APT28 Spies on Ukraine and the Salesforce Data Scramble [Prime Cyber Insights]
[00:00] Announcer: From Neural Newscast, this is Prime Cyber Insights, Intelligence for Defenders,
[00:04] Announcer: Leaders, and Decision Makers.
[00:09] Aaron Cole: This is Prime Cyber Insights for March 10, 2026.
[00:17] Lauren Mitchell: Today we're tracking a sophisticated pivot in nation-state surveillance
[00:21] Lauren Mitchell: and an escalating crisis in cloud misconfigurations.
[00:25] Aaron Cole: We start in Ukraine, where ESET has detailed a long-term espionage campaign
[00:31] Aaron Cole: by APT28, the Russian GRU-affiliated group.
[00:35] Aaron Cole: They are deploying a dual-implant strategy involving malware dubbed BeardShell and Covenant to target military personnel.
[00:45] Lauren Mitchell: What's striking here, Aaron, is the evolution of their toolkit.
[00:49] Lauren Mitchell: They've integrated a keylogger called SlimAgent that shares code routes with tools used back in 2014.
[00:56] Lauren Mitchell: They aren't just
[00:58] Lauren Mitchell: hitting targets and leaving; they're using cloud services like IceDrive and Phylin for
[01:04] Lauren Mitchell: C2 to blend into legitimate traffic over several years.
[01:08] Aaron Cole: Exactly. They have heavily modified the Covenant framework, which has been out of official development since 2021.
[01:16] Aaron Cole: It shows that specialized expertise in older tools is still paying off for state actors who want to maintain a low profile while exfiltrating sensitive military data.
[01:25] Lauren Mitchell: This highlights the reality that persistent access is often about the maintenance rather than just the initial exploit.
[01:32] Lauren Mitchell: Speaking of exploits, new data from Intruder suggests the window for defenders is closing
[01:38] Lauren Mitchell: faster than ever.
[01:39] Aaron Cole: Right.
[01:39] Aaron Cole: The time to exploit for critical vulnerabilities is now frequently between 24 and 48 hours.
[01:46] Aaron Cole: Lauren, their research found thousands of SharePoint instances exposed to the Internet
[01:52] Aaron Cole: during the recent ToolShell zero-day, even though SharePoint rarely needs to be public-facing.
[01:57] Lauren Mitchell: It's a visibility problem.
[01:59] Lauren Mitchell: Aaron, if teams treat an exposed database or an internal protocol as just an informational finding in a scan,
[02:06] Lauren Mitchell: they miss the fact that it's a wide open door.
[02:09] Lauren Mitchell: We have to treat exposure itself as a risk category, not just wait for a CVE to be assigned to it.
[02:16] Aaron Cole: That visibility gap is exactly what's being exploited in our third story.
[02:21] Aaron Cole: Salesforce has warned that threat actors are mass-scanning Experience Cloud sites using a modified version of Mandiant's Aura Inspector tool.
[02:30] Aaron Cole: They're looking for overly permissive guest user settings.
[02:33] Lauren Mitchell: And the group ShinyHunters is already claiming they've breached several hundred companies through this exact method.
[02:39] Lauren Mitchell: This isn't a platform vulnerability.
[02:41] Lauren Mitchell: It's a configuration failure.
[02:43] Lauren Mitchell: If that guest profile isn't locked down, unauthenticated users can query CRM objects directly.
[02:50] Aaron Cole: It's a reminder that identity-based targeting is the new perimeter.
[02:54] Aaron Cole: Practitioners need to audit those Salesforce guest settings immediately
[02:58] Aaron Cole: and ensure default external access is set to private.
[03:01] Lauren Mitchell: Building resilience requires moving from reactive patching to proactive exposure management.
[03:08] Aaron Cole: This has been Prime Cyber Insights, high-level analysis for the front lines of security.
[03:13] Aaron Cole: For deeper technical dives, visit pci.neuralnewscast.com.
[03:17] Aaron Cole: We'll see you in the briefing room tomorrow.
[03:19] Aaron Cole: Neural Newscast is AI-assisted, human-reviewed.
[03:22] Aaron Cole: View our AI Transparency Policy at neuralnewscast.com.
[03:26] Announcer: This has been Prime Cyber Insights on Neural Newscast.
[03:30] Announcer: Intelligence for defenders, leaders, and decision makers.
