdown on North Korean operatives who used stolen identities and deepfake interviews to get hired as remote workers inside U.S. companies. Together, these cases reveal how attackers are buying, recruiting, impersonating, and embedding insiders — and why organizations must rethink how they detect and manage trusted access.
Key Takeaways
- Build a culture of ethics and make legal consequences explicit.
Use real cases — Tesla, CrowdStrike, DigitalMint — to show employees that insider misconduct leads to indictments and prison time. Clear messaging, training, and leadership visibility reinforce deterrence.
- Enforce least-privilege access and conduct quarterly access reviews.
Limit who can view or modify sensitive dashboards, admin tools, and SSO consoles. Regular recertification ensures employees only retain the permissions they legitimately need.
- Deploy screenshot prevention and data-leak controls across critical systems.
Implement watermarking, VDI/browser isolation, screenshot detection, and DLP/CASB rules to deter and detect unauthorized capture or exfiltration of sensitive data.
- Strengthen identity verification for remote and distributed employees.
Use periodic identity rechecks and require company-managed, attested devices for sensitive roles. Prohibit personal-device access for privileged work to reduce impersonation risk.
- Monitor high-risk users with behavior and anomaly analytics.
Flag unusual patterns such as off-hours access, atypical data movement, sudden repository interest, or crypto-related activity on work devices. Behavioral analytics helps uncover malicious intent even when credentials appear valid.
- Require your vendors to follow the same insider-threat safeguards you use internally.
Ensure MSPs, SaaS providers, IR partners, and software vendors enforce strong access controls, identity verification, monitoring, and device security. Vendor insiders can quickly become your insiders.
Resources:
- TechCrunch – CrowdStrike insider leak coverage: https://techcrunch.com/2025/11/21/crowdstrike-fires-suspicious-insider-who-passed-information-to-hackers/
- Reuters – DigitalMint ransomware indictment reporting: https://www.reuters.com/legal/government/us-prosecutors-say-cybersecurity-pros-ran-cybercrime-operation-2025-11-03/
- BleepingComputer – North Korean fake remote worker scheme: https://www.bleepingcomputer.com/news/security/us-arrests-key-facilitator-in-north-korean-it-worker-fraud-scheme/
- “Ransomware and Cyber Extortion: Response and Prevention” (Book by Sherri & Matt & Karen): https://www.amazon.com/Ransomware-Cyber-Extortion-Response-Prevention-ebook/dp/B09RV4FPP9
- LMG’s Hiring Security Checklist: https://www.lmgsecurity.com/resources/hiring-security-checklist/
Want to attend a live version of Cyberside Chats? Visit us at https://www.lmgsecurity.com/lmg-resources/cyberside-chats-podcast/ to register for our next monthly live session.
#insiderthreat #cybersecurity #cyberaware #cybersidechats #ransomware #ransomwareattack #crowdstrike #DigitalMint #tesla #remotework

