
Cybersecurity Update: Incorrect Company Naming, Major Breaches, and New Malware Campaigns

Episode Transcript

Hey, there's no Thursday.

Show what gives, if you thought that you're right.

This is the episode we ran yesterday, but we made a mistake on a company name.

We should have said SitusAMC, we said something that sounded a lot like another company's name.

Now we think a lot before we name a company that has involvement in a breach.

We're never playing a blame game.

We're only trying to make sure our listeners know what to look for and get the facts.

And speaking of the facts, we were wrong.

So we corrected the recording and our apologies and I'm only gonna whisper this once to Ascensus who are in no way involved in this breach and God bless them have been most understanding and accepted my sincere apologies.

We try to get it right every day.

When we get it wrong, we'll tell you no excuses, but also thanks to our listeners who alerted me before the company spotted it, so I was already working on correcting the error.

You are the best and you keep us honest.

Just a reminder before we get started that because of the holiday, the American Thanksgiving, our weekend show will air on Friday and continue through the weekend.

David Shipley will be back on Monday morning and now a more accurate version of the show.

Cybersecurity Today, we'd like to thank Meter for their support in bringing you this podcast.

Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale.

You can find them at meter.com/cst.

US banks assess fallout after data theft attack.

Clop claims Broadcom in Oracle ERP breach campaign. StealC malware hides inside Blender files in a new supply chain attack.

Shai-Hulud worm compromises 500 npm packages, and old tricks still work with phishing scammers.

This is cybersecurity today.

I'm your host, Jim Love.

US banks are assessing the fallout from a major security breach at SitusAMC, a financial technology vendor that provides record keeping, transaction processing, and regulatory compliance to major institutions.

TechCrunch reported that the ransomware group ALPHV, also known as BlackCat, claims it stole three terabytes of data from the company in early November.

SitusAMC confirmed the incident on its website, saying the attack involved data theft only, not encryption.

That means systems weren't locked, but information was taken.

The company said it brought systems offline, launched an investigation and notified federal regulators.

The FBI is involved and the Bureau's director issued a public statement confirming the investigation.

Banks that rely on SitusAMC told TechCrunch that they're still trying to determine what information was taken.

The attackers posted sample documents online to prove access, but neither SitusAMC nor its clients have identified the full scope of the exposure.

Based on the history of the ALPHV group, however, this type of operation typically targets files sensitive enough to justify demanding payment from large institutions.

For now, the industry is in assessment mode, but it's likely we'll learn more in the days ahead as investigators determine what was taken and who may ultimately be affected.

Clop, the ransomware group behind the wave of attacks on companies running Oracle's E-Business Suite, is now claiming Broadcom as its latest victim.

The group added Broadcom to its leak site as part of the same campaign that's believed to have affected anywhere from 30 to a hundred large organizations through zero day vulnerabilities in Oracle's financial operations software.

Broadcom isn't confirming a breach, but it isn't denying one either.

In a statement, the company said, "Broadcom uses Oracle's E-Business Suite for certain internal corporate financial operations.

Like many organizations that use this software, Broadcom has been targeted by cyber criminals who have exploited zero day vulnerabilities in the Oracle product.

Broadcom has forensically examined and patched our Oracle system to remediate the vulnerabilities."

Broadcom added that its core systems remain intact.

Broadcom operations are unaffected, and we are confident in the integrity of our financial data.

If any of the limited types of data processed in Oracle are unlawfully disclosed, we do not expect it to pose significant risk to any of our customers, vendors, partners, or employees.

Oracle has issued a patch for the exploited flaw, and most organizations are expected to have applied it by now.

But with Clop continuing to name victims publicly, often before companies can complete their internal reviews, we may see more names surface in the days ahead, either from investigations or from the attackers themselves.

A new malware campaign is hiding malicious code inside Blender 3D models, turning an everyday creative workflow into an entry point for attackers.

Bleeping Computer reports that tainted .blend files, often shared on freelancing sites and model repositories, contain Python scripts that execute the moment the file is opened.

Blender includes an auto-run feature designed to support rigged models and animation tools.

And since many users leave auto-run enabled for convenience, attackers are taking advantage of that default behavior.

The payload is called StealC, a rapidly evolving information-stealing malware.

This latest version targets more than 23 browsers, supports server-side credential decryption, and works with the newest Chrome builds.

It goes after 100 cryptocurrency wallet extensions, 15 standalone wallet apps and communication tools like Telegram, Discord, Tox, and Pidgin.

It also collects data from VPN and mail clients, includes an updated UAC bypass, and uses an encrypted multi-stage delivery chain that hides most of the malicious logic from scanners.

What makes this even more concerning is that StealC has been on the radar since 2023 and it's still slipping past defenses.

Morphisec reports that no security engine on VirusTotal detected the StealC variant they analyzed, meaning a single model file can trigger a silent compromise with no anti-malware warning at all.

Researchers say that the group behind this campaign is skilled at planting StealC into widely shared packages. And when a standard Blender model can quietly deliver a highly capable info stealer, helped along by an auto-run feature many users forget to disable, it becomes yet another serious supply chain risk.

A new supply chain attack is sweeping through the JavaScript ecosystem and it shows how fragile that ecosystem is.

Bleeping Computer reports that a self-replicating malware called Shai-Hulud has compromised about 500 npm packages after attackers gained access to maintainer accounts and published backdoored versions of widely used modules.

Once a developer installs one of the tainted packages, the malware runs during npm's install process.

It scans the victim's environment using tools like TruffleHog to harvest GitHub tokens, npm credentials and cloud secrets.

These stolen credentials are then pushed to attacker controlled GitHub repos in plain sight.

With those tokens in hand, the malware can republish itself into even more packages, turning the open source ecosystem into its distribution network.

These compromised libraries belong to trusted publishers and sit deep in dependency trees.

And as a result, trusted developers may be installing malware because a package they've used for years was silently updated by someone with hijacked credentials.

And the truth is there's no quick fix.

The supply chain has multiple points where it can be compromised: GitHub repos, npm accounts, CI systems, automation scripts, and the dependencies themselves.

It takes work to validate what you're installing.

But blindly pushing updates from NPM is no longer safe.

The weakness isn't one library.

It's how much trust we place in an ecosystem where a single bad publish can ripple through thousands of projects.
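The segment above notes that the worm executes during npm's install step. As an added example (not from the show or from any npm project), here is a small audit that lists which installed packages declare install-time lifecycle scripts, which is where that kind of payload runs; the sample manifests at the bottom are constructed for illustration.

```python
import json
from pathlib import Path

# npm runs these package.json scripts automatically during install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def install_hooks(pkg: dict) -> dict:
    """Lifecycle scripts in one package.json that execute at install time."""
    scripts = pkg.get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}

def audit_packages(packages) -> list:
    """packages: iterable of (name, package.json dict). Returns [(name, hook, command)]."""
    findings = []
    for name, pkg in packages:
        for hook, cmd in install_hooks(pkg).items():
            findings.append((name, hook, cmd))
    return findings

def scan_node_modules(root) -> list:
    """Walk a real node_modules tree (nested and @scoped packages included)."""
    found = []
    for manifest in Path(root).rglob("package.json"):
        pkg_dir = manifest.parent
        parent = pkg_dir.parent
        # Accept node_modules/<pkg>/ and node_modules/@scope/<pkg>/ at any depth;
        # skip manifests buried inside a package's own source or test tree.
        is_pkg = parent.name == "node_modules" or (
            parent.name.startswith("@") and parent.parent.name == "node_modules")
        if not is_pkg:
            continue
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        found.append((pkg.get("name", pkg_dir.name), pkg))
    return audit_packages(found)

# Constructed sample manifests (hypothetical package names, not real packages).
SAMPLE = [
    ("left-pad-ish", {"name": "left-pad-ish", "scripts": {"test": "node test.js"}}),
    ("tainted-lib", {"name": "tainted-lib", "scripts": {"postinstall": "node preinstall-helper.js"}}),
    ("@scope/native", {"name": "@scope/native", "scripts": {"install": "node-gyp rebuild"}}),
]

if __name__ == "__main__":
    for name, hook, cmd in audit_packages(SAMPLE):
        print(f"{name}: runs '{cmd}' on {hook}")
    # Mitigation: install with `npm ci --ignore-scripts`, then allow-list only the hooks you need.
```

Native modules such as the `node-gyp rebuild` entry are legitimately listed too; the point is that every install-time hook is known and reviewed rather than run blindly.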

But not every cyber attack involves zero days or high-end malware kits.

Cybersecurity News reports a phishing campaign targeting Microsoft account holders using a simple visual swap: replace the letter m with the characters r and n.

In many fonts, especially on phones, rnicrosoft.com looks almost identical to microsoft.com.

Attackers are using these lookalike domains to send fake password reset notices and security alerts that lead to phishing pages. Once a victim enters their Microsoft credentials, attackers gain access to email, OneDrive files, Teams chats, and anything tied to that identity.

Because the technique relies on visual deception rather than malware, traditional security tools often don't detect it, and as the holiday shopping rush gets underway, flooding inboxes with shipping updates, promotions, and account alerts, this kind of low-tech attack becomes even more effective.

And hey guys, I'm not the god of all this, but one rule I have adopted: I will not, repeat, not enter credentials into anything that's linked to a site that has been supplied to me in email or any other way.

I will go on and type the name of that company, that URL, myself.

And if I can't find what they sent me, I don't care.

It doesn't exist.

But that's just me.

And simple, dumb things like this may be the big thing we can use to help ourselves, because while we focus on complex threats like AI-driven attacks and supply chain compromises, the simplest tactics still work because they exploit human attention and not software flaws.
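The "rn for m" swap described in the phishing segment is easy to check for mechanically. This is an added example, not from the show: it collapses visually confusable character runs into a "skeleton" and flags any link whose skeleton matches a protected brand domain while the real hostname does not. The confusable list, the protected-domain set and the sample message are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Character sequences that render almost identically in common fonts
# (constructed starter list; extend it for your own environment).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

# Domains to protect against lookalikes (assumed set for this example).
PROTECTED = {"microsoft.com", "live.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def skeleton(name: str) -> str:
    """Collapse confusable runs so 'rnicrosoft' and 'microsoft' compare equal."""
    for seq, repl in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        name = name.replace(seq, repl)
    return name

def lookalike_of(url_or_host: str):
    """Return the protected domain a host imitates, or None if genuine or unrelated."""
    ref = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlparse(ref).hostname or "").rstrip(".")
    labels = host.split(".")
    # Check every run of labels, so 'rnicrosoft.com' is found inside 'login.rnicrosoft.com'.
    for start in range(len(labels)):
        for end in range(start + 2, len(labels) + 1):
            window = ".".join(labels[start:end])
            if window in PROTECTED:
                continue  # the real brand domain itself: genuine
            if skeleton(window) in PROTECTED:
                return skeleton(window)
    return None

def flag_links(text: str) -> list:
    """Scan message text; return (url, imitated_domain) for every lookalike link."""
    hits = []
    for url in URL_RE.findall(text):
        brand = lookalike_of(url)
        if brand:
            hits.append((url, brand))
    return hits

# Constructed sample message; the first link uses the rn-for-m swap from the episode.
SAMPLE_EMAIL = """Your password expires today.
Reset now: https://login.rnicrosoft.com/reset?id=123
Real portal for comparison: https://login.microsoft.com/
Unrelated site: https://modern.com/"""

if __name__ == "__main__":
    for url, brand in flag_links(SAMPLE_EMAIL):
        print(f"lookalike of {brand}: {url}")
```

The same skeleton comparison can run over a mail gateway's URL log or a newly registered domain feed; it does not replace a proper confusables table, but it catches exactly the swap this campaign relies on.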

And that's our show.

And in the spirit of Thanksgiving, we'd like to thank Meter for their support in helping bring you this podcast.

Meter delivers full stack networking infrastructure, wired, wireless and cellular to leading enterprises.

Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space.

They design the hardware and the firmware, build the software, manage deployments, and run support.

It's a single integrated solution that scales from branch offices, warehouses, and large campuses, all the way to data centers.

Book a demo at meter.com/cst.

That's M-E-T-E-R.com/cst.

And in our tradition of taking both US and Canadian holidays, we'll be taking the Thanksgiving holidays and our weekend shows will be running Thursday to Sunday.

David Shipley will be back on Monday morning with the cybersecurity news.

I'm your host, Jim Love, and to our US audience, happy Thanksgiving, and to everyone, thanks for listening.
