The abuse of legitimate monitoring tools demonstrates how everyday software can become a ransomware launchpad, making MFA and strict remote‑tool governance essential for protecting corporate assets.
The February 12 episode of Simply Cyber’s Daily Cyber Threat Brief, hosted by Dr. Gerald Auger, opened with community shout‑outs, sponsor plugs for Flare, Material, and ThreatLocker, and a reminder that each show earns half a CPE credit for listeners. The core of the broadcast focused on a new ransomware campaign uncovered by Huntress, in which a “Crazy” gang leveraged legitimate employee‑monitoring software (Net Monitor) and remote‑support tools (SimpleHelp) to infiltrate corporate networks, disable Windows Defender, and hunt for cryptocurrency wallets.
The attackers used stolen SSL‑VPN credentials on accounts that lacked multifactor authentication, then installed monitoring agents to spy on screens, transfer files, and execute PowerShell commands for persistence, including enabling the local administrator account. By disguising malicious binaries under benign names, they evaded detection while establishing multiple footholds, a tactic reminiscent of “smash‑and‑grab” ransomware groups like Lapsus$ and Scattered Spider.
Host Gerald emphasized the vendor‑agnostic lesson: any internet‑facing authentication must be protected by MFA, and organizations should audit and tightly control remote‑access and monitoring utilities. He also raised the ethical debate around employee surveillance, noting that while such tools can be legitimate, they become high‑value targets for threat actors when left unchecked.
The takeaway for security teams is clear: enforce MFA on VPNs, implement continuous monitoring of privileged tool usage, and conduct regular reviews of remote‑access software to mitigate the risk of weaponized monitoring solutions. Failure to act could expose enterprises to ransomware extortion, data theft, and operational disruption.
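As an added illustration of the “continuous monitoring of privileged tool usage” recommendation (example code written for this summary, not from Simply Cyber or Huntress), the script below triages normalised Windows event records for three behaviours the brief attributes to the campaign: the built‑in Administrator account being re‑enabled, Defender real‑time protection being disabled, and remote‑support or monitoring binaries that are either unapproved or running under a different name than their original file name. The allowlist, the record schema and the sample events are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumption: the organisation's allowlist of approved remote-support executables.
APPROVED_REMOTE_TOOLS = {"teamviewer.exe"}
# Tool families named in the episode, matched as substrings of the binary's name.
WATCHED_TOOL_MARKERS = ("simplehelp", "netmonitor", "net monitor")

@dataclass
class Event:
    """Normalised record: Windows event id plus selected fields (constructed schema)."""
    event_id: int
    fields: dict = field(default_factory=dict)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule, detail) alerts for behaviours the episode attributes to the campaign."""
    alerts = []
    for ev in events:
        f = ev.fields
        if ev.event_id == 4722 and f.get("TargetUserName", "").lower() == "administrator":
            # Security 4722 (user account enabled): built-in Administrator re-enabled
            alerts.append(("builtin_admin_enabled", f.get("SubjectUserName", "?")))
        elif ev.event_id == 5001:
            # Windows Defender/Operational 5001: real-time protection disabled
            alerts.append(("defender_realtime_disabled", f.get("Computer", "?")))
        elif ev.event_id == 1:  # Sysmon process creation carries OriginalFileName
            exe, orig = _basename(f.get("Image", "")), f.get("OriginalFileName", "").lower()
            watched = any(m in exe or m in orig for m in WATCHED_TOOL_MARKERS)
            if watched and orig and exe != orig:
                # Binary running under a benign-looking name: the disguise tactic described above
                alerts.append(("renamed_remote_tool", f"{exe} (original {orig})"))
            elif watched and exe not in APPROVED_REMOTE_TOOLS:
                alerts.append(("unapproved_remote_tool", exe))
    return alerts

# Constructed sample events (not real telemetry) exercising each rule.
SAMPLE_EVENTS = [
    Event(4722, {"TargetUserName": "Administrator", "SubjectUserName": "svc-helpdesk"}),
    Event(5001, {"Computer": "FS01"}),
    Event(1, {"Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "SimpleHelp.exe"}),
    Event(1, {"Image": r"C:\Tools\NetMonitor.exe", "OriginalFileName": "NetMonitor.exe"}),
    Event(1, {"Image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "OriginalFileName": "TeamViewer.exe"}),
    Event(4722, {"TargetUserName": "jdoe", "SubjectUserName": "helpdesk"}),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The name‑based checks are deliberately narrow; pairing them with signer and hash verification of remote‑access binaries closes the gap left by attackers who rename tools before use.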