Tuesday Nov 25, 2025
Made in China—Hacked Everywhere?
From routers to office cameras to employee phones and even the servers running your network, Chinese-manufactured components are everywhere—including throughout your own organization. In this live Cyberside Chats, we’ll explore how deeply these devices are embedded in modern infrastructure and what that means for cybersecurity, procurement, and third-party risk.
We’ll break down new government warnings about hidden communication modules, rogue firmware, and “ghost devices” in imported tech—and how even trusted brands may ship products with risky components. Most importantly, we’ll share what you can do right now to identify exposure, strengthen procurement and third-party risk management (TPRM) processes, and protect your organization before the next breach or regulation hits.
Join us live for a 25-minute deep dive plus Q&A—and find out whether your supply chain is truly secure… or “Made in China—and Hacked Everywhere.”
Key Takeaways:
- Require an Access Bill of Materials (ABOM) for every connected device. Ask vendors to disclose all remote access paths, cloud services, SIMs/radios, update servers, and subcontractors. This is the most effective way to catch hidden modems, undocumented connectivity, or offshore control channels before procurement.
- Treat hardware procurement with the same rigor as software supply chain risk. Routers, cameras, inverters, and vehicles must be vetted like software: know the origin of components, how firmware is managed, and who can control or modify the device. This mindset shift prevents accidental onboarding of hidden risks.
- Establish and enforce a simple connected-device procurement policy. Set clear rules: no undocumented connectivity, no unmanaged remote access, no end-of-life firmware in new buys, and mandatory security review for all "smart" devices. This helps buyers avoid risky equipment even when budgets are tight.
- Reduce exposure through segmentation and access restrictions. Before replacing anything, isolate high-risk devices, block unnecessary outbound traffic, and disable vendor remote access. These low-cost steps significantly reduce exposure while giving you time to plan longer-term changes.
- Strengthen third-party risk management (TPRM) for vendors of connected equipment. Expand TPRM reviews to cover firmware integrity, logging, hosting jurisdictions, remote access practices, and subcontractors. This ensures your vendor ecosystem doesn't introduce avoidable hardware-level vulnerabilities.
References:
- Wall Street Journal (Nov 19, 2025) – “Can Chinese-Made Buses Be Hacked? Norway Drove One Down a Mine to Find Out.” (Chinese electric bus remote-disable and SIM access findings)
- U.S. House Select Committee on China & House Homeland Security Committee (Sept 2024 Report) – Port Crane Security Assessment. (Unauthorized modems, supply-chain backdoors, and ZPMC risk findings)
- FDA & CISA (Feb–Mar 2025) – Security Advisory: Contec CMS8000 Patient Monitor. (Backdoor enabling remote file execution and hidden network communications)
- Anthropic (Nov 13, 2025) – “Disrupting the First Reported AI-Orchestrated Cyber Espionage Campaign.” (China-linked AI-driven intrusion playbook and campaign analysis)
- LMG Security (2025) – “9 Tips to Streamline Your Vendor Risk Management Program.” https://www.lmgsecurity.com/9-tips-to-streamline-your-vendor-risk-management-program
#chinesehackers #cybersecurity #infosec #LMGsecurity #ciso #TPRM #thirdpartyrisk #security

Tuesday Nov 18, 2025
Holiday Hackers—The 2025 AI Fraud Boom
Hackers are using AI to supercharge holiday scams—flooding the web with fake ads, phishing pages, and credential-stealing bots. This season, researchers predict a record spike in automated attacks and malvertising campaigns that blur the line between human and machine. Sherri Davidoff and Matt Durrin break down what’s new this holiday season—from AI-generated phishing kits and bot-driven account takeovers to the rise of prebuilt “configs” for credential stuffing. We used WormGPT to produce a ready-to-run holiday phishing page—a proof-of-concept that demonstrates how quickly scammers can launch these attacks with evil AI tools. This episode reveals how personal habits turn into corporate risk. Before Black Friday and Christmas hit, learn what your team can do right now to protect people, passwords, and payments.
Key Takeaways – How to Defend Against the 2025 AI Fraud Boom
- Treat holiday scams as a business risk, not just a retail problem.
Automated bots, fake ads, and AI-generated phishing campaigns target your employees too — not just shoppers. Expect higher attack volume through the entire holiday season.
- Expect password reuse—and enforce strong MFA everywhere.
Employees will reuse personal shopping passwords at work. Require MFA on all accounts — especially SSO, admin, and vendor logins — and block reused credentials where possible.
- Filter out malicious ads and spoofed sites.
Use DNS and web filtering to block malvertising and look-alike domains. Encourage staff to verify URLs and avoid “too-good-to-be-true” promotions or charity appeals.
- Strengthen bot and fraud detection.
Tune WAF and bot-management tools to catch automated login attempts, fake account creation, and credential stuffing. These attacks spike before Black Friday and often continue into January.
- Run a short holiday security awareness push before Black Friday—and repeat before Christmas.
Brief all staff, especially finance and customer service, on seasonal scams: gift-card fraud, fake charities, refund and invoice scams, malvertising, and holiday-themed phishing.
- Remember: personal security is corporate security.
BYOD, home shopping, and password reuse mean an employee’s compromise can quickly become your organization’s compromise. Keep the message simple: protect your accounts, protect your company.
Don't forget to follow us for more cybersecurity advice, and visit us at www.LMGsecurity.com for tip sheets, blogs, and more advice!
Resources:
- RH-ISAC — 2025 Holiday Season Cyber Threat Trends: https://rhisac.org/press-release/holiday-threats-2025/ (RH-ISAC)
- Malwarebytes — Home Depot Halloween phish gives users a fright, not a freebie: https://www.malwarebytes.com/blog/news/2025/10/home-depot-halloween-phish-gives-users-a-fright-not-a-freebie (Malwarebytes)
- Bitdefender Labs — Trick or Treat: Bitdefender Labs Uncovers Halloween Scams Flooding Inboxes: https://www.bitdefender.com/en-us/blog/hotforsecurity/bitdefender-labs-uncovers-halloween-scams-flooding-inboxes-and-feeds (Bitdefender)
- FBI / IC3 PSA — Hacker Com: Cyber Criminal Subset of The Com — background on The Com threat cluster referenced by RH-ISAC and seen in holiday fraud activity: https://www.ic3.gov/PSA/2025/PSA250723 (Internet Crime Complaint Center)
- Fast Company — Holiday season cybersecurity lessons: The vulnerability of the retail workforce: https://www.fastcompany.com/91270554/holiday-season-cybersecurity-lessons-the-vulnerability-of-the-retail-workforce (Fast Company)
#HolidayScams #Phishing #Malvertising #Cybersecurity #Cyberaware #SMB #BlackFridayScams

Tuesday Nov 11, 2025
LOUVRE Was the Password?! Cybersecurity Lessons from the Heist
When thieves pulled off a lightning-fast heist at the Louvre on October 19, 2025, the world focused on the stolen jewels. But leaked audit reports soon revealed another story — one of weak passwords, legacy systems, and a decade of ignored warnings.
In this episode of Cyberside Chats, Sherri Davidoff and Matt Durrin dig into the cybersecurity lessons behind the Louvre’s seven-minute robbery. They explore how outdated infrastructure, poor vendor oversight, and default credentials mirror the same risks plaguing modern organizations — from hospitals to banks.
Listen as Sherri and Matt connect the dots between a world-famous museum and your own IT environment — and share practical steps to keep your organization from becoming the next headline.
Key Takeaways
- Audit for weak and shared passwords. Regularly scan for shared, default, or vendor credentials. Replace them with strong, unique, role-based passwords and enforce MFA across administrative and vendor accounts.
- Conduct regular penetration tests and track remediation. Perform annual or semiannual pen tests that include internal movement and segmentation checks. Assign owners for every finding, set deadlines, and verify fixes.
- Vet and contractually bind third-party vendors. Require patching and OS update clauses in vendor contracts, and verify each vendor’s security practices through audits or reports such as SOC 2.
- Integrate IT and physical security. Coordinate teams so camera, badge, and alarm systems receive the same cybersecurity oversight as IT systems. Check for remote access exposure and outdated credentials.
- Plan for legacy system containment. Identify unsupported systems, isolate them on segmented networks, and add compensating controls. Build a phased replacement roadmap tied to budget and risk.
- Create a continuous audit and feedback loop. Assign clear ownership for all audit findings and track progress. Escalate unresolved risks to leadership to maintain visibility and accountability.
- Control your media communications. Limit access to sensitive reports and train staff to prevent leaks. Manage breach-related communications strategically to protect reputation and trust.
Don't forget to follow us for weekly expert cybersecurity insights on today's threats.
Resources
- YouTube – Hank Green interviews Sherri Davidoff on the Louvre Heist
- LMG Security – “How Hackers Turned Cameras into Crypto Miners” (Scientific American)
#louvreheist #cybersecurity #cyberaware #password #infosec #ciso

Tuesday Nov 04, 2025
Poisoned Search: How Hackers Turn Google Results into Backdoors
Attackers are poisoning search results and buying sponsored ads to push malware disguised as trusted software. In this episode, Sherri Davidoff and Matt Durrin break down the latest SEO poisoning and malvertising research, including the Oyster/Broomstick campaign that hid backdoors inside fake Microsoft Teams installers. Learn how these attacks exploit everyday user behavior, why they’re so effective, and what your organization can do to stop them.
Whether you’re a security leader, risk manager, or seasoned IT pro, you’ll walk away with clear, practical steps to reduce exposure and strengthen your defenses against the poisoned web.
KEY TAKEAWAYS
- Block and filter ad content at the enterprise level. Use enterprise web proxies, browser controls, and DNS filtering to block sponsored results and malicious domains tied to critical business tools or portals.
- Establish and enforce trusted download paths. Require that all software come from signed, verified, or internal repositories — not search results. Enforce application whitelisting so only verified executables can run — this blocks malicious installers even if a user downloads them.
- Incorporate poisoned-search scenarios into training and awareness materials. Teach staff to type trusted URLs, use bookmarks, or access internal portals directly rather than searching.
- Assess search behavior across your organization. Track how users find tools and portals — are they typing URLs, using bookmarks, or searching externally? Use this data to identify high-risk departments or roles and tailor awareness campaigns accordingly. Over time, shift culture toward safer, more deliberate browsing habits.
- Expand monitoring and detection. Hunt for persistence artifacts linked to poisoned-download infections, such as new scheduled tasks, DLL registrations, or rundll32.exe activity. Flag software installs originating from search-referral URLs in your EDR and SIEM.
- Conduct tabletop exercises that include search poisoning. Simulate incidents where employees download fake software or fall for poisoned ads. Practice tracing attacks back to SEO poisoning, identifying other potential victims, and developing plans to block future attacks through technical and policy controls.
Please like and subscribe for more cybersecurity content, and visit us at www.LMGsecurity.com if you need help with cybersecurity, training, testing, or policy development.
Resources & References
- Blackpoint Cyber SOC: Malicious Teams Installers Drop Oyster Malware
- BleepingComputer: Fake Microsoft Teams Installers Push Oyster Malware via Malvertising
- Netskope: Cloud & Threat Report 2025
- Netskope Press Release: Phishing Clicks Nearly Tripled in 2024

Tuesday Oct 28, 2025
The AWS Outage and Hidden Fourth-Party Risks
When Amazon Web Services went down on October 20, 2025, the impact rippled around the world. The outage knocked out Slack messages, paused financial trades, grounded flights, and even stopped people from charging their electric cars. From Coinbase to college classrooms, from food delivery apps to smart homes, millions discovered just how deeply their lives depend on a single cloud provider.
In this episode, Sherri Davidoff and Matt Durrin break down what really happened inside AWS’s U.S.-East-1 region, why one glitch in a database called DynamoDB cascaded across the globe, and what it teaches us about the growing risk from invisible “fourth-party” dependencies that lurk deep in our digital supply chains.
Key Takeaways
- Map and monitor your vendor ecosystem — Identify both third- and fourth-party dependencies and track their health.
- Require vendors to disclose key dependencies — Request a “digital bill of materials” that identifies their critical cloud and service providers.
- Diversify critical workloads — Don’t rely on a single hyperscaler region or platform for mission-critical services.
- Integrate vendor outages into incident response playbooks — Treat SaaS and cloud downtime as security events with defined response paths.
- Test your resilience under real-world conditions — Simulate large-scale SaaS or cloud failures in tabletop exercises.
Resources:
#cybersecurity #thirdpartyrisk #riskmanagement #infosec #ciso #cyberaware #Fourthpartyrisk #cybersidechats #lmgsecurity #aws #awsoutage

Tuesday Oct 21, 2025
Ransomware in the Fast Lane: Lessons from the Jaguar Land Rover Attack
When ransomware forced Jaguar Land Rover to halt production for six weeks, the impact rippled through global supply chains — from luxury car lines to small suppliers fighting to stay afloat. In this episode, Sherri Davidoff and Matt Durrin examine what happened, why manufacturing has become ransomware’s top target, and what new data from Sophos and Black Kite reveal about the latest attack trends.
They share practical insights on how organizations can strengthen resilience, secure supply chains, and prepare for the next wave of operational ransomware attacks.
Key Takeaways
- Patch and prioritize.
Focus on fixing known exploited vulnerabilities (CISA KEV) and critical flaws before attackers do.
- Monitor your vendors continuously.
Move beyond annual questionnaires — use ongoing, data-driven monitoring to identify risk in your supply chain.
- Segment IT and OT networks.
Strong isolation can contain ransomware and prevent complete production shutdowns.
- Invest in detection and response.
Around-the-clock monitoring (MDR or SOC) can detect early-stage activity before encryption starts.
- Practice recovery.
Test isolation, backup, and restoration processes regularly — and include your leadership team in realistic tabletop exercises.
References & Further Reading

Looking for more cybersecurity resources?
Check out our additional resources:
Blog: https://www.LMGsecurity.com/blog/
Top Controls Reports: https://www.LMGsecurity.com/top-security-controls-reports/
Videos: www.youtube.com/@LMGsecurity